diff --git a/.crd2pulumi-checksum b/.crd2pulumi-checksum
index 5b36035..191191c 100644
--- a/.crd2pulumi-checksum
+++ b/.crd2pulumi-checksum
@@ -1 +1 @@
-2eebf9968d1e434ea85182c1a229254ca0aefa30b6f433dd2ccfeca4751159ae
\ No newline at end of file
+e522ddaad885daad3a5b9684988dacc4af9df36c76fe7fa057c7d4dfd078450e
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..32607d5
--- /dev/null
+++ b/CHANGELOG.md
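Review bot: Nothing in this hunk lets a reader verify the new value in `.crd2pulumi-checksum`: the page does not show what input is hashed, and the same commit adds an opaque binary `crd2pulumi.tar.gz` together with what appear to be the generator's own CHANGELOG.md, LICENSE and README.md at the repository root. If those four files are leftovers from downloading and unpacking the tool (an inference from the file names), they should be kept out of the tree, for example with `crd2pulumi.tar.gz` in `.gitignore`, instead of being committed where no review can inspect the archive. Integrity of the generator is better anchored to a digest pinned from the upstream release than to a checksum regenerated in the same commit as the artifact. A short comment in the script that writes this file, such as `# sha256 of <what is hashed>`, would let reviewers reproduce the value.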
@@ -0,0 +1,100 @@
+# CHANGELOG
+
+## 1.6.0 (2025-10-17)
+
+- Configurable package namespaces/prefixes. (https://github.com/pulumi/crd2pulumi/pull/247)
+
+## 1.5.4 (2024-11-13)
+
+- NodeJS now uses correct input/output types for object metadata. (https://github.com/pulumi/crd2pulumi/issues/158)
+
+## 1.5.3 (2024-09-30)
+
+- Fix crd2pulumi not generating all CRD versions. [#152](https://github.com/pulumi/crd2pulumi/issues/152)
+- Fix crd2pulumi generating packages and types with incorrect group names. [#152](https://github.com/pulumi/crd2pulumi/issues/152)
+
+## 1.5.2 (2024-09-16)
+
+- Set the pulumi-kubernetes dependency for Python packages to v4.18.0. [#148](https://github.com/pulumi/crd2pulumi/issues/148)
+- Fixed generating Go types for StringMapArrayMap types. [#147](https://github.com/pulumi/crd2pulumi/issues/147)
+
+## 1.5.1 (2024-09-13)
+
+- Fixed Patch varaints not generated for types that end in List. [#146](https://github.com/pulumi/crd2pulumi/pull/146)
+
+## 1.5.0 (2024-09-13)
+
+### Added
+- Patch variant resources are now generated for all custom resources. Patch resources allow you to modify and an existing custom resource. For more details on using Patch resources, see our [documentation](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/#patch-a-resource).
+
+### Changed
+- The Pulumi schema generation now utilizes the library from the Pulumi Kubernetes provider, replacing the previous custom implementation. This resolves a number of correctness issues when generating code. [#143](https://github.com/pulumi/crd2pulumi/pull/143)
+- Golang package generation now correctly adheres to the `--goPath` CLI flag, aligning with the behavior of other languages. [#89](https://github.com/pulumi/crd2pulumi/issues/89)
+- CRDs with oneOf fields are now correctly typed and not generic. 
[#97](https://github.com/pulumi/crd2pulumi/issues/97)
+
+
+### Fixed
+- Various code generation correctness issues have been addressed, including:
+ - Python packages can now be successfully imported and consumed by Pulumi Python programs. [#113](https://github.com/pulumi/crd2pulumi/issues/113)
+ - Golang packages no longer produce compilation errors due to duplicate declarations. [#104](https://github.com/pulumi/crd2pulumi/issues/104)
+ - NodeJS package names are now properly generated. [#70](https://github.com/pulumi/crd2pulumi/issues/70)
+ - Dotnet packages now include the correct imports. [#49](https://github.com/pulumi/crd2pulumi/issues/49)
+ - NodeJS object metadata types no longer accept undefined values. [#34](https://github.com/pulumi/crd2pulumi/issues/34)
+
+## 1.4.0 (2024-05-29)
+
+- Fix unpinned Kubernetes version in generated nodejs resources. [#121](https://github.com/pulumi/crd2pulumi/pull/121)
+- Fix .NET generated code to use provider v4. [#134](https://github.com/pulumi/crd2pulumi/pull/134)
+- Fix invalid generated code due to unnamed properties. [#135](https://github.com/pulumi/crd2pulumi/pull/135)
+- Fix a panic when generating code with non-primitive defaults. [#136](https://github.com/pulumi/crd2pulumi/pull/136)
+- Add Java generation support. 
[#129](https://github.com/pulumi/crd2pulumi/pull/129)
+
+## 1.3.0 (2023-12-12)
+
+- Fix: excluding files from unneededGoFiles was not working ()
+- Support kubernetes provider v4 ()
+
+## 1.2.5 (2023-05-31)
+
+- Remove underscores in generated nested types ()
+
+## 1.2.4 (2023-03-23)
+
+- Requires Go 1.19 or higher now to build
+- Fix issue [#108](https://github.com/pulumi/crd2pulumi/issues/108) - crd2pulumi generator splits types apart into duplicate entires in pulumiTypes.go and pulumiTypes1.go
+
+## 1.2.3 (2022-10-18)
+
+- Fix issue [#43: crd properties with - in name](https://github.com/pulumi/crd2pulumi/issues/43) ()
+
+## 1.2.2 (2022-07-20)
+
+- Fix regression that caused code in all languages to be generated regardless of selection.
+
+## 1.2.1 (2022-07-19)
+
+This release is a refactor with no user-affecting changes.
+
+- Create public interface for codegen in the `pkg/codegen` namespace
+ while placing internal utilities under `internal/`
+- Simplify cobra usage, simplify program config substantially
+- A new test env var, `TEST_SKIP_CLEANUP`, can be set to instruct the
+ `crds_test.go` tests to not perform temp dir cleanup after the test
+ run, for the purposes of investigating bad output during test failure.
+ Generated code is now placed in temp dirs with friendly, identifiable
+ names for each test case.
+- General refactoring: removal of dead code, reorganizing functions into
+ more appropriately named files or packages.
+- Update to latest Pulumi SDK as well as update all other dependencies.
+- Update to Go 1.18
+- Upgrade to go 1.17 ()
+
+## 1.2.0 (2022-02-07)
+
+- [python] Do not overwrite _utilities.py ()
+
+## 1.1.0 (2022-01-04)
+
+- Update to Pulumi v3.21.0 ()
+- Fix x-kubernetes-int-or-string precedence ()
+- Add generating CRD from URL ()
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..261eeb9
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. 
For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. 
Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of 
the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. 
Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..6b0f0b6
--- /dev/null
+++ b/README.md
@@ -0,0 +1,325 @@ +# crd2pulumi +Generate typed CustomResources based on Kubernetes CustomResourceDefinitions. + +## Goals + +`crd2pulumi` is a CLI tool that generates typed CustomResources based on Kubernetes CustomResourceDefinition (CRDs). +CRDs allow you to extend the Kubernetes API by defining your own schemas for custom objects. While Pulumi lets you create + [CustomResources](https://www.pulumi.com/docs/reference/pkg/kubernetes/apiextensions/customresource/), there was previously + no strong-typing for these objects since every schema was, well, custom. This can be a massive headache for popular CRDs + such as [cert-manager](https://github.com/jetstack/cert-manager/tree/master/deploy/crds) or + [istio](https://github.com/istio/istio/tree/0321da58ca86fc786fb03a68afd29d082477e4f2/manifests/charts/base/crds), which + contain thousands of lines of complex YAML schemas. By generating typed versions of CustomResources, `crd2pulumi` makes + filling out their arguments more convenient by allowing you to leverage existing IDE type checking and autocomplete features. + +## Building and Installation +If you wish to use `crd2pulumi` without developing the tool itself, you can use one of the [binary releases](https://github.com/pulumi/crd2pulumi/releases) hosted on this repository. + +### Homebrew +`crd2pulumi` can be installed on Mac from the Pulumi Homebrew tap. +```console +brew install pulumi/tap/crd2pulumi +``` + +`crd2pulumi` uses Go modules to manage dependencies. If you want to develop `crd2pulumi` itself, you'll need to have +Go installed in order to build. Once you install this prerequisite, run the following to build the `crd2pulumi` binary +and install it into `$GOPATH/bin`: + +```bash +$ go build -ldflags="-X github.com/pulumi/crd2pulumi/gen.Version=dev" -o $GOPATH/bin/crd2pulumi main.go +``` +The `ldflags` argument is necessary to dynamically set the `crd2pulumi` version at build time. 
However, the version +itself can be anything, so you don't have to set it to `dev`. + +Go should then automatically handle pulling the dependencies for you. If `$GOPATH/bin` is not on your path, you may +want to move the `crd2pulumi` binary from `$GOPATH/bin` into a directory that is on your path. + +## Usage +```bash +crd2pulumi is a CLI tool that generates typed Kubernetes +CustomResources to use in Pulumi programs, based on a +CustomResourceDefinition YAML schema. + +Usage: + crd2pulumi [-dgnp] [--nodejsPath path] [--pythonPath path] [--dotnetPath path] [--goPath path] [--javaPath path] [crd2.yaml ...] [flags] + crd2pulumi [command] + +Examples: +crd2pulumi --nodejs crontabs.yaml +crd2pulumi -dgnp crd-certificates.yaml crd-issuers.yaml crd-challenges.yaml +crd2pulumi --pythonPath=crds/python/istio --nodejsPath=crds/nodejs/istio crd-all.gen.yaml crd-mixer.yaml crd-operator.yaml +crd2pulumi --pythonPath=crds/python/gke https://raw.githubusercontent.com/GoogleCloudPlatform/gke-managed-certs/master/deploy/managedcertificates-crd.yaml + +Notice that by just setting a language-specific output path (--pythonPath, --nodejsPath, etc) the code will +still get generated, so setting -p, -n, etc becomes unnecessary. 
+ + +Available Commands: + help Help about any command + version Print the version number of crd2pulumi + +Flags: + -d, --dotnet generate .NET + --dotnetName string name of generated .NET package (default "crds") + --dotnetNamespace string namespace of generated .NET package + --dotnetPath string optional .NET output dir + -f, --force overwrite existing files + -g, --go generate Go + --goName string name of generated Go package (default "crds") + --goPath string optional Go output dir + -h, --help help for crd2pulumi + -j, --java generate Java + --javaBasePackage string base package of generated Java package + --javaName string name of generated Java package (default "crds") + --javaPath string optional Java output dir + -n, --nodejs generate NodeJS + --nodejsName string name of generated NodeJS package (default "crds") + --nodejsNamespace string namespace of generated NodeJS package + --nodejsPath string optional NodeJS output dir + -p, --python generate Python + --pythonName string name of generated Python package (default "crds") + --pythonPackagePrefix string prefix of generated Python package + --pythonPath string optional Python output dir + + +Use "crd2pulumi [command] --help" for more information about a command. +``` +Setting only a language-specific flag will output the generated code in the default directory; so `-d` will output to +`crds/dotnet`, `-g` will output to `crds/go`, `-j` will output to `crds/java`, `-n` will output to `crds/nodejs`, and +`-p` will output to `crds/python`. You can also specify a language-specific path (`--pythonPath`, `--nodejsPath`, etc) +to control where the code will be outputted, in which case setting `-p`, `-n`, etc becomes unnecessary. + +## Examples +Let's use the example CronTab CRD specified in `resourcedefinition.yaml` from the +[Kubernetes Documentation](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/). 
+ +### TypeScript +To generate a strongly-typed CronTab CustomResource in TypeScript, we can run this command: +```bash +$ crd2pulumi --nodejsPath ./crontabs resourcedefinition.yaml +``` +Now let's import the generated code into a Pulumi program that provisions the CRD and creates an instance of it. +```typescript +import * as crontabs from "./crontabs" +import * as pulumi from "@pulumi/pulumi" +import * as k8s from "@pulumi/kubernetes"; + +// Register the CronTab CRD. +const cronTabDefinition = new k8s.yaml.ConfigFile("my-crontab-definition", { file: "resourcedefinition.yaml" }); + +// Instantiate a CronTab resource. +const myCronTab = new crontabs.stable.v1.CronTab("my-new-cron-object", +{ + metadata: { + name: "my-new-cron-object", + }, + spec: { + cronSpec: "* * * * */5", + image: "my-awesome-cron-image", + } +}) + +``` +As you can see, the `CronTab` object is typed! For example, if you try to set +`cronSpec` to a non-string or add an extra field, your IDE should immediately warn you. + +### Python +```bash +$ crd2pulumi --pythonPath ./crontabs resourcedefinition.yaml +``` +```python +import pulumi_kubernetes as k8s +import crontabs.pulumi_crds as crontabs + + +# Register the CronTab CRD. +crontab_definition = k8s.yaml.ConfigFile("my-crontab-definition", file="resourcedefinition.yaml") + +# Instantiate a CronTab resource. +crontab_instance = crontabs.stable.v1.CronTab( + "my-new-cron-object", + metadata=k8s.meta.v1.ObjectMetaArgs( + name="my-new-cron-object" + ), + spec=crontabs.stable.v1.CronTabSpecArgs( + cron_spec="* * * */5", + image="my-awesome-cron-image", + ) +) + +``` + +### Go +```bash +$ crd2pulumi --goPath ./crontabs resourcedefinition.yaml +``` +Now we can access the `NewCronTab()` constructor. Create a `main.go` file with the following code. In this example, +the Pulumi project's module is named `crds-go-final`, so the import path is `crds-go-final/crontabs/stable/v1`. Make +sure to swap this out with your own module's name. 
+```go +package main + +import ( + crontabs_v1 "crds-go-final/crontabs/stable/v1" + + meta_v1 "github.com/pulumi/pulumi-kubernetes/sdk/v2/go/kubernetes/meta/v1" + "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +) + +func main() { + pulumi.Run(func(ctx *pulumi.Context) error { + // Register the CronTab CRD. + _, err := yaml.NewConfigFile(ctx, "my-crontab-definition", + &yaml.ConfigFileArgs{ + File: "resourcedefinition.yaml", + }, + ) + if err != nil { + return err + } + + // Instantiate a CronTab resource. + _, err := crontabs_v1.NewCronTab(ctx, "cronTabInstance", &crontabs_v1.CronTabArgs{ + Metadata: &meta_v1.ObjectMetaArgs{ + Name: pulumi.String("my-new-cron-object"), + }, + Spec: crontabs_v1.CronTabSpecArgs{ + CronSpec: pulumi.String("* * * * */5"), + Image: pulumi.String("my-awesome-cron-image"), + Replicas: pulumi.IntPtr(3), + }, + }) + if err != nil { + return err + } + + return nil + }) +} + +``` + +### C\# +```bash +$ crd2pulumi --dotnetPath ./crontabs resourcedefinition.yaml +``` +```csharp +using Pulumi; +using Pulumi.Kubernetes.Yaml; +using Pulumi.Kubernetes.Types.Inputs.Meta.V1; + +class MyStack : Stack +{ + public MyStack() + { + // Register a CronTab CRD. + var cronTabDefinition = new Pulumi.Kubernetes.Yaml.ConfigFile("my-crontab-definition", + new ConfigFileArgs{ + File = "resourcedefinition.yaml" + } + ); + + // Instantiate a CronTab resource. + var cronTabInstance = new Pulumi.Crds.Stable.V1.CronTab("cronTabInstance", + new Pulumi.Kubernetes.Types.Inputs.Stable.V1.CronTabArgs{ + Metadata = new ObjectMetaArgs{ + Name = "my-new-cron-object" + }, + Spec = new Pulumi.Kubernetes.Types.Inputs.Stable.V1.CronTabSpecArgs{ + CronSpec = "* * * * */5", + Image = "my-awesome-cron-image" + } + }); + } +} + +``` + +> If you get an `Duplicate 'global::System.Runtime.Versioning.TargetFrameworkAttribute' attribute` error when trying to run `pulumi up`, then try deleting the `crontabs/bin` and `crontabs/obj` folders. 
+ +### Java +```bash +$ crd2pulumi --javaPath ./crontabs resourcedefinition.yaml +``` +```java +package com.example; + +import com.pulumi.Pulumi; + +public class MyStack { + + public static void main(String[] args) { + Pulumi.run(ctx -> { + // Register a CronTab CRD (Coming Soon - see https://www.pulumi.com/registry/packages/kubernetes/api-docs/yaml/configfile/) + + // Instantiate a CronTab resource. + var cronTabInstance = new com.pulumi.crds.stable.v1.CronTab("cronTabInstance", + com.pulumi.crds.stable.v1.CronTabArgs.builder() + .metadata(com.pulumi.kubernetes.meta.v1.inputs.ObjectMetaArgs.builder() + .name("my-new-cron-object") + .build()) + .spec(com.pulumi.kubernetes.stable.v1.inputs.CronTabSpecArgs.builder() + .cronSpec("* * * * */5") + .image("my-awesome-cron-image") + .build()) + .build()); + }); + } +} + +``` + +Now let's run the program and perform the update. +```bash +$ pulumi up +Previewing update (dev): + Type Name Plan + pulumi:pulumi:Stack examples-dev + + ├─ kubernetes:stable.example.com:CronTab my-new-cron-object create + + └─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition my-crontab-definition create +Resources: + + 2 to create + 1 unchanged +Do you want to perform this update? yes +Updating (dev): + Type Name Status + pulumi:pulumi:Stack examples-dev + + ├─ kubernetes:stable.example.com:CronTab my-new-cron-object created + + └─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition my-crontab-definition created +Outputs: + urn: "urn:pulumi:dev::examples::kubernetes:stable.example.com/v1:CronTab::my-new-cron-object" +Resources: + + 2 created + 1 unchanged +Duration: 17s +Permalink: https://app.pulumi.com/albert-zhong/examples/dev/updates/4 +``` +It looks like both the CronTab definition and instance were both created! 
Finally, let's verify that they were created +by manually viewing the raw YAML data: +```bash +$ kubectl get ct -o yaml +``` +```yaml +- apiVersion: stable.example.com/v1 + kind: CronTab + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"stable.example.com/v1","kind":"CronTab","metadata":{"labels":{"app.kubernetes.io/managed-by":"pulumi"},"name":"my-new-cron-object"},"spec":{"cronSpec":"* * * * */5","image":"my-awesome-cron-image"}} + creationTimestamp: "2020-08-10T09:50:38Z" + generation: 1 + labels: + app.kubernetes.io/managed-by: pulumi + name: my-new-cron-object + namespace: default + resourceVersion: "1658962" + selfLink: /apis/stable.example.com/v1/namespaces/default/crontabs/my-new-cron-object + uid: 5e2c56a2-7332-49cf-b0fc-211a0892c3d5 + spec: + cronSpec: '* * * * */5' + image: my-awesome-cron-image +kind: List +metadata: + resourceVersion: "" + selfLink: "" +``` diff --git a/crd2pulumi.tar.gz b/crd2pulumi.tar.gz new file mode 100644 index 0000000..1536448 Binary files /dev/null and b/crd2pulumi.tar.gz differ diff --git a/generated/crds/gateway/index.d.ts b/generated/crds/gateway/index.d.ts index 99ab3b9..22947f3 100644 --- a/generated/crds/gateway/index.d.ts +++ b/generated/crds/gateway/index.d.ts @@ -1,6 +1,5 @@ import * as v1 from "./v1"; -import * as v1alpha1 from "./v1alpha1"; import * as v1alpha2 from "./v1alpha2"; import * as v1alpha3 from "./v1alpha3"; import * as v1beta1 from "./v1beta1"; -export { v1, v1alpha1, v1alpha2, v1alpha3, v1beta1, }; +export { v1, v1alpha2, v1alpha3, v1beta1, }; diff --git a/generated/crds/gateway/index.js b/generated/crds/gateway/index.js index be1acb6..de0d6d6 100644 --- a/generated/crds/gateway/index.js +++ b/generated/crds/gateway/index.js 
@@ -2,12 +2,10 @@ // *** WARNING: this file was generated by crd2pulumi. *** // *** Do not edit by hand unless you're certain you know what you are doing! *** Object.defineProperty(exports, "__esModule", { value: true }); -exports.v1beta1 = exports.v1alpha3 = exports.v1alpha2 = exports.v1alpha1 = exports.v1 = void 0; +exports.v1beta1 = exports.v1alpha3 = exports.v1alpha2 = exports.v1 = void 0; // Export sub-modules: const v1 = require("./v1"); exports.v1 = v1; -const v1alpha1 = require("./v1alpha1"); -exports.v1alpha1 = v1alpha1; const v1alpha2 = require("./v1alpha2"); exports.v1alpha2 = v1alpha2; const v1alpha3 = require("./v1alpha3"); diff --git a/generated/crds/gateway/index.ts b/generated/crds/gateway/index.ts index 46f2d06..476b688 100644 --- a/generated/crds/gateway/index.ts +++ b/generated/crds/gateway/index.ts @@ -5,14 +5,12 @@ import * as utilities from "../utilities"; // Export sub-modules: import * as v1 from "./v1"; -import * as v1alpha1 from "./v1alpha1"; import * as v1alpha2 from "./v1alpha2"; import * as v1alpha3 from "./v1alpha3"; import * as v1beta1 from "./v1beta1"; export { v1, - v1alpha1, v1alpha2, v1alpha3, v1beta1, diff --git a/generated/crds/gateway/v1/grpcroute.js b/generated/crds/gateway/v1/grpcroute.js index 628299e..dd9c35a 100644 --- a/generated/crds/gateway/v1/grpcroute.js +++ b/generated/crds/gateway/v1/grpcroute.js @@ -81,6 +81,8 @@ class GRPCRoute extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); + const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRoute" }] }; + opts = pulumi.mergeOptions(opts, aliasOpts); super(GRPCRoute.__pulumiType, name, resourceInputs, opts); } } diff --git a/generated/crds/gateway/v1/grpcroute.ts b/generated/crds/gateway/v1/grpcroute.ts index 4e9a8e7..4d9a4ff 100644 --- a/generated/crds/gateway/v1/grpcroute.ts +++ b/generated/crds/gateway/v1/grpcroute.ts 
@@ -101,6 +101,8 @@ export class GRPCRoute extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); + const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRoute" }] }; + opts = pulumi.mergeOptions(opts, aliasOpts); super(GRPCRoute.__pulumiType, name, resourceInputs, opts); } } diff --git a/generated/crds/gateway/v1/grpcroutePatch.js b/generated/crds/gateway/v1/grpcroutePatch.js index dc53a8f..7968b37 100644 --- a/generated/crds/gateway/v1/grpcroutePatch.js +++ b/generated/crds/gateway/v1/grpcroutePatch.js @@ -87,6 +87,8 @@ class GRPCRoutePatch extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); + const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRoutePatch" }] }; + opts = pulumi.mergeOptions(opts, aliasOpts); super(GRPCRoutePatch.__pulumiType, name, resourceInputs, opts); } } diff --git a/generated/crds/gateway/v1/grpcroutePatch.ts b/generated/crds/gateway/v1/grpcroutePatch.ts index 1807eb2..1f0e1e9 100644 --- a/generated/crds/gateway/v1/grpcroutePatch.ts +++ b/generated/crds/gateway/v1/grpcroutePatch.ts @@ -107,6 +107,8 @@ export class GRPCRoutePatch extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); + const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRoutePatch" }] }; + opts = pulumi.mergeOptions(opts, aliasOpts); super(GRPCRoutePatch.__pulumiType, name, resourceInputs, opts); } } diff --git a/generated/crds/gateway/v1/index.d.ts b/generated/crds/gateway/v1/index.d.ts index 6ef6dd9..8d76f81 100644 --- a/generated/crds/gateway/v1/index.d.ts +++ b/generated/crds/gateway/v1/index.d.ts 
@@ -1,12 +1,3 @@ -export { BackendTLSPolicyArgs } from "./backendTLSPolicy"; -export type BackendTLSPolicy = import("./backendTLSPolicy").BackendTLSPolicy; -export declare const BackendTLSPolicy: typeof import("./backendTLSPolicy").BackendTLSPolicy; -export { BackendTLSPolicyListArgs } from "./backendTLSPolicyList"; -export type BackendTLSPolicyList = import("./backendTLSPolicyList").BackendTLSPolicyList; -export declare const BackendTLSPolicyList: typeof import("./backendTLSPolicyList").BackendTLSPolicyList; -export { BackendTLSPolicyPatchArgs } from "./backendTLSPolicyPatch"; -export type BackendTLSPolicyPatch = import("./backendTLSPolicyPatch").BackendTLSPolicyPatch; -export declare const BackendTLSPolicyPatch: typeof import("./backendTLSPolicyPatch").BackendTLSPolicyPatch; export { GatewayArgs } from "./gateway"; export type Gateway = import("./gateway").Gateway; export declare const Gateway: typeof import("./gateway").Gateway; diff --git a/generated/crds/gateway/v1/index.js b/generated/crds/gateway/v1/index.js index 3d3147f..224a594 100644 --- a/generated/crds/gateway/v1/index.js +++ b/generated/crds/gateway/v1/index.js 
@@ -2,15 +2,9 @@ // *** WARNING: this file was generated by crd2pulumi. *** // *** Do not edit by hand unless you're certain you know what you are doing! *** Object.defineProperty(exports, "__esModule", { value: true }); -exports.HTTPRoutePatch = exports.HTTPRouteList = exports.HTTPRoute = exports.GRPCRoutePatch = exports.GRPCRouteList = exports.GRPCRoute = exports.GatewayPatch = exports.GatewayList = exports.GatewayClassPatch = exports.GatewayClassList = exports.GatewayClass = exports.Gateway = exports.BackendTLSPolicyPatch = exports.BackendTLSPolicyList = exports.BackendTLSPolicy = void 0; +exports.HTTPRoutePatch = exports.HTTPRouteList = exports.HTTPRoute = exports.GRPCRoutePatch = exports.GRPCRouteList = exports.GRPCRoute = exports.GatewayPatch = exports.GatewayList = exports.GatewayClassPatch = exports.GatewayClassList = exports.GatewayClass = exports.Gateway = void 0; const pulumi = require("@pulumi/pulumi"); const utilities = require("../../utilities"); -exports.BackendTLSPolicy = null; -utilities.lazyLoad(exports, ["BackendTLSPolicy"], () => require("./backendTLSPolicy")); -exports.BackendTLSPolicyList = null; -utilities.lazyLoad(exports, ["BackendTLSPolicyList"], () => require("./backendTLSPolicyList")); -exports.BackendTLSPolicyPatch = null; -utilities.lazyLoad(exports, ["BackendTLSPolicyPatch"], () => require("./backendTLSPolicyPatch")); exports.Gateway = null; utilities.lazyLoad(exports, ["Gateway"], () => require("./gateway")); exports.GatewayClass = null; 
@@ -39,12 +33,6 @@ const _module = { version: utilities.getVersion(), construct: (name, type, urn) => { switch (type) { - case "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicy": - return new exports.BackendTLSPolicy(name, undefined, { urn }); - case "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyList": - return new exports.BackendTLSPolicyList(name, undefined, { urn }); - case "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyPatch": - return new exports.BackendTLSPolicyPatch(name, undefined, { urn }); case "kubernetes:gateway.networking.k8s.io/v1:GRPCRoute": return new exports.GRPCRoute(name, undefined, { urn }); case "kubernetes:gateway.networking.k8s.io/v1:GRPCRouteList": diff --git a/generated/crds/gateway/v1/index.ts b/generated/crds/gateway/v1/index.ts index 6df6065..c32f35d 100644 --- a/generated/crds/gateway/v1/index.ts +++ b/generated/crds/gateway/v1/index.ts 
@@ -5,21 +5,6 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../../utilities"; // Export members: -export { BackendTLSPolicyArgs } from "./backendTLSPolicy"; -export type BackendTLSPolicy = import("./backendTLSPolicy").BackendTLSPolicy; -export const BackendTLSPolicy: typeof import("./backendTLSPolicy").BackendTLSPolicy = null as any; -utilities.lazyLoad(exports, ["BackendTLSPolicy"], () => require("./backendTLSPolicy")); - -export { BackendTLSPolicyListArgs } from "./backendTLSPolicyList"; -export type BackendTLSPolicyList = import("./backendTLSPolicyList").BackendTLSPolicyList; -export const BackendTLSPolicyList: typeof import("./backendTLSPolicyList").BackendTLSPolicyList = null as any; -utilities.lazyLoad(exports, ["BackendTLSPolicyList"], () => require("./backendTLSPolicyList")); - -export { BackendTLSPolicyPatchArgs } from "./backendTLSPolicyPatch"; -export type BackendTLSPolicyPatch = import("./backendTLSPolicyPatch").BackendTLSPolicyPatch; -export const BackendTLSPolicyPatch: typeof import("./backendTLSPolicyPatch").BackendTLSPolicyPatch = null as any; -utilities.lazyLoad(exports, ["BackendTLSPolicyPatch"], () => require("./backendTLSPolicyPatch")); - export { GatewayArgs } from "./gateway"; export type Gateway = import("./gateway").Gateway; export const Gateway: typeof import("./gateway").Gateway = null as any; 
@@ -85,12 +70,6 @@ const _module = { version: utilities.getVersion(), construct: (name: string, type: string, urn: string): pulumi.Resource => { switch (type) { - case "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicy": - return new BackendTLSPolicy(name, undefined, { urn }) - case "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyList": - return new BackendTLSPolicyList(name, undefined, { urn }) - case "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyPatch": - return new BackendTLSPolicyPatch(name, undefined, { urn }) case "kubernetes:gateway.networking.k8s.io/v1:GRPCRoute": return new GRPCRoute(name, undefined, { urn }) case "kubernetes:gateway.networking.k8s.io/v1:GRPCRouteList": diff --git a/generated/crds/gateway/v1alpha1/index.d.ts b/generated/crds/gateway/v1alpha1/index.d.ts deleted file mode 100644 index c25dcc0..0000000 --- a/generated/crds/gateway/v1alpha1/index.d.ts +++ /dev/null 
@@ -1,27 +0,0 @@ -export { XBackendTrafficPolicyArgs } from "./xbackendTrafficPolicy"; -export type XBackendTrafficPolicy = import("./xbackendTrafficPolicy").XBackendTrafficPolicy; -export declare const XBackendTrafficPolicy: typeof import("./xbackendTrafficPolicy").XBackendTrafficPolicy; -export { XBackendTrafficPolicyListArgs } from "./xbackendTrafficPolicyList"; -export type XBackendTrafficPolicyList = import("./xbackendTrafficPolicyList").XBackendTrafficPolicyList; -export declare const XBackendTrafficPolicyList: typeof import("./xbackendTrafficPolicyList").XBackendTrafficPolicyList; -export { XBackendTrafficPolicyPatchArgs } from "./xbackendTrafficPolicyPatch"; -export type XBackendTrafficPolicyPatch = import("./xbackendTrafficPolicyPatch").XBackendTrafficPolicyPatch; -export declare const XBackendTrafficPolicyPatch: typeof import("./xbackendTrafficPolicyPatch").XBackendTrafficPolicyPatch; -export { XListenerSetArgs } from "./xlistenerSet"; -export type XListenerSet = import("./xlistenerSet").XListenerSet; -export declare const XListenerSet: typeof import("./xlistenerSet").XListenerSet; -export { XListenerSetListArgs } from "./xlistenerSetList"; -export type XListenerSetList = import("./xlistenerSetList").XListenerSetList; -export declare const XListenerSetList: typeof import("./xlistenerSetList").XListenerSetList; -export { XListenerSetPatchArgs } from "./xlistenerSetPatch"; -export type XListenerSetPatch = import("./xlistenerSetPatch").XListenerSetPatch; -export declare const XListenerSetPatch: typeof import("./xlistenerSetPatch").XListenerSetPatch; -export { XMeshArgs } from "./xmesh"; -export type XMesh = import("./xmesh").XMesh; -export declare const XMesh: typeof import("./xmesh").XMesh; -export { XMeshListArgs } from "./xmeshList"; -export type XMeshList = import("./xmeshList").XMeshList; -export declare const XMeshList: typeof import("./xmeshList").XMeshList; -export { XMeshPatchArgs } from "./xmeshPatch"; -export type XMeshPatch = 
import("./xmeshPatch").XMeshPatch; -export declare const XMeshPatch: typeof import("./xmeshPatch").XMeshPatch; diff --git a/generated/crds/gateway/v1alpha1/index.js b/generated/crds/gateway/v1alpha1/index.js deleted file mode 100644 index 75e3ad1..0000000 --- a/generated/crds/gateway/v1alpha1/index.js +++ /dev/null 
@@ -1,53 +0,0 @@ -"use strict"; -// *** WARNING: this file was generated by crd2pulumi. *** -// *** Do not edit by hand unless you're certain you know what you are doing! *** -Object.defineProperty(exports, "__esModule", { value: true }); -exports.XMeshPatch = exports.XMeshList = exports.XMesh = exports.XListenerSetPatch = exports.XListenerSetList = exports.XListenerSet = exports.XBackendTrafficPolicyPatch = exports.XBackendTrafficPolicyList = exports.XBackendTrafficPolicy = void 0; -const pulumi = require("@pulumi/pulumi"); -const utilities = require("../../utilities"); -exports.XBackendTrafficPolicy = null; -utilities.lazyLoad(exports, ["XBackendTrafficPolicy"], () => require("./xbackendTrafficPolicy")); -exports.XBackendTrafficPolicyList = null; -utilities.lazyLoad(exports, ["XBackendTrafficPolicyList"], () => require("./xbackendTrafficPolicyList")); -exports.XBackendTrafficPolicyPatch = null; -utilities.lazyLoad(exports, ["XBackendTrafficPolicyPatch"], () => require("./xbackendTrafficPolicyPatch")); -exports.XListenerSet = null; -utilities.lazyLoad(exports, ["XListenerSet"], () => require("./xlistenerSet")); -exports.XListenerSetList = null; -utilities.lazyLoad(exports, ["XListenerSetList"], () => require("./xlistenerSetList")); -exports.XListenerSetPatch = null; -utilities.lazyLoad(exports, ["XListenerSetPatch"], () => require("./xlistenerSetPatch")); -exports.XMesh = null; -utilities.lazyLoad(exports, ["XMesh"], () => require("./xmesh")); -exports.XMeshList = null; -utilities.lazyLoad(exports, ["XMeshList"], () => require("./xmeshList")); -exports.XMeshPatch = null; -utilities.lazyLoad(exports, ["XMeshPatch"], () => require("./xmeshPatch")); -const _module = { - version: utilities.getVersion(), - construct: (name, type, urn) => { - switch (type) { - case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicy": - return new exports.XBackendTrafficPolicy(name, undefined, { urn }); - case 
"kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyList": - return new exports.XBackendTrafficPolicyList(name, undefined, { urn }); - case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyPatch": - return new exports.XBackendTrafficPolicyPatch(name, undefined, { urn }); - case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSet": - return new exports.XListenerSet(name, undefined, { urn }); - case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetList": - return new exports.XListenerSetList(name, undefined, { urn }); - case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetPatch": - return new exports.XListenerSetPatch(name, undefined, { urn }); - case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMesh": - return new exports.XMesh(name, undefined, { urn }); - case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshList": - return new exports.XMeshList(name, undefined, { urn }); - case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshPatch": - return new exports.XMeshPatch(name, undefined, { urn }); - default: - throw new Error(`unknown resource type ${type}`); - } - }, -}; -pulumi.runtime.registerResourceModule("crds", "gateway.networking.x-k8s.io/v1alpha1", _module); diff --git a/generated/crds/gateway/v1alpha1/index.ts b/generated/crds/gateway/v1alpha1/index.ts deleted file mode 100644 index fad4e1a..0000000 --- a/generated/crds/gateway/v1alpha1/index.ts +++ /dev/null 
@@ -1,81 +0,0 @@ -// *** WARNING: this file was generated by crd2pulumi. *** -// *** Do not edit by hand unless you're certain you know what you are doing! *** - -import * as pulumi from "@pulumi/pulumi"; -import * as utilities from "../../utilities"; - -// Export members: -export { XBackendTrafficPolicyArgs } from "./xbackendTrafficPolicy"; -export type XBackendTrafficPolicy = import("./xbackendTrafficPolicy").XBackendTrafficPolicy; -export const XBackendTrafficPolicy: typeof import("./xbackendTrafficPolicy").XBackendTrafficPolicy = null as any; -utilities.lazyLoad(exports, ["XBackendTrafficPolicy"], () => require("./xbackendTrafficPolicy")); - -export { XBackendTrafficPolicyListArgs } from "./xbackendTrafficPolicyList"; -export type XBackendTrafficPolicyList = import("./xbackendTrafficPolicyList").XBackendTrafficPolicyList; -export const XBackendTrafficPolicyList: typeof import("./xbackendTrafficPolicyList").XBackendTrafficPolicyList = null as any; -utilities.lazyLoad(exports, ["XBackendTrafficPolicyList"], () => require("./xbackendTrafficPolicyList")); - -export { XBackendTrafficPolicyPatchArgs } from "./xbackendTrafficPolicyPatch"; -export type XBackendTrafficPolicyPatch = import("./xbackendTrafficPolicyPatch").XBackendTrafficPolicyPatch; -export const XBackendTrafficPolicyPatch: typeof import("./xbackendTrafficPolicyPatch").XBackendTrafficPolicyPatch = null as any; -utilities.lazyLoad(exports, ["XBackendTrafficPolicyPatch"], () => require("./xbackendTrafficPolicyPatch")); - -export { XListenerSetArgs } from "./xlistenerSet"; -export type XListenerSet = import("./xlistenerSet").XListenerSet; -export const XListenerSet: typeof import("./xlistenerSet").XListenerSet = null as any; -utilities.lazyLoad(exports, ["XListenerSet"], () => require("./xlistenerSet")); - -export { XListenerSetListArgs } from "./xlistenerSetList"; -export type XListenerSetList = import("./xlistenerSetList").XListenerSetList; -export const XListenerSetList: typeof 
import("./xlistenerSetList").XListenerSetList = null as any; -utilities.lazyLoad(exports, ["XListenerSetList"], () => require("./xlistenerSetList")); - -export { XListenerSetPatchArgs } from "./xlistenerSetPatch"; -export type XListenerSetPatch = import("./xlistenerSetPatch").XListenerSetPatch; -export const XListenerSetPatch: typeof import("./xlistenerSetPatch").XListenerSetPatch = null as any; -utilities.lazyLoad(exports, ["XListenerSetPatch"], () => require("./xlistenerSetPatch")); - -export { XMeshArgs } from "./xmesh"; -export type XMesh = import("./xmesh").XMesh; -export const XMesh: typeof import("./xmesh").XMesh = null as any; -utilities.lazyLoad(exports, ["XMesh"], () => require("./xmesh")); - -export { XMeshListArgs } from "./xmeshList"; -export type XMeshList = import("./xmeshList").XMeshList; -export const XMeshList: typeof import("./xmeshList").XMeshList = null as any; -utilities.lazyLoad(exports, ["XMeshList"], () => require("./xmeshList")); - -export { XMeshPatchArgs } from "./xmeshPatch"; -export type XMeshPatch = import("./xmeshPatch").XMeshPatch; -export const XMeshPatch: typeof import("./xmeshPatch").XMeshPatch = null as any; -utilities.lazyLoad(exports, ["XMeshPatch"], () => require("./xmeshPatch")); - - -const _module = { - version: utilities.getVersion(), - construct: (name: string, type: string, urn: string): pulumi.Resource => { - switch (type) { - case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicy": - return new XBackendTrafficPolicy(name, undefined, { urn }) - case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyList": - return new XBackendTrafficPolicyList(name, undefined, { urn }) - case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyPatch": - return new XBackendTrafficPolicyPatch(name, undefined, { urn }) - case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSet": - return new XListenerSet(name, undefined, { urn }) - case 
"kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetList": - return new XListenerSetList(name, undefined, { urn }) - case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetPatch": - return new XListenerSetPatch(name, undefined, { urn }) - case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMesh": - return new XMesh(name, undefined, { urn }) - case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshList": - return new XMeshList(name, undefined, { urn }) - case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshPatch": - return new XMeshPatch(name, undefined, { urn }) - default: - throw new Error(`unknown resource type ${type}`); - } - }, -}; -pulumi.runtime.registerResourceModule("crds", "gateway.networking.x-k8s.io/v1alpha1", _module) diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.d.ts b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.d.ts deleted file mode 100644 index 2499b52..0000000 --- a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.d.ts +++ /dev/null 
@@ -1,65 +0,0 @@ -import * as pulumi from "@pulumi/pulumi"; -import * as inputs from "../../types/input"; -import * as outputs from "../../types/output"; -/** - * XBackendTrafficPolicy defines the configuration for how traffic to a - * target backend should be handled. - */ -export declare class XBackendTrafficPolicy extends pulumi.CustomResource { - /** - * Get an existing XBackendTrafficPolicy resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XBackendTrafficPolicy; - /** @internal */ - static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicy"; - /** - * Returns true if the given object is an instance of XBackendTrafficPolicy. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - static isInstance(obj: any): obj is XBackendTrafficPolicy; - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - readonly kind: pulumi.Output<"XBackendTrafficPolicy">; - /** - * Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - readonly metadata: pulumi.Output; - readonly spec: pulumi.Output; - readonly status: pulumi.Output; - /** - * Create a XBackendTrafficPolicy resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name: string, args?: XBackendTrafficPolicyArgs, opts?: pulumi.CustomResourceOptions); -} -/** - * The set of arguments for constructing a XBackendTrafficPolicy resource. - */ -export interface XBackendTrafficPolicyArgs { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind?: pulumi.Input<"XBackendTrafficPolicy">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata?: pulumi.Input; - spec?: pulumi.Input; -} diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.js b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.js deleted file mode 100644 index 13ab344..0000000 --- a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.js +++ /dev/null 
@@ -1,64 +0,0 @@ -"use strict"; -// *** WARNING: this file was generated by crd2pulumi. *** -// *** Do not edit by hand unless you're certain you know what you are doing! *** -Object.defineProperty(exports, "__esModule", { value: true }); -exports.XBackendTrafficPolicy = void 0; -const pulumi = require("@pulumi/pulumi"); -const utilities = require("../../utilities"); -/** - * XBackendTrafficPolicy defines the configuration for how traffic to a - * target backend should be handled. - */ -class XBackendTrafficPolicy extends pulumi.CustomResource { - /** - * Get an existing XBackendTrafficPolicy resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - static get(name, id, opts) { - return new XBackendTrafficPolicy(name, undefined, { ...opts, id: id }); - } - /** - * Returns true if the given object is an instance of XBackendTrafficPolicy. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - static isInstance(obj) { - if (obj === undefined || obj === null) { - return false; - } - return obj['__pulumiType'] === XBackendTrafficPolicy.__pulumiType; - } - /** - * Create a XBackendTrafficPolicy resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name, args, opts) { - let resourceInputs = {}; - opts = opts || {}; - if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; - resourceInputs["kind"] = "XBackendTrafficPolicy"; - resourceInputs["metadata"] = args ? 
args.metadata : undefined; - resourceInputs["spec"] = args ? args.spec : undefined; - resourceInputs["status"] = undefined /*out*/; - } - else { - resourceInputs["apiVersion"] = undefined /*out*/; - resourceInputs["kind"] = undefined /*out*/; - resourceInputs["metadata"] = undefined /*out*/; - resourceInputs["spec"] = undefined /*out*/; - resourceInputs["status"] = undefined /*out*/; - } - opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XBackendTrafficPolicy.__pulumiType, name, resourceInputs, opts); - } -} -exports.XBackendTrafficPolicy = XBackendTrafficPolicy; -/** @internal */ -XBackendTrafficPolicy.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicy'; diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.ts b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.ts deleted file mode 100644 index 471cb7f..0000000 --- a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.ts +++ /dev/null 
@@ -1,100 +0,0 @@ -// *** WARNING: this file was generated by crd2pulumi. *** -// *** Do not edit by hand unless you're certain you know what you are doing! *** - -import * as pulumi from "@pulumi/pulumi"; -import * as inputs from "../../types/input"; -import * as outputs from "../../types/output"; -import * as utilities from "../../utilities"; - -/** - * XBackendTrafficPolicy defines the configuration for how traffic to a - * target backend should be handled. - */ -export class XBackendTrafficPolicy extends pulumi.CustomResource { - /** - * Get an existing XBackendTrafficPolicy resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XBackendTrafficPolicy { - return new XBackendTrafficPolicy(name, undefined as any, { ...opts, id: id }); - } - - /** @internal */ - public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicy'; - - /** - * Returns true if the given object is an instance of XBackendTrafficPolicy. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - public static isInstance(obj: any): obj is XBackendTrafficPolicy { - if (obj === undefined || obj === null) { - return false; - } - return obj['__pulumiType'] === XBackendTrafficPolicy.__pulumiType; - } - - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - public readonly kind!: pulumi.Output<"XBackendTrafficPolicy">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - public readonly metadata!: pulumi.Output; - public readonly spec!: pulumi.Output; - public /*out*/ readonly status!: pulumi.Output; - - /** - * Create a XBackendTrafficPolicy resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name: string, args?: XBackendTrafficPolicyArgs, opts?: pulumi.CustomResourceOptions) { - let resourceInputs: pulumi.Inputs = {}; - opts = opts || {}; - if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; - resourceInputs["kind"] = "XBackendTrafficPolicy"; - resourceInputs["metadata"] = args ? args.metadata : undefined; - resourceInputs["spec"] = args ? 
args.spec : undefined; - resourceInputs["status"] = undefined /*out*/; - } else { - resourceInputs["apiVersion"] = undefined /*out*/; - resourceInputs["kind"] = undefined /*out*/; - resourceInputs["metadata"] = undefined /*out*/; - resourceInputs["spec"] = undefined /*out*/; - resourceInputs["status"] = undefined /*out*/; - } - opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XBackendTrafficPolicy.__pulumiType, name, resourceInputs, opts); - } -} - -/** - * The set of arguments for constructing a XBackendTrafficPolicy resource. - */ -export interface XBackendTrafficPolicyArgs { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind?: pulumi.Input<"XBackendTrafficPolicy">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata?: pulumi.Input; - spec?: pulumi.Input; -} diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.d.ts b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.d.ts deleted file mode 100644 index af63b79..0000000 --- a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.d.ts +++ /dev/null 
@@ -1,69 +0,0 @@ -import * as pulumi from "@pulumi/pulumi"; -import * as inputs from "../../types/input"; -import * as outputs from "../../types/output"; -/** - * XBackendTrafficPolicyList is a list of XBackendTrafficPolicy - */ -export declare class XBackendTrafficPolicyList extends pulumi.CustomResource { - /** - * Get an existing XBackendTrafficPolicyList resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XBackendTrafficPolicyList; - /** @internal */ - static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyList"; - /** - * Returns true if the given object is an instance of XBackendTrafficPolicyList. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - static isInstance(obj: any): obj is XBackendTrafficPolicyList; - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * List of xbackendtrafficpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md - */ - readonly items: pulumi.Output; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - readonly kind: pulumi.Output<"XBackendTrafficPolicyList">; - /** - * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - readonly metadata: pulumi.Output; - /** - * Create a XBackendTrafficPolicyList resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name: string, args?: XBackendTrafficPolicyListArgs, opts?: pulumi.CustomResourceOptions); -} -/** - * The set of arguments for constructing a XBackendTrafficPolicyList resource. - */ -export interface XBackendTrafficPolicyListArgs { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * List of xbackendtrafficpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md - */ - items: pulumi.Input[]>; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind?: pulumi.Input<"XBackendTrafficPolicyList">; - /** - * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - metadata?: pulumi.Input; -} 
diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.js b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.js deleted file mode 100644 index 0d96f86..0000000 --- a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.js +++ /dev/null 
@@ -1,64 +0,0 @@ -"use strict"; -// *** WARNING: this file was generated by crd2pulumi. *** -// *** Do not edit by hand unless you're certain you know what you are doing! *** -Object.defineProperty(exports, "__esModule", { value: true }); -exports.XBackendTrafficPolicyList = void 0; -const pulumi = require("@pulumi/pulumi"); -const utilities = require("../../utilities"); -/** - * XBackendTrafficPolicyList is a list of XBackendTrafficPolicy - */ -class XBackendTrafficPolicyList extends pulumi.CustomResource { - /** - * Get an existing XBackendTrafficPolicyList resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - static get(name, id, opts) { - return new XBackendTrafficPolicyList(name, undefined, { ...opts, id: id }); - } - /** - * Returns true if the given object is an instance of XBackendTrafficPolicyList. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - static isInstance(obj) { - if (obj === undefined || obj === null) { - return false; - } - return obj['__pulumiType'] === XBackendTrafficPolicyList.__pulumiType; - } - /** - * Create a XBackendTrafficPolicyList resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. 
- */ - constructor(name, args, opts) { - let resourceInputs = {}; - opts = opts || {}; - if (!opts.id) { - if ((!args || args.items === undefined) && !opts.urn) { - throw new Error("Missing required property 'items'"); - } - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; - resourceInputs["items"] = args ? args.items : undefined; - resourceInputs["kind"] = "XBackendTrafficPolicyList"; - resourceInputs["metadata"] = args ? args.metadata : undefined; - } - else { - resourceInputs["apiVersion"] = undefined /*out*/; - resourceInputs["items"] = undefined /*out*/; - resourceInputs["kind"] = undefined /*out*/; - resourceInputs["metadata"] = undefined /*out*/; - } - opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XBackendTrafficPolicyList.__pulumiType, name, resourceInputs, opts); - } -} -exports.XBackendTrafficPolicyList = XBackendTrafficPolicyList; -/** @internal */ -XBackendTrafficPolicyList.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyList'; diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.ts b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.ts deleted file mode 100644 index a12df0e..0000000 --- a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.ts +++ /dev/null 
@@ -1,105 +0,0 @@ -// *** WARNING: this file was generated by crd2pulumi. *** -// *** Do not edit by hand unless you're certain you know what you are doing! *** - -import * as pulumi from "@pulumi/pulumi"; -import * as inputs from "../../types/input"; -import * as outputs from "../../types/output"; -import * as utilities from "../../utilities"; - -/** - * XBackendTrafficPolicyList is a list of XBackendTrafficPolicy - */ -export class XBackendTrafficPolicyList extends pulumi.CustomResource { - /** - * Get an existing XBackendTrafficPolicyList resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XBackendTrafficPolicyList { - return new XBackendTrafficPolicyList(name, undefined as any, { ...opts, id: id }); - } - - /** @internal */ - public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyList'; - - /** - * Returns true if the given object is an instance of XBackendTrafficPolicyList. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - public static isInstance(obj: any): obj is XBackendTrafficPolicyList { - if (obj === undefined || obj === null) { - return false; - } - return obj['__pulumiType'] === XBackendTrafficPolicyList.__pulumiType; - } - - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * List of xbackendtrafficpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md - */ - public readonly items!: pulumi.Output; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - public readonly kind!: pulumi.Output<"XBackendTrafficPolicyList">; - /** - * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - public readonly metadata!: pulumi.Output; - - /** - * Create a XBackendTrafficPolicyList resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name: string, args?: XBackendTrafficPolicyListArgs, opts?: pulumi.CustomResourceOptions) { - let resourceInputs: pulumi.Inputs = {}; - opts = opts || {}; - if (!opts.id) { - if ((!args || args.items === undefined) && !opts.urn) { - throw new Error("Missing required property 'items'"); - } - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; - resourceInputs["items"] = args ? args.items : undefined; - resourceInputs["kind"] = "XBackendTrafficPolicyList"; - resourceInputs["metadata"] = args ? 
args.metadata : undefined; - } else { - resourceInputs["apiVersion"] = undefined /*out*/; - resourceInputs["items"] = undefined /*out*/; - resourceInputs["kind"] = undefined /*out*/; - resourceInputs["metadata"] = undefined /*out*/; - } - opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XBackendTrafficPolicyList.__pulumiType, name, resourceInputs, opts); - } -} - -/** - * The set of arguments for constructing a XBackendTrafficPolicyList resource. - */ -export interface XBackendTrafficPolicyListArgs { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * List of xbackendtrafficpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md - */ - items: pulumi.Input[]>; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind?: pulumi.Input<"XBackendTrafficPolicyList">; - /** - * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - metadata?: pulumi.Input; -} diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.d.ts b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.d.ts deleted file mode 100644 index 9810e7a..0000000 --- a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.d.ts +++ /dev/null 
@@ -1,71 +0,0 @@ -import * as pulumi from "@pulumi/pulumi"; -import * as inputs from "../../types/input"; -import * as outputs from "../../types/output"; -/** - * Patch resources are used to modify existing Kubernetes resources by using - * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than - * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource. - * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the - * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for - * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi. - * XBackendTrafficPolicy defines the configuration for how traffic to a - * target backend should be handled. - */ -export declare class XBackendTrafficPolicyPatch extends pulumi.CustomResource { - /** - * Get an existing XBackendTrafficPolicyPatch resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XBackendTrafficPolicyPatch; - /** @internal */ - static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyPatch"; - /** - * Returns true if the given object is an instance of XBackendTrafficPolicyPatch. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. 
- */ - static isInstance(obj: any): obj is XBackendTrafficPolicyPatch; - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - readonly kind: pulumi.Output<"XBackendTrafficPolicy">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - readonly metadata: pulumi.Output; - readonly spec: pulumi.Output; - readonly status: pulumi.Output; - /** - * Create a XBackendTrafficPolicyPatch resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name: string, args?: XBackendTrafficPolicyPatchArgs, opts?: pulumi.CustomResourceOptions); -} -/** - * The set of arguments for constructing a XBackendTrafficPolicyPatch resource. - */ -export interface XBackendTrafficPolicyPatchArgs { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind?: pulumi.Input<"XBackendTrafficPolicy">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata?: pulumi.Input; - spec?: pulumi.Input; -} diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.js b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.js deleted file mode 100644 index 027697c..0000000 --- a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.js +++ /dev/null 
@@ -1,70 +0,0 @@ -"use strict"; -// *** WARNING: this file was generated by crd2pulumi. *** -// *** Do not edit by hand unless you're certain you know what you are doing! *** -Object.defineProperty(exports, "__esModule", { value: true }); -exports.XBackendTrafficPolicyPatch = void 0; -const pulumi = require("@pulumi/pulumi"); -const utilities = require("../../utilities"); -/** - * Patch resources are used to modify existing Kubernetes resources by using - * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than - * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource. - * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the - * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for - * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi. - * XBackendTrafficPolicy defines the configuration for how traffic to a - * target backend should be handled. - */ -class XBackendTrafficPolicyPatch extends pulumi.CustomResource { - /** - * Get an existing XBackendTrafficPolicyPatch resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - static get(name, id, opts) { - return new XBackendTrafficPolicyPatch(name, undefined, { ...opts, id: id }); - } - /** - * Returns true if the given object is an instance of XBackendTrafficPolicyPatch. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. 
- */ - static isInstance(obj) { - if (obj === undefined || obj === null) { - return false; - } - return obj['__pulumiType'] === XBackendTrafficPolicyPatch.__pulumiType; - } - /** - * Create a XBackendTrafficPolicyPatch resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name, args, opts) { - let resourceInputs = {}; - opts = opts || {}; - if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; - resourceInputs["kind"] = "XBackendTrafficPolicy"; - resourceInputs["metadata"] = args ? args.metadata : undefined; - resourceInputs["spec"] = args ? args.spec : undefined; - resourceInputs["status"] = undefined /*out*/; - } - else { - resourceInputs["apiVersion"] = undefined /*out*/; - resourceInputs["kind"] = undefined /*out*/; - resourceInputs["metadata"] = undefined /*out*/; - resourceInputs["spec"] = undefined /*out*/; - resourceInputs["status"] = undefined /*out*/; - } - opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XBackendTrafficPolicyPatch.__pulumiType, name, resourceInputs, opts); - } -} -exports.XBackendTrafficPolicyPatch = XBackendTrafficPolicyPatch; -/** @internal */ -XBackendTrafficPolicyPatch.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyPatch'; diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.ts b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.ts deleted file mode 100644 index de47d3c..0000000 --- a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.ts +++ /dev/null 
@@ -1,106 +0,0 @@ -// *** WARNING: this file was generated by crd2pulumi. *** -// *** Do not edit by hand unless you're certain you know what you are doing! *** - -import * as pulumi from "@pulumi/pulumi"; -import * as inputs from "../../types/input"; -import * as outputs from "../../types/output"; -import * as utilities from "../../utilities"; - -/** - * Patch resources are used to modify existing Kubernetes resources by using - * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than - * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource. - * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the - * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for - * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi. - * XBackendTrafficPolicy defines the configuration for how traffic to a - * target backend should be handled. - */ -export class XBackendTrafficPolicyPatch extends pulumi.CustomResource { - /** - * Get an existing XBackendTrafficPolicyPatch resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. 
- */ - public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XBackendTrafficPolicyPatch { - return new XBackendTrafficPolicyPatch(name, undefined as any, { ...opts, id: id }); - } - - /** @internal */ - public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyPatch'; - - /** - * Returns true if the given object is an instance of XBackendTrafficPolicyPatch. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - public static isInstance(obj: any): obj is XBackendTrafficPolicyPatch { - if (obj === undefined || obj === null) { - return false; - } - return obj['__pulumiType'] === XBackendTrafficPolicyPatch.__pulumiType; - } - - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - public readonly kind!: pulumi.Output<"XBackendTrafficPolicy">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - public readonly metadata!: pulumi.Output; - public readonly spec!: pulumi.Output; - public /*out*/ readonly status!: pulumi.Output; - - /** - * Create a XBackendTrafficPolicyPatch resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. 
- * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name: string, args?: XBackendTrafficPolicyPatchArgs, opts?: pulumi.CustomResourceOptions) { - let resourceInputs: pulumi.Inputs = {}; - opts = opts || {}; - if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; - resourceInputs["kind"] = "XBackendTrafficPolicy"; - resourceInputs["metadata"] = args ? args.metadata : undefined; - resourceInputs["spec"] = args ? args.spec : undefined; - resourceInputs["status"] = undefined /*out*/; - } else { - resourceInputs["apiVersion"] = undefined /*out*/; - resourceInputs["kind"] = undefined /*out*/; - resourceInputs["metadata"] = undefined /*out*/; - resourceInputs["spec"] = undefined /*out*/; - resourceInputs["status"] = undefined /*out*/; - } - opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XBackendTrafficPolicyPatch.__pulumiType, name, resourceInputs, opts); - } -} - -/** - * The set of arguments for constructing a XBackendTrafficPolicyPatch resource. - */ -export interface XBackendTrafficPolicyPatchArgs { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind?: pulumi.Input<"XBackendTrafficPolicy">; - /** - * Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata?: pulumi.Input; - spec?: pulumi.Input; -} diff --git a/generated/crds/gateway/v1alpha1/xlistenerSet.d.ts b/generated/crds/gateway/v1alpha1/xlistenerSet.d.ts deleted file mode 100644 index 56dac3a..0000000 --- a/generated/crds/gateway/v1alpha1/xlistenerSet.d.ts +++ /dev/null 
@@ -1,90 +0,0 @@ -import * as pulumi from "@pulumi/pulumi"; -import * as inputs from "../../types/input"; -import * as outputs from "../../types/output"; -/** - * XListenerSet defines a set of additional listeners to attach to an existing Gateway. - * This resource provides a mechanism to merge multiple listeners into a single Gateway. - * - * The parent Gateway must explicitly allow ListenerSet attachment through its - * AllowedListeners configuration. By default, Gateways do not allow ListenerSet - * attachment. - * - * Routes can attach to a ListenerSet by specifying it as a parentRef, and can - * optionally target specific listeners using the sectionName field. - * - * Policy Attachment: - * - Policies that attach to a ListenerSet apply to all listeners defined in that resource - * - Policies do not impact listeners in the parent Gateway - * - Different ListenerSets attached to the same Gateway can have different policies - * - If an implementation cannot apply a policy to specific listeners, it should reject the policy - * - * ReferenceGrant Semantics: - * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets - * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners - * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant - * - * Gateway Integration: - * - The parent Gateway's status will include an "AttachedListenerSets" condition - * - This condition will be: - * - True: when AllowedListeners is set and at least one child ListenerSet is attached - * - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false - * - Unknown: when no AllowedListeners config is present - */ -export declare class XListenerSet extends pulumi.CustomResource { - /** - * Get an existing XListenerSet resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. 
- * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XListenerSet; - /** @internal */ - static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSet"; - /** - * Returns true if the given object is an instance of XListenerSet. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - static isInstance(obj: any): obj is XListenerSet; - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - readonly kind: pulumi.Output<"XListenerSet">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - readonly metadata: pulumi.Output; - readonly spec: pulumi.Output; - readonly status: pulumi.Output; - /** - * Create a XListenerSet resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. 
- */ - constructor(name: string, args?: XListenerSetArgs, opts?: pulumi.CustomResourceOptions); -} -/** - * The set of arguments for constructing a XListenerSet resource. - */ -export interface XListenerSetArgs { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind?: pulumi.Input<"XListenerSet">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata?: pulumi.Input; - spec?: pulumi.Input; -} diff --git a/generated/crds/gateway/v1alpha1/xlistenerSet.js b/generated/crds/gateway/v1alpha1/xlistenerSet.js deleted file mode 100644 index 92c6b15..0000000 --- a/generated/crds/gateway/v1alpha1/xlistenerSet.js +++ /dev/null 
@@ -1,89 +0,0 @@ -"use strict"; -// *** WARNING: this file was generated by crd2pulumi. *** -// *** Do not edit by hand unless you're certain you know what you are doing! *** -Object.defineProperty(exports, "__esModule", { value: true }); -exports.XListenerSet = void 0; -const pulumi = require("@pulumi/pulumi"); -const utilities = require("../../utilities"); -/** - * XListenerSet defines a set of additional listeners to attach to an existing Gateway. - * This resource provides a mechanism to merge multiple listeners into a single Gateway. - * - * The parent Gateway must explicitly allow ListenerSet attachment through its - * AllowedListeners configuration. By default, Gateways do not allow ListenerSet - * attachment. - * - * Routes can attach to a ListenerSet by specifying it as a parentRef, and can - * optionally target specific listeners using the sectionName field. - * - * Policy Attachment: - * - Policies that attach to a ListenerSet apply to all listeners defined in that resource - * - Policies do not impact listeners in the parent Gateway - * - Different ListenerSets attached to the same Gateway can have different policies - * - If an implementation cannot apply a policy to specific listeners, it should reject the policy - * - * ReferenceGrant Semantics: - * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets - * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners - * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant - * - * Gateway Integration: - * - The parent Gateway's status will include an "AttachedListenerSets" condition - * - This condition will be: - * - True: when AllowedListeners is set and at least one child ListenerSet is attached - * - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false - * - Unknown: when no AllowedListeners config is present - */ -class 
XListenerSet extends pulumi.CustomResource { - /** - * Get an existing XListenerSet resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - static get(name, id, opts) { - return new XListenerSet(name, undefined, { ...opts, id: id }); - } - /** - * Returns true if the given object is an instance of XListenerSet. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - static isInstance(obj) { - if (obj === undefined || obj === null) { - return false; - } - return obj['__pulumiType'] === XListenerSet.__pulumiType; - } - /** - * Create a XListenerSet resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name, args, opts) { - let resourceInputs = {}; - opts = opts || {}; - if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; - resourceInputs["kind"] = "XListenerSet"; - resourceInputs["metadata"] = args ? args.metadata : undefined; - resourceInputs["spec"] = args ? 
args.spec : undefined; - resourceInputs["status"] = undefined /*out*/; - } - else { - resourceInputs["apiVersion"] = undefined /*out*/; - resourceInputs["kind"] = undefined /*out*/; - resourceInputs["metadata"] = undefined /*out*/; - resourceInputs["spec"] = undefined /*out*/; - resourceInputs["status"] = undefined /*out*/; - } - opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XListenerSet.__pulumiType, name, resourceInputs, opts); - } -} -exports.XListenerSet = XListenerSet; -/** @internal */ -XListenerSet.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSet'; diff --git a/generated/crds/gateway/v1alpha1/xlistenerSet.ts b/generated/crds/gateway/v1alpha1/xlistenerSet.ts deleted file mode 100644 index a2e8757..0000000 --- a/generated/crds/gateway/v1alpha1/xlistenerSet.ts +++ /dev/null 
@@ -1,125 +0,0 @@ -// *** WARNING: this file was generated by crd2pulumi. *** -// *** Do not edit by hand unless you're certain you know what you are doing! *** - -import * as pulumi from "@pulumi/pulumi"; -import * as inputs from "../../types/input"; -import * as outputs from "../../types/output"; -import * as utilities from "../../utilities"; - -/** - * XListenerSet defines a set of additional listeners to attach to an existing Gateway. - * This resource provides a mechanism to merge multiple listeners into a single Gateway. - * - * The parent Gateway must explicitly allow ListenerSet attachment through its - * AllowedListeners configuration. By default, Gateways do not allow ListenerSet - * attachment. - * - * Routes can attach to a ListenerSet by specifying it as a parentRef, and can - * optionally target specific listeners using the sectionName field. - * - * Policy Attachment: - * - Policies that attach to a ListenerSet apply to all listeners defined in that resource - * - Policies do not impact listeners in the parent Gateway - * - Different ListenerSets attached to the same Gateway can have different policies - * - If an implementation cannot apply a policy to specific listeners, it should reject the policy - * - * ReferenceGrant Semantics: - * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets - * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners - * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant - * - * Gateway Integration: - * - The parent Gateway's status will include an "AttachedListenerSets" condition - * - This condition will be: - * - True: when AllowedListeners is set and at least one child ListenerSet is attached - * - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false - * - Unknown: when no AllowedListeners config is present - */ -export class XListenerSet 
extends pulumi.CustomResource { - /** - * Get an existing XListenerSet resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XListenerSet { - return new XListenerSet(name, undefined as any, { ...opts, id: id }); - } - - /** @internal */ - public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSet'; - - /** - * Returns true if the given object is an instance of XListenerSet. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - public static isInstance(obj: any): obj is XListenerSet { - if (obj === undefined || obj === null) { - return false; - } - return obj['__pulumiType'] === XListenerSet.__pulumiType; - } - - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - public readonly kind!: pulumi.Output<"XListenerSet">; - /** - * Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - public readonly metadata!: pulumi.Output; - public readonly spec!: pulumi.Output; - public /*out*/ readonly status!: pulumi.Output; - - /** - * Create a XListenerSet resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name: string, args?: XListenerSetArgs, opts?: pulumi.CustomResourceOptions) { - let resourceInputs: pulumi.Inputs = {}; - opts = opts || {}; - if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; - resourceInputs["kind"] = "XListenerSet"; - resourceInputs["metadata"] = args ? args.metadata : undefined; - resourceInputs["spec"] = args ? args.spec : undefined; - resourceInputs["status"] = undefined /*out*/; - } else { - resourceInputs["apiVersion"] = undefined /*out*/; - resourceInputs["kind"] = undefined /*out*/; - resourceInputs["metadata"] = undefined /*out*/; - resourceInputs["spec"] = undefined /*out*/; - resourceInputs["status"] = undefined /*out*/; - } - opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XListenerSet.__pulumiType, name, resourceInputs, opts); - } -} - -/** - * The set of arguments for constructing a XListenerSet resource. - */ -export interface XListenerSetArgs { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind?: pulumi.Input<"XListenerSet">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata?: pulumi.Input; - spec?: pulumi.Input; -} diff --git a/generated/crds/gateway/v1alpha1/xlistenerSetList.d.ts b/generated/crds/gateway/v1alpha1/xlistenerSetList.d.ts deleted file mode 100644 index 2b0dc76..0000000 --- a/generated/crds/gateway/v1alpha1/xlistenerSetList.d.ts +++ /dev/null 
@@ -1,69 +0,0 @@ -import * as pulumi from "@pulumi/pulumi"; -import * as inputs from "../../types/input"; -import * as outputs from "../../types/output"; -/** - * XListenerSetList is a list of XListenerSet - */ -export declare class XListenerSetList extends pulumi.CustomResource { - /** - * Get an existing XListenerSetList resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XListenerSetList; - /** @internal */ - static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetList"; - /** - * Returns true if the given object is an instance of XListenerSetList. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - static isInstance(obj: any): obj is XListenerSetList; - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * List of xlistenersets. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md - */ - readonly items: pulumi.Output; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - readonly kind: pulumi.Output<"XListenerSetList">; - /** - * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - readonly metadata: pulumi.Output; - /** - * Create a XListenerSetList resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name: string, args?: XListenerSetListArgs, opts?: pulumi.CustomResourceOptions); -} -/** - * The set of arguments for constructing a XListenerSetList resource. - */ -export interface XListenerSetListArgs { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * List of xlistenersets. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md - */ - items: pulumi.Input[]>; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind?: pulumi.Input<"XListenerSetList">; - /** - * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - metadata?: pulumi.Input; -} 
diff --git a/generated/crds/gateway/v1alpha1/xlistenerSetList.ts b/generated/crds/gateway/v1alpha1/xlistenerSetList.ts deleted file mode 100644 index eafa88c..0000000 --- a/generated/crds/gateway/v1alpha1/xlistenerSetList.ts +++ /dev/null 
@@ -1,105 +0,0 @@ -// *** WARNING: this file was generated by crd2pulumi. *** -// *** Do not edit by hand unless you're certain you know what you are doing! *** - -import * as pulumi from "@pulumi/pulumi"; -import * as inputs from "../../types/input"; -import * as outputs from "../../types/output"; -import * as utilities from "../../utilities"; - -/** - * XListenerSetList is a list of XListenerSet - */ -export class XListenerSetList extends pulumi.CustomResource { - /** - * Get an existing XListenerSetList resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XListenerSetList { - return new XListenerSetList(name, undefined as any, { ...opts, id: id }); - } - - /** @internal */ - public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetList'; - - /** - * Returns true if the given object is an instance of XListenerSetList. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - public static isInstance(obj: any): obj is XListenerSetList { - if (obj === undefined || obj === null) { - return false; - } - return obj['__pulumiType'] === XListenerSetList.__pulumiType; - } - - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * List of xlistenersets. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md - */ - public readonly items!: pulumi.Output; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - public readonly kind!: pulumi.Output<"XListenerSetList">; - /** - * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - public readonly metadata!: pulumi.Output; - - /** - * Create a XListenerSetList resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name: string, args?: XListenerSetListArgs, opts?: pulumi.CustomResourceOptions) { - let resourceInputs: pulumi.Inputs = {}; - opts = opts || {}; - if (!opts.id) { - if ((!args || args.items === undefined) && !opts.urn) { - throw new Error("Missing required property 'items'"); - } - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; - resourceInputs["items"] = args ? args.items : undefined; - resourceInputs["kind"] = "XListenerSetList"; - resourceInputs["metadata"] = args ? args.metadata : undefined; - } else { - resourceInputs["apiVersion"] = undefined /*out*/; - resourceInputs["items"] = undefined /*out*/; - resourceInputs["kind"] = undefined /*out*/; - resourceInputs["metadata"] = undefined /*out*/; - } - opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XListenerSetList.__pulumiType, name, resourceInputs, opts); - } -} - -/** - * The set of arguments for constructing a XListenerSetList resource. 
- */ -export interface XListenerSetListArgs { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * List of xlistenersets. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md - */ - items: pulumi.Input[]>; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind?: pulumi.Input<"XListenerSetList">; - /** - * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - metadata?: pulumi.Input; -} diff --git a/generated/crds/gateway/v1alpha1/xlistenerSetPatch.js b/generated/crds/gateway/v1alpha1/xlistenerSetPatch.js deleted file mode 100644 index c4a679c..0000000 --- a/generated/crds/gateway/v1alpha1/xlistenerSetPatch.js +++ /dev/null 
@@ -1,95 +0,0 @@ -"use strict"; -// *** WARNING: this file was generated by crd2pulumi. *** -// *** Do not edit by hand unless you're certain you know what you are doing! *** -Object.defineProperty(exports, "__esModule", { value: true }); -exports.XListenerSetPatch = void 0; -const pulumi = require("@pulumi/pulumi"); -const utilities = require("../../utilities"); -/** - * Patch resources are used to modify existing Kubernetes resources by using - * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than - * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource. - * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the - * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for - * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi. - * XListenerSet defines a set of additional listeners to attach to an existing Gateway. - * This resource provides a mechanism to merge multiple listeners into a single Gateway. - * - * The parent Gateway must explicitly allow ListenerSet attachment through its - * AllowedListeners configuration. By default, Gateways do not allow ListenerSet - * attachment. - * - * Routes can attach to a ListenerSet by specifying it as a parentRef, and can - * optionally target specific listeners using the sectionName field. 
- * - * Policy Attachment: - * - Policies that attach to a ListenerSet apply to all listeners defined in that resource - * - Policies do not impact listeners in the parent Gateway - * - Different ListenerSets attached to the same Gateway can have different policies - * - If an implementation cannot apply a policy to specific listeners, it should reject the policy - * - * ReferenceGrant Semantics: - * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets - * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners - * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant - * - * Gateway Integration: - * - The parent Gateway's status will include an "AttachedListenerSets" condition - * - This condition will be: - * - True: when AllowedListeners is set and at least one child ListenerSet is attached - * - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false - * - Unknown: when no AllowedListeners config is present - */ -class XListenerSetPatch extends pulumi.CustomResource { - /** - * Get an existing XListenerSetPatch resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - static get(name, id, opts) { - return new XListenerSetPatch(name, undefined, { ...opts, id: id }); - } - /** - * Returns true if the given object is an instance of XListenerSetPatch. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. 
- */ - static isInstance(obj) { - if (obj === undefined || obj === null) { - return false; - } - return obj['__pulumiType'] === XListenerSetPatch.__pulumiType; - } - /** - * Create a XListenerSetPatch resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name, args, opts) { - let resourceInputs = {}; - opts = opts || {}; - if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; - resourceInputs["kind"] = "XListenerSet"; - resourceInputs["metadata"] = args ? args.metadata : undefined; - resourceInputs["spec"] = args ? args.spec : undefined; - resourceInputs["status"] = undefined /*out*/; - } - else { - resourceInputs["apiVersion"] = undefined /*out*/; - resourceInputs["kind"] = undefined /*out*/; - resourceInputs["metadata"] = undefined /*out*/; - resourceInputs["spec"] = undefined /*out*/; - resourceInputs["status"] = undefined /*out*/; - } - opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XListenerSetPatch.__pulumiType, name, resourceInputs, opts); - } -} -exports.XListenerSetPatch = XListenerSetPatch; -/** @internal */ -XListenerSetPatch.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetPatch'; diff --git a/generated/crds/gateway/v1alpha1/xlistenerSetPatch.ts b/generated/crds/gateway/v1alpha1/xlistenerSetPatch.ts deleted file mode 100644 index 4243259..0000000 --- a/generated/crds/gateway/v1alpha1/xlistenerSetPatch.ts +++ /dev/null 
@@ -1,131 +0,0 @@ -// *** WARNING: this file was generated by crd2pulumi. *** -// *** Do not edit by hand unless you're certain you know what you are doing! *** - -import * as pulumi from "@pulumi/pulumi"; -import * as inputs from "../../types/input"; -import * as outputs from "../../types/output"; -import * as utilities from "../../utilities"; - -/** - * Patch resources are used to modify existing Kubernetes resources by using - * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than - * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource. - * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the - * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for - * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi. - * XListenerSet defines a set of additional listeners to attach to an existing Gateway. - * This resource provides a mechanism to merge multiple listeners into a single Gateway. - * - * The parent Gateway must explicitly allow ListenerSet attachment through its - * AllowedListeners configuration. By default, Gateways do not allow ListenerSet - * attachment. - * - * Routes can attach to a ListenerSet by specifying it as a parentRef, and can - * optionally target specific listeners using the sectionName field. 
- * - * Policy Attachment: - * - Policies that attach to a ListenerSet apply to all listeners defined in that resource - * - Policies do not impact listeners in the parent Gateway - * - Different ListenerSets attached to the same Gateway can have different policies - * - If an implementation cannot apply a policy to specific listeners, it should reject the policy - * - * ReferenceGrant Semantics: - * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets - * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners - * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant - * - * Gateway Integration: - * - The parent Gateway's status will include an "AttachedListenerSets" condition - * - This condition will be: - * - True: when AllowedListeners is set and at least one child ListenerSet is attached - * - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false - * - Unknown: when no AllowedListeners config is present - */ -export class XListenerSetPatch extends pulumi.CustomResource { - /** - * Get an existing XListenerSetPatch resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XListenerSetPatch { - return new XListenerSetPatch(name, undefined as any, { ...opts, id: id }); - } - - /** @internal */ - public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetPatch'; - - /** - * Returns true if the given object is an instance of XListenerSetPatch. 
This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - public static isInstance(obj: any): obj is XListenerSetPatch { - if (obj === undefined || obj === null) { - return false; - } - return obj['__pulumiType'] === XListenerSetPatch.__pulumiType; - } - - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - public readonly kind!: pulumi.Output<"XListenerSet">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - public readonly metadata!: pulumi.Output; - public readonly spec!: pulumi.Output; - public /*out*/ readonly status!: pulumi.Output; - - /** - * Create a XListenerSetPatch resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name: string, args?: XListenerSetPatchArgs, opts?: pulumi.CustomResourceOptions) { - let resourceInputs: pulumi.Inputs = {}; - opts = opts || {}; - if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; - resourceInputs["kind"] = "XListenerSet"; - resourceInputs["metadata"] = args ? 
args.metadata : undefined; - resourceInputs["spec"] = args ? args.spec : undefined; - resourceInputs["status"] = undefined /*out*/; - } else { - resourceInputs["apiVersion"] = undefined /*out*/; - resourceInputs["kind"] = undefined /*out*/; - resourceInputs["metadata"] = undefined /*out*/; - resourceInputs["spec"] = undefined /*out*/; - resourceInputs["status"] = undefined /*out*/; - } - opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XListenerSetPatch.__pulumiType, name, resourceInputs, opts); - } -} - -/** - * The set of arguments for constructing a XListenerSetPatch resource. - */ -export interface XListenerSetPatchArgs { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind?: pulumi.Input<"XListenerSet">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata?: pulumi.Input; - spec?: pulumi.Input; -} diff --git a/generated/crds/gateway/v1alpha1/xmesh.d.ts b/generated/crds/gateway/v1alpha1/xmesh.d.ts deleted file mode 100644 index d4bc618..0000000 --- a/generated/crds/gateway/v1alpha1/xmesh.d.ts +++ /dev/null 
@@ -1,64 +0,0 @@ -import * as pulumi from "@pulumi/pulumi"; -import * as inputs from "../../types/input"; -import * as outputs from "../../types/output"; -/** - * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh. - */ -export declare class XMesh extends pulumi.CustomResource { - /** - * Get an existing XMesh resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XMesh; - /** @internal */ - static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMesh"; - /** - * Returns true if the given object is an instance of XMesh. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - static isInstance(obj: any): obj is XMesh; - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - readonly kind: pulumi.Output<"XMesh">; - /** - * Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - readonly metadata: pulumi.Output; - readonly spec: pulumi.Output; - readonly status: pulumi.Output; - /** - * Create a XMesh resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name: string, args?: XMeshArgs, opts?: pulumi.CustomResourceOptions); -} -/** - * The set of arguments for constructing a XMesh resource. - */ -export interface XMeshArgs { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind?: pulumi.Input<"XMesh">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata?: pulumi.Input; - spec?: pulumi.Input; -} diff --git a/generated/crds/gateway/v1alpha1/xmesh.js b/generated/crds/gateway/v1alpha1/xmesh.js deleted file mode 100644 index dc69782..0000000 --- a/generated/crds/gateway/v1alpha1/xmesh.js +++ /dev/null 
@@ -1,63 +0,0 @@ -"use strict"; -// *** WARNING: this file was generated by crd2pulumi. *** -// *** Do not edit by hand unless you're certain you know what you are doing! *** -Object.defineProperty(exports, "__esModule", { value: true }); -exports.XMesh = void 0; -const pulumi = require("@pulumi/pulumi"); -const utilities = require("../../utilities"); -/** - * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh. - */ -class XMesh extends pulumi.CustomResource { - /** - * Get an existing XMesh resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - static get(name, id, opts) { - return new XMesh(name, undefined, { ...opts, id: id }); - } - /** - * Returns true if the given object is an instance of XMesh. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - static isInstance(obj) { - if (obj === undefined || obj === null) { - return false; - } - return obj['__pulumiType'] === XMesh.__pulumiType; - } - /** - * Create a XMesh resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name, args, opts) { - let resourceInputs = {}; - opts = opts || {}; - if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; - resourceInputs["kind"] = "XMesh"; - resourceInputs["metadata"] = args ? args.metadata : undefined; - resourceInputs["spec"] = args ? 
args.spec : undefined; - resourceInputs["status"] = undefined /*out*/; - } - else { - resourceInputs["apiVersion"] = undefined /*out*/; - resourceInputs["kind"] = undefined /*out*/; - resourceInputs["metadata"] = undefined /*out*/; - resourceInputs["spec"] = undefined /*out*/; - resourceInputs["status"] = undefined /*out*/; - } - opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XMesh.__pulumiType, name, resourceInputs, opts); - } -} -exports.XMesh = XMesh; -/** @internal */ -XMesh.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMesh'; diff --git a/generated/crds/gateway/v1alpha1/xmeshList.js b/generated/crds/gateway/v1alpha1/xmeshList.js deleted file mode 100644 index 44c0cac..0000000 --- a/generated/crds/gateway/v1alpha1/xmeshList.js +++ /dev/null 
@@ -1,64 +0,0 @@ -"use strict"; -// *** WARNING: this file was generated by crd2pulumi. *** -// *** Do not edit by hand unless you're certain you know what you are doing! *** -Object.defineProperty(exports, "__esModule", { value: true }); -exports.XMeshList = void 0; -const pulumi = require("@pulumi/pulumi"); -const utilities = require("../../utilities"); -/** - * XMeshList is a list of XMesh - */ -class XMeshList extends pulumi.CustomResource { - /** - * Get an existing XMeshList resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - static get(name, id, opts) { - return new XMeshList(name, undefined, { ...opts, id: id }); - } - /** - * Returns true if the given object is an instance of XMeshList. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - static isInstance(obj) { - if (obj === undefined || obj === null) { - return false; - } - return obj['__pulumiType'] === XMeshList.__pulumiType; - } - /** - * Create a XMeshList resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name, args, opts) { - let resourceInputs = {}; - opts = opts || {}; - if (!opts.id) { - if ((!args || args.items === undefined) && !opts.urn) { - throw new Error("Missing required property 'items'"); - } - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; - resourceInputs["items"] = args ? args.items : undefined; - resourceInputs["kind"] = "XMeshList"; - resourceInputs["metadata"] = args ? 
args.metadata : undefined; - } - else { - resourceInputs["apiVersion"] = undefined /*out*/; - resourceInputs["items"] = undefined /*out*/; - resourceInputs["kind"] = undefined /*out*/; - resourceInputs["metadata"] = undefined /*out*/; - } - opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XMeshList.__pulumiType, name, resourceInputs, opts); - } -} -exports.XMeshList = XMeshList; -/** @internal */ -XMeshList.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshList'; diff --git a/generated/crds/gateway/v1alpha1/xmeshPatch.d.ts b/generated/crds/gateway/v1alpha1/xmeshPatch.d.ts deleted file mode 100644 index d16ded4..0000000 --- a/generated/crds/gateway/v1alpha1/xmeshPatch.d.ts +++ /dev/null 
@@ -1,70 +0,0 @@ -import * as pulumi from "@pulumi/pulumi"; -import * as inputs from "../../types/input"; -import * as outputs from "../../types/output"; -/** - * Patch resources are used to modify existing Kubernetes resources by using - * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than - * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource. - * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the - * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for - * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi. - * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh. - */ -export declare class XMeshPatch extends pulumi.CustomResource { - /** - * Get an existing XMeshPatch resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XMeshPatch; - /** @internal */ - static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshPatch"; - /** - * Returns true if the given object is an instance of XMeshPatch. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - static isInstance(obj: any): obj is XMeshPatch; - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - readonly kind: pulumi.Output<"XMesh">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - readonly metadata: pulumi.Output; - readonly spec: pulumi.Output; - readonly status: pulumi.Output; - /** - * Create a XMeshPatch resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. - */ - constructor(name: string, args?: XMeshPatchArgs, opts?: pulumi.CustomResourceOptions); -} -/** - * The set of arguments for constructing a XMeshPatch resource. - */ -export interface XMeshPatchArgs { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind?: pulumi.Input<"XMesh">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata?: pulumi.Input; - spec?: pulumi.Input; -} diff --git a/generated/crds/gateway/v1/backendTLSPolicy.d.ts b/generated/crds/gateway/v1alpha2/backendLBPolicy.d.ts similarity index 70% rename from generated/crds/gateway/v1/backendTLSPolicy.d.ts rename to generated/crds/gateway/v1alpha2/backendLBPolicy.d.ts index 81ba223..445632c 100644 --- a/generated/crds/gateway/v1/backendTLSPolicy.d.ts +++ b/generated/crds/gateway/v1alpha2/backendLBPolicy.d.ts 
@@ -2,64 +2,64 @@ import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../../types/input"; import * as outputs from "../../types/output"; /** - * BackendTLSPolicy provides a way to configure how a Gateway - * connects to a Backend via TLS. + * BackendLBPolicy provides a way to define load balancing rules + * for a backend. */ -export declare class BackendTLSPolicy extends pulumi.CustomResource { +export declare class BackendLBPolicy extends pulumi.CustomResource { /** - * Get an existing BackendTLSPolicy resource's state with the given name, ID, and optional extra + * Get an existing BackendLBPolicy resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ - static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): BackendTLSPolicy; + static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): BackendLBPolicy; /** @internal */ - static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicy"; + static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:BackendLBPolicy"; /** - * Returns true if the given object is an instance of BackendTLSPolicy. This is designed to work even + * Returns true if the given object is an instance of BackendLBPolicy. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ - static isInstance(obj: any): obj is BackendTLSPolicy; + static isInstance(obj: any): obj is BackendLBPolicy; /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">; + readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - readonly kind: pulumi.Output<"BackendTLSPolicy">; + readonly kind: pulumi.Output<"BackendLBPolicy">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ readonly metadata: pulumi.Output; - readonly spec: pulumi.Output; - readonly status: pulumi.Output; + readonly spec: pulumi.Output; + readonly status: pulumi.Output; /** - * Create a BackendTLSPolicy resource with the given unique name, arguments, and options. + * Create a BackendLBPolicy resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ - constructor(name: string, args?: BackendTLSPolicyArgs, opts?: pulumi.CustomResourceOptions); + constructor(name: string, args?: BackendLBPolicyArgs, opts?: pulumi.CustomResourceOptions); } /** - * The set of arguments for constructing a BackendTLSPolicy resource. + * The set of arguments for constructing a BackendLBPolicy resource. */ -export interface BackendTLSPolicyArgs { +export interface BackendLBPolicyArgs { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"BackendTLSPolicy">; + kind?: pulumi.Input<"BackendLBPolicy">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ metadata?: pulumi.Input; - spec?: pulumi.Input; + spec?: pulumi.Input; } diff --git a/generated/crds/gateway/v1/backendTLSPolicy.js b/generated/crds/gateway/v1alpha2/backendLBPolicy.js similarity index 65% rename from generated/crds/gateway/v1/backendTLSPolicy.js rename to generated/crds/gateway/v1alpha2/backendLBPolicy.js index 326091e..cb8243b 100644 --- a/generated/crds/gateway/v1/backendTLSPolicy.js +++ b/generated/crds/gateway/v1alpha2/backendLBPolicy.js 
@@ -2,16 +2,16 @@ // *** WARNING: this file was generated by crd2pulumi. *** // *** Do not edit by hand unless you're certain you know what you are doing! *** Object.defineProperty(exports, "__esModule", { value: true }); -exports.BackendTLSPolicy = void 0; +exports.BackendLBPolicy = void 0; const pulumi = require("@pulumi/pulumi"); const utilities = require("../../utilities"); /** - * BackendTLSPolicy provides a way to configure how a Gateway - * connects to a Backend via TLS. + * BackendLBPolicy provides a way to define load balancing rules + * for a backend. */ -class BackendTLSPolicy extends pulumi.CustomResource { +class BackendLBPolicy extends pulumi.CustomResource { /** - * Get an existing BackendTLSPolicy resource's state with the given name, ID, and optional extra + * Get an existing BackendLBPolicy resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. 
@@ -19,20 +19,20 @@ class BackendTLSPolicy extends pulumi.CustomResource { * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name, id, opts) { - return new BackendTLSPolicy(name, undefined, { ...opts, id: id }); + return new BackendLBPolicy(name, undefined, { ...opts, id: id }); } /** - * Returns true if the given object is an instance of BackendTLSPolicy. This is designed to work even + * Returns true if the given object is an instance of BackendLBPolicy. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj) { if (obj === undefined || obj === null) { return false; } - return obj['__pulumiType'] === BackendTLSPolicy.__pulumiType; + return obj['__pulumiType'] === BackendLBPolicy.__pulumiType; } /** - * Create a BackendTLSPolicy resource with the given unique name, arguments, and options. + * Create a BackendLBPolicy resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. @@ -42,8 +42,8 @@ class BackendTLSPolicy extends pulumi.CustomResource { let resourceInputs = {}; opts = opts || {}; if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1"; - resourceInputs["kind"] = "BackendTLSPolicy"; + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; + resourceInputs["kind"] = "BackendLBPolicy"; resourceInputs["metadata"] = args ? args.metadata : undefined; resourceInputs["spec"] = args ? args.spec : undefined; resourceInputs["status"] = undefined /*out*/; 
@@ -56,11 +56,9 @@ class BackendTLSPolicy extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicy" }] }; - opts = pulumi.mergeOptions(opts, aliasOpts); - super(BackendTLSPolicy.__pulumiType, name, resourceInputs, opts); + super(BackendLBPolicy.__pulumiType, name, resourceInputs, opts); } } -exports.BackendTLSPolicy = BackendTLSPolicy; +exports.BackendLBPolicy = BackendLBPolicy; /** @internal */ -BackendTLSPolicy.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicy'; +BackendLBPolicy.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:BackendLBPolicy'; diff --git a/generated/crds/gateway/v1alpha1/xmesh.ts b/generated/crds/gateway/v1alpha2/backendLBPolicy.ts similarity index 71% rename from generated/crds/gateway/v1alpha1/xmesh.ts rename to generated/crds/gateway/v1alpha2/backendLBPolicy.ts index cc9ab6f..8bd4762 100644 --- a/generated/crds/gateway/v1alpha1/xmesh.ts +++ b/generated/crds/gateway/v1alpha2/backendLBPolicy.ts 
@@ -7,63 +7,64 @@ import * as outputs from "../../types/output"; import * as utilities from "../../utilities"; /** - * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh. + * BackendLBPolicy provides a way to define load balancing rules + * for a backend. */ -export class XMesh extends pulumi.CustomResource { +export class BackendLBPolicy extends pulumi.CustomResource { /** - * Get an existing XMesh resource's state with the given name, ID, and optional extra + * Get an existing BackendLBPolicy resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ - public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XMesh { - return new XMesh(name, undefined as any, { ...opts, id: id }); + public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): BackendLBPolicy { + return new BackendLBPolicy(name, undefined as any, { ...opts, id: id }); } /** @internal */ - public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMesh'; + public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:BackendLBPolicy'; /** - * Returns true if the given object is an instance of XMesh. This is designed to work even + * Returns true if the given object is an instance of BackendLBPolicy. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. 
*/ - public static isInstance(obj: any): obj is XMesh { + public static isInstance(obj: any): obj is BackendLBPolicy { if (obj === undefined || obj === null) { return false; } - return obj['__pulumiType'] === XMesh.__pulumiType; + return obj['__pulumiType'] === BackendLBPolicy.__pulumiType; } /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; + public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - public readonly kind!: pulumi.Output<"XMesh">; + public readonly kind!: pulumi.Output<"BackendLBPolicy">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ public readonly metadata!: pulumi.Output; - public readonly spec!: pulumi.Output; - public /*out*/ readonly status!: pulumi.Output; + public readonly spec!: pulumi.Output; + public /*out*/ readonly status!: pulumi.Output; /** - * Create a XMesh resource with the given unique name, arguments, and options. + * Create a BackendLBPolicy resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. 
*/ - constructor(name: string, args?: XMeshArgs, opts?: pulumi.CustomResourceOptions) { + constructor(name: string, args?: BackendLBPolicyArgs, opts?: pulumi.CustomResourceOptions) { let resourceInputs: pulumi.Inputs = {}; opts = opts || {}; if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; - resourceInputs["kind"] = "XMesh"; + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; + resourceInputs["kind"] = "BackendLBPolicy"; resourceInputs["metadata"] = args ? args.metadata : undefined; resourceInputs["spec"] = args ? args.spec : undefined; resourceInputs["status"] = undefined /*out*/; 
@@ -75,25 +76,25 @@ export class XMesh extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XMesh.__pulumiType, name, resourceInputs, opts); + super(BackendLBPolicy.__pulumiType, name, resourceInputs, opts); } } /** - * The set of arguments for constructing a XMesh resource. + * The set of arguments for constructing a BackendLBPolicy resource. */ -export interface XMeshArgs { +export interface BackendLBPolicyArgs { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"XMesh">; + kind?: pulumi.Input<"BackendLBPolicy">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ metadata?: pulumi.Input; - spec?: pulumi.Input; + spec?: pulumi.Input; } diff --git a/generated/crds/gateway/v1/backendTLSPolicyList.d.ts b/generated/crds/gateway/v1alpha2/backendLBPolicyList.d.ts similarity index 67% rename from generated/crds/gateway/v1/backendTLSPolicyList.d.ts rename to generated/crds/gateway/v1alpha2/backendLBPolicyList.d.ts index fb14bbb..ae60a8e 100644 --- a/generated/crds/gateway/v1/backendTLSPolicyList.d.ts +++ b/generated/crds/gateway/v1alpha2/backendLBPolicyList.d.ts 
@@ -2,66 +2,66 @@ import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../../types/input"; import * as outputs from "../../types/output"; /** - * BackendTLSPolicyList is a list of BackendTLSPolicy + * BackendLBPolicyList is a list of BackendLBPolicy */ -export declare class BackendTLSPolicyList extends pulumi.CustomResource { +export declare class BackendLBPolicyList extends pulumi.CustomResource { /** - * Get an existing BackendTLSPolicyList resource's state with the given name, ID, and optional extra + * Get an existing BackendLBPolicyList resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ - static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): BackendTLSPolicyList; + static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): BackendLBPolicyList; /** @internal */ - static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyList"; + static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:BackendLBPolicyList"; /** - * Returns true if the given object is an instance of BackendTLSPolicyList. This is designed to work even + * Returns true if the given object is an instance of BackendLBPolicyList. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ - static isInstance(obj: any): obj is BackendTLSPolicyList; + static isInstance(obj: any): obj is BackendLBPolicyList; /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">; + readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; /** - * List of backendtlspolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + * List of backendlbpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md */ - readonly items: pulumi.Output; + readonly items: pulumi.Output; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - readonly kind: pulumi.Output<"BackendTLSPolicyList">; + readonly kind: pulumi.Output<"BackendLBPolicyList">; /** * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ readonly metadata: pulumi.Output; /** - * Create a BackendTLSPolicyList resource with the given unique name, arguments, and options. + * Create a BackendLBPolicyList resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ - constructor(name: string, args?: BackendTLSPolicyListArgs, opts?: pulumi.CustomResourceOptions); + constructor(name: string, args?: BackendLBPolicyListArgs, opts?: pulumi.CustomResourceOptions); } /** - * The set of arguments for constructing a BackendTLSPolicyList resource. + * The set of arguments for constructing a BackendLBPolicyList resource. 
*/ -export interface BackendTLSPolicyListArgs { +export interface BackendLBPolicyListArgs { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** - * List of backendtlspolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + * List of backendlbpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md */ - items: pulumi.Input[]>; + items: pulumi.Input[]>; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"BackendTLSPolicyList">; + kind?: pulumi.Input<"BackendLBPolicyList">; /** * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ diff --git a/generated/crds/gateway/v1/backendTLSPolicyList.js b/generated/crds/gateway/v1alpha2/backendLBPolicyList.js similarity index 70% rename from generated/crds/gateway/v1/backendTLSPolicyList.js rename to generated/crds/gateway/v1alpha2/backendLBPolicyList.js index a2ce1cd..bb3ad02 100644 --- a/generated/crds/gateway/v1/backendTLSPolicyList.js +++ b/generated/crds/gateway/v1alpha2/backendLBPolicyList.js 
@@ -2,15 +2,15 @@ // *** WARNING: this file was generated by crd2pulumi. *** // *** Do not edit by hand unless you're certain you know what you are doing! *** Object.defineProperty(exports, "__esModule", { value: true }); -exports.BackendTLSPolicyList = void 0; +exports.BackendLBPolicyList = void 0; const pulumi = require("@pulumi/pulumi"); const utilities = require("../../utilities"); /** - * BackendTLSPolicyList is a list of BackendTLSPolicy + * BackendLBPolicyList is a list of BackendLBPolicy */ -class BackendTLSPolicyList extends pulumi.CustomResource { +class BackendLBPolicyList extends pulumi.CustomResource { /** - * Get an existing BackendTLSPolicyList resource's state with the given name, ID, and optional extra + * Get an existing BackendLBPolicyList resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. 
@@ -18,20 +18,20 @@ class BackendTLSPolicyList extends pulumi.CustomResource { * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name, id, opts) { - return new BackendTLSPolicyList(name, undefined, { ...opts, id: id }); + return new BackendLBPolicyList(name, undefined, { ...opts, id: id }); } /** - * Returns true if the given object is an instance of BackendTLSPolicyList. This is designed to work even + * Returns true if the given object is an instance of BackendLBPolicyList. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj) { if (obj === undefined || obj === null) { return false; } - return obj['__pulumiType'] === BackendTLSPolicyList.__pulumiType; + return obj['__pulumiType'] === BackendLBPolicyList.__pulumiType; } /** - * Create a BackendTLSPolicyList resource with the given unique name, arguments, and options. + * Create a BackendLBPolicyList resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. @@ -44,9 +44,9 @@ class BackendTLSPolicyList extends pulumi.CustomResource { if ((!args || args.items === undefined) && !opts.urn) { throw new Error("Missing required property 'items'"); } - resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1"; + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; resourceInputs["items"] = args ? args.items : undefined; - resourceInputs["kind"] = "BackendTLSPolicyList"; + resourceInputs["kind"] = "BackendLBPolicyList"; resourceInputs["metadata"] = args ? args.metadata : undefined; } else { 
@@ -56,9 +56,9 @@ class BackendTLSPolicyList extends pulumi.CustomResource { resourceInputs["metadata"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(BackendTLSPolicyList.__pulumiType, name, resourceInputs, opts); + super(BackendLBPolicyList.__pulumiType, name, resourceInputs, opts); } } -exports.BackendTLSPolicyList = BackendTLSPolicyList; +exports.BackendLBPolicyList = BackendLBPolicyList; /** @internal */ -BackendTLSPolicyList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyList'; +BackendLBPolicyList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:BackendLBPolicyList'; diff --git a/generated/crds/gateway/v1/backendTLSPolicyList.ts b/generated/crds/gateway/v1alpha2/backendLBPolicyList.ts similarity index 69% rename from generated/crds/gateway/v1/backendTLSPolicyList.ts rename to generated/crds/gateway/v1alpha2/backendLBPolicyList.ts index 52509ff..d6925d3 100644 --- a/generated/crds/gateway/v1/backendTLSPolicyList.ts +++ b/generated/crds/gateway/v1alpha2/backendLBPolicyList.ts 
@@ -7,69 +7,69 @@ import * as outputs from "../../types/output"; import * as utilities from "../../utilities"; /** - * BackendTLSPolicyList is a list of BackendTLSPolicy + * BackendLBPolicyList is a list of BackendLBPolicy */ -export class BackendTLSPolicyList extends pulumi.CustomResource { +export class BackendLBPolicyList extends pulumi.CustomResource { /** - * Get an existing BackendTLSPolicyList resource's state with the given name, ID, and optional extra + * Get an existing BackendLBPolicyList resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ - public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): BackendTLSPolicyList { - return new BackendTLSPolicyList(name, undefined as any, { ...opts, id: id }); + public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): BackendLBPolicyList { + return new BackendLBPolicyList(name, undefined as any, { ...opts, id: id }); } /** @internal */ - public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyList'; + public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:BackendLBPolicyList'; /** - * Returns true if the given object is an instance of BackendTLSPolicyList. This is designed to work even + * Returns true if the given object is an instance of BackendLBPolicyList. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. 
*/ - public static isInstance(obj: any): obj is BackendTLSPolicyList { + public static isInstance(obj: any): obj is BackendLBPolicyList { if (obj === undefined || obj === null) { return false; } - return obj['__pulumiType'] === BackendTLSPolicyList.__pulumiType; + return obj['__pulumiType'] === BackendLBPolicyList.__pulumiType; } /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">; + public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; /** - * List of backendtlspolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + * List of backendlbpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md */ - public readonly items!: pulumi.Output; + public readonly items!: pulumi.Output; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - public readonly kind!: pulumi.Output<"BackendTLSPolicyList">; + public readonly kind!: pulumi.Output<"BackendLBPolicyList">; /** * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ public readonly metadata!: pulumi.Output; /** - * Create a BackendTLSPolicyList resource with the given unique name, arguments, and options. + * Create a BackendLBPolicyList resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. 
* @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ - constructor(name: string, args?: BackendTLSPolicyListArgs, opts?: pulumi.CustomResourceOptions) { + constructor(name: string, args?: BackendLBPolicyListArgs, opts?: pulumi.CustomResourceOptions) { let resourceInputs: pulumi.Inputs = {}; opts = opts || {}; if (!opts.id) { if ((!args || args.items === undefined) && !opts.urn) { throw new Error("Missing required property 'items'"); } - resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1"; + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; resourceInputs["items"] = args ? args.items : undefined; - resourceInputs["kind"] = "BackendTLSPolicyList"; + resourceInputs["kind"] = "BackendLBPolicyList"; resourceInputs["metadata"] = args ? args.metadata : undefined; } else { resourceInputs["apiVersion"] = undefined /*out*/; 
@@ -78,26 +78,26 @@ export class BackendTLSPolicyList extends pulumi.CustomResource { resourceInputs["metadata"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(BackendTLSPolicyList.__pulumiType, name, resourceInputs, opts); + super(BackendLBPolicyList.__pulumiType, name, resourceInputs, opts); } } /** - * The set of arguments for constructing a BackendTLSPolicyList resource. + * The set of arguments for constructing a BackendLBPolicyList resource. */ -export interface BackendTLSPolicyListArgs { +export interface BackendLBPolicyListArgs { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** - * List of backendtlspolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + * List of backendlbpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md */ - items: pulumi.Input[]>; + items: pulumi.Input[]>; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"BackendTLSPolicyList">; + kind?: pulumi.Input<"BackendLBPolicyList">; /** * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ 
diff --git a/generated/crds/gateway/v1/backendTLSPolicyPatch.d.ts b/generated/crds/gateway/v1alpha2/backendLBPolicyPatch.d.ts similarity index 73% rename from generated/crds/gateway/v1/backendTLSPolicyPatch.d.ts rename to generated/crds/gateway/v1alpha2/backendLBPolicyPatch.d.ts index 7eca469..722e055 100644 --- a/generated/crds/gateway/v1/backendTLSPolicyPatch.d.ts +++ b/generated/crds/gateway/v1alpha2/backendLBPolicyPatch.d.ts 
@@ -8,64 +8,64 @@ import * as outputs from "../../types/output"; * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi. - * BackendTLSPolicy provides a way to configure how a Gateway - * connects to a Backend via TLS. + * BackendLBPolicy provides a way to define load balancing rules + * for a backend. */ -export declare class BackendTLSPolicyPatch extends pulumi.CustomResource { +export declare class BackendLBPolicyPatch extends pulumi.CustomResource { /** - * Get an existing BackendTLSPolicyPatch resource's state with the given name, ID, and optional extra + * Get an existing BackendLBPolicyPatch resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ - static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): BackendTLSPolicyPatch; + static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): BackendLBPolicyPatch; /** @internal */ - static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyPatch"; + static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:BackendLBPolicyPatch"; /** - * Returns true if the given object is an instance of BackendTLSPolicyPatch. This is designed to work even + * Returns true if the given object is an instance of BackendLBPolicyPatch. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. 
*/ - static isInstance(obj: any): obj is BackendTLSPolicyPatch; + static isInstance(obj: any): obj is BackendLBPolicyPatch; /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">; + readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - readonly kind: pulumi.Output<"BackendTLSPolicy">; + readonly kind: pulumi.Output<"BackendLBPolicy">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ readonly metadata: pulumi.Output; - readonly spec: pulumi.Output; - readonly status: pulumi.Output; + readonly spec: pulumi.Output; + readonly status: pulumi.Output; /** - * Create a BackendTLSPolicyPatch resource with the given unique name, arguments, and options. + * Create a BackendLBPolicyPatch resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ - constructor(name: string, args?: BackendTLSPolicyPatchArgs, opts?: pulumi.CustomResourceOptions); + constructor(name: string, args?: BackendLBPolicyPatchArgs, opts?: pulumi.CustomResourceOptions); } /** - * The set of arguments for constructing a BackendTLSPolicyPatch resource. 
+ * The set of arguments for constructing a BackendLBPolicyPatch resource. */ -export interface BackendTLSPolicyPatchArgs { +export interface BackendLBPolicyPatchArgs { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"BackendTLSPolicy">; + kind?: pulumi.Input<"BackendLBPolicy">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ metadata?: pulumi.Input; - spec?: pulumi.Input; + spec?: pulumi.Input; } diff --git a/generated/crds/gateway/v1alpha1/xmeshPatch.js b/generated/crds/gateway/v1alpha2/backendLBPolicyPatch.js similarity index 71% rename from generated/crds/gateway/v1alpha1/xmeshPatch.js rename to generated/crds/gateway/v1alpha2/backendLBPolicyPatch.js index fd9701c..2cfe2ca 100644 --- a/generated/crds/gateway/v1alpha1/xmeshPatch.js +++ b/generated/crds/gateway/v1alpha2/backendLBPolicyPatch.js @@ -2,7 +2,7 @@ // *** WARNING: this file was generated by crd2pulumi. *** // *** Do not edit by hand unless you're certain you know what you are doing! *** Object.defineProperty(exports, "__esModule", { value: true }); -exports.XMeshPatch = void 0; +exports.BackendLBPolicyPatch = void 0; const pulumi = require("@pulumi/pulumi"); const utilities = require("../../utilities"); /** 
@@ -12,11 +12,12 @@ const utilities = require("../../utilities"); * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi. - * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh. + * BackendLBPolicy provides a way to define load balancing rules + * for a backend. */ -class XMeshPatch extends pulumi.CustomResource { +class BackendLBPolicyPatch extends pulumi.CustomResource { /** - * Get an existing XMeshPatch resource's state with the given name, ID, and optional extra + * Get an existing BackendLBPolicyPatch resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. 
@@ -24,20 +25,20 @@ class XMeshPatch extends pulumi.CustomResource { * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name, id, opts) { - return new XMeshPatch(name, undefined, { ...opts, id: id }); + return new BackendLBPolicyPatch(name, undefined, { ...opts, id: id }); } /** - * Returns true if the given object is an instance of XMeshPatch. This is designed to work even + * Returns true if the given object is an instance of BackendLBPolicyPatch. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj) { if (obj === undefined || obj === null) { return false; } - return obj['__pulumiType'] === XMeshPatch.__pulumiType; + return obj['__pulumiType'] === BackendLBPolicyPatch.__pulumiType; } /** - * Create a XMeshPatch resource with the given unique name, arguments, and options. + * Create a BackendLBPolicyPatch resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. @@ -47,8 +48,8 @@ class XMeshPatch extends pulumi.CustomResource { let resourceInputs = {}; opts = opts || {}; if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; - resourceInputs["kind"] = "XMesh"; + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; + resourceInputs["kind"] = "BackendLBPolicy"; resourceInputs["metadata"] = args ? args.metadata : undefined; resourceInputs["spec"] = args ? args.spec : undefined; resourceInputs["status"] = undefined /*out*/; 
@@ -61,9 +62,9 @@ class XMeshPatch extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XMeshPatch.__pulumiType, name, resourceInputs, opts); + super(BackendLBPolicyPatch.__pulumiType, name, resourceInputs, opts); } } -exports.XMeshPatch = XMeshPatch; +exports.BackendLBPolicyPatch = BackendLBPolicyPatch; /** @internal */ -XMeshPatch.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshPatch'; +BackendLBPolicyPatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:BackendLBPolicyPatch'; diff --git a/generated/crds/gateway/v1alpha1/xmeshPatch.ts b/generated/crds/gateway/v1alpha2/backendLBPolicyPatch.ts similarity index 74% rename from generated/crds/gateway/v1alpha1/xmeshPatch.ts rename to generated/crds/gateway/v1alpha2/backendLBPolicyPatch.ts index ba3e50f..f245237 100644 --- a/generated/crds/gateway/v1alpha1/xmeshPatch.ts +++ b/generated/crds/gateway/v1alpha2/backendLBPolicyPatch.ts 
@@ -13,63 +13,64 @@ import * as utilities from "../../utilities"; * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi. - * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh. + * BackendLBPolicy provides a way to define load balancing rules + * for a backend. */ -export class XMeshPatch extends pulumi.CustomResource { +export class BackendLBPolicyPatch extends pulumi.CustomResource { /** - * Get an existing XMeshPatch resource's state with the given name, ID, and optional extra + * Get an existing BackendLBPolicyPatch resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ - public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XMeshPatch { - return new XMeshPatch(name, undefined as any, { ...opts, id: id }); + public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): BackendLBPolicyPatch { + return new BackendLBPolicyPatch(name, undefined as any, { ...opts, id: id }); } /** @internal */ - public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshPatch'; + public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:BackendLBPolicyPatch'; /** - * Returns true if the given object is an instance of XMeshPatch. This is designed to work even + * Returns true if the given object is an instance of BackendLBPolicyPatch. 
This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ - public static isInstance(obj: any): obj is XMeshPatch { + public static isInstance(obj: any): obj is BackendLBPolicyPatch { if (obj === undefined || obj === null) { return false; } - return obj['__pulumiType'] === XMeshPatch.__pulumiType; + return obj['__pulumiType'] === BackendLBPolicyPatch.__pulumiType; } /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; + public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - public readonly kind!: pulumi.Output<"XMesh">; + public readonly kind!: pulumi.Output<"BackendLBPolicy">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ public readonly metadata!: pulumi.Output; - public readonly spec!: pulumi.Output; - public /*out*/ readonly status!: pulumi.Output; + public readonly spec!: pulumi.Output; + public /*out*/ readonly status!: pulumi.Output; /** - * Create a XMeshPatch resource with the given unique name, arguments, and options. + * Create a BackendLBPolicyPatch resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. 
* @param opts A bag of options that control this resource's behavior. */ - constructor(name: string, args?: XMeshPatchArgs, opts?: pulumi.CustomResourceOptions) { + constructor(name: string, args?: BackendLBPolicyPatchArgs, opts?: pulumi.CustomResourceOptions) { let resourceInputs: pulumi.Inputs = {}; opts = opts || {}; if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; - resourceInputs["kind"] = "XMesh"; + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; + resourceInputs["kind"] = "BackendLBPolicy"; resourceInputs["metadata"] = args ? args.metadata : undefined; resourceInputs["spec"] = args ? args.spec : undefined; resourceInputs["status"] = undefined /*out*/; 
@@ -81,25 +82,25 @@ export class XMeshPatch extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XMeshPatch.__pulumiType, name, resourceInputs, opts); + super(BackendLBPolicyPatch.__pulumiType, name, resourceInputs, opts); } } /** - * The set of arguments for constructing a XMeshPatch resource. + * The set of arguments for constructing a BackendLBPolicyPatch resource. */ -export interface XMeshPatchArgs { +export interface BackendLBPolicyPatchArgs { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"XMesh">; + kind?: pulumi.Input<"BackendLBPolicy">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ metadata?: pulumi.Input; - spec?: pulumi.Input; + spec?: pulumi.Input; } diff --git a/generated/crds/gateway/v1alpha2/grpcroute.d.ts b/generated/crds/gateway/v1alpha2/grpcroute.d.ts new file mode 100644 index 0000000..cfaac00 --- /dev/null +++ b/generated/crds/gateway/v1alpha2/grpcroute.d.ts 
@@ -0,0 +1,90 @@ +import * as pulumi from "@pulumi/pulumi"; +import * as inputs from "../../types/input"; +import * as outputs from "../../types/output"; +/** + * GRPCRoute provides a way to route gRPC requests. This includes the capability + * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. + * Filters can be used to specify additional processing steps. Backends specify + * where matching requests will be routed. + * + * GRPCRoute falls under extended support within the Gateway API. Within the + * following specification, the word "MUST" indicates that an implementation + * supporting GRPCRoute must conform to the indicated requirement, but an + * implementation not supporting this route type need not follow the requirement + * unless explicitly indicated. + * + * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST + * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via + * ALPN. If the implementation does not support this, then it MUST set the + * "Accepted" condition to "False" for the affected listener with a reason of + * "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections + * with an upgrade from HTTP/1. + * + * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST + * support HTTP/2 over cleartext TCP (h2c, + * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial + * upgrade from HTTP/1.1, i.e. with prior knowledge + * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation + * does not support this, then it MUST set the "Accepted" condition to "False" + * for the affected listener with a reason of "UnsupportedProtocol". + * Implementations MAY also accept HTTP/2 connections with an upgrade from + * HTTP/1, i.e. without prior knowledge. 
+ */ +export declare class GRPCRoute extends pulumi.CustomResource { + /** + * Get an existing GRPCRoute resource's state with the given name, ID, and optional extra + * properties used to qualify the lookup. + * + * @param name The _unique_ name of the resulting resource. + * @param id The _unique_ provider ID of the resource to lookup. + * @param opts Optional settings to control the behavior of the CustomResource. + */ + static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): GRPCRoute; + /** @internal */ + static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRoute"; + /** + * Returns true if the given object is an instance of GRPCRoute. This is designed to work even + * when multiple copies of the Pulumi SDK have been loaded into the same process. + */ + static isInstance(obj: any): obj is GRPCRoute; + /** + * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + */ + readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; + /** + * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + */ + readonly kind: pulumi.Output<"GRPCRoute">; + /** + * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + */ + readonly metadata: pulumi.Output; + readonly spec: pulumi.Output; + readonly status: pulumi.Output; + /** + * Create a GRPCRoute resource with the given unique name, arguments, and options. + * + * @param name The _unique_ name of the resource. 
+ * @param args The arguments to use to populate this resource's properties. + * @param opts A bag of options that control this resource's behavior. + */ + constructor(name: string, args?: GRPCRouteArgs, opts?: pulumi.CustomResourceOptions); +} +/** + * The set of arguments for constructing a GRPCRoute resource. + */ +export interface GRPCRouteArgs { + /** + * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + */ + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; + /** + * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + */ + kind?: pulumi.Input<"GRPCRoute">; + /** + * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + */ + metadata?: pulumi.Input; + spec?: pulumi.Input; +} diff --git a/generated/crds/gateway/v1alpha2/grpcroute.js b/generated/crds/gateway/v1alpha2/grpcroute.js new file mode 100644 index 0000000..d10e060 --- /dev/null +++ b/generated/crds/gateway/v1alpha2/grpcroute.js 
@@ -0,0 +1,91 @@ +"use strict"; +// *** WARNING: this file was generated by crd2pulumi. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** +Object.defineProperty(exports, "__esModule", { value: true }); +exports.GRPCRoute = void 0; +const pulumi = require("@pulumi/pulumi"); +const utilities = require("../../utilities"); +/** + * GRPCRoute provides a way to route gRPC requests. This includes the capability + * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. + * Filters can be used to specify additional processing steps. Backends specify + * where matching requests will be routed. + * + * GRPCRoute falls under extended support within the Gateway API. Within the + * following specification, the word "MUST" indicates that an implementation + * supporting GRPCRoute must conform to the indicated requirement, but an + * implementation not supporting this route type need not follow the requirement + * unless explicitly indicated. + * + * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST + * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via + * ALPN. If the implementation does not support this, then it MUST set the + * "Accepted" condition to "False" for the affected listener with a reason of + * "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections + * with an upgrade from HTTP/1. + * + * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST + * support HTTP/2 over cleartext TCP (h2c, + * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial + * upgrade from HTTP/1.1, i.e. with prior knowledge + * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation + * does not support this, then it MUST set the "Accepted" condition to "False" + * for the affected listener with a reason of "UnsupportedProtocol". 
+ * Implementations MAY also accept HTTP/2 connections with an upgrade from + * HTTP/1, i.e. without prior knowledge. + */ +class GRPCRoute extends pulumi.CustomResource { + /** + * Get an existing GRPCRoute resource's state with the given name, ID, and optional extra + * properties used to qualify the lookup. + * + * @param name The _unique_ name of the resulting resource. + * @param id The _unique_ provider ID of the resource to lookup. + * @param opts Optional settings to control the behavior of the CustomResource. + */ + static get(name, id, opts) { + return new GRPCRoute(name, undefined, { ...opts, id: id }); + } + /** + * Returns true if the given object is an instance of GRPCRoute. This is designed to work even + * when multiple copies of the Pulumi SDK have been loaded into the same process. + */ + static isInstance(obj) { + if (obj === undefined || obj === null) { + return false; + } + return obj['__pulumiType'] === GRPCRoute.__pulumiType; + } + /** + * Create a GRPCRoute resource with the given unique name, arguments, and options. + * + * @param name The _unique_ name of the resource. + * @param args The arguments to use to populate this resource's properties. + * @param opts A bag of options that control this resource's behavior. + */ + constructor(name, args, opts) { + let resourceInputs = {}; + opts = opts || {}; + if (!opts.id) { + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; + resourceInputs["kind"] = "GRPCRoute"; + resourceInputs["metadata"] = args ? args.metadata : undefined; + resourceInputs["spec"] = args ? 
args.spec : undefined; + resourceInputs["status"] = undefined /*out*/; + } + else { + resourceInputs["apiVersion"] = undefined /*out*/; + resourceInputs["kind"] = undefined /*out*/; + resourceInputs["metadata"] = undefined /*out*/; + resourceInputs["spec"] = undefined /*out*/; + resourceInputs["status"] = undefined /*out*/; + } + opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); + const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:GRPCRoute" }] }; + opts = pulumi.mergeOptions(opts, aliasOpts); + super(GRPCRoute.__pulumiType, name, resourceInputs, opts); + } +} +exports.GRPCRoute = GRPCRoute; +/** @internal */ +GRPCRoute.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRoute'; diff --git a/generated/crds/gateway/v1/backendTLSPolicy.ts b/generated/crds/gateway/v1alpha2/grpcroute.ts similarity index 56% rename from generated/crds/gateway/v1/backendTLSPolicy.ts rename to generated/crds/gateway/v1alpha2/grpcroute.ts index 5d91fa2..67812ba 100644 --- a/generated/crds/gateway/v1/backendTLSPolicy.ts +++ b/generated/crds/gateway/v1alpha2/grpcroute.ts 
@@ -7,64 +7,89 @@ import * as outputs from "../../types/output"; import * as utilities from "../../utilities"; /** - * BackendTLSPolicy provides a way to configure how a Gateway - * connects to a Backend via TLS. + * GRPCRoute provides a way to route gRPC requests. This includes the capability + * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. + * Filters can be used to specify additional processing steps. Backends specify + * where matching requests will be routed. + * + * GRPCRoute falls under extended support within the Gateway API. Within the + * following specification, the word "MUST" indicates that an implementation + * supporting GRPCRoute must conform to the indicated requirement, but an + * implementation not supporting this route type need not follow the requirement + * unless explicitly indicated. + * + * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST + * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via + * ALPN. If the implementation does not support this, then it MUST set the + * "Accepted" condition to "False" for the affected listener with a reason of + * "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections + * with an upgrade from HTTP/1. + * + * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST + * support HTTP/2 over cleartext TCP (h2c, + * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial + * upgrade from HTTP/1.1, i.e. with prior knowledge + * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation + * does not support this, then it MUST set the "Accepted" condition to "False" + * for the affected listener with a reason of "UnsupportedProtocol". + * Implementations MAY also accept HTTP/2 connections with an upgrade from + * HTTP/1, i.e. without prior knowledge. 
*/ -export class BackendTLSPolicy extends pulumi.CustomResource { +export class GRPCRoute extends pulumi.CustomResource { /** - * Get an existing BackendTLSPolicy resource's state with the given name, ID, and optional extra + * Get an existing GRPCRoute resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ - public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): BackendTLSPolicy { - return new BackendTLSPolicy(name, undefined as any, { ...opts, id: id }); + public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): GRPCRoute { + return new GRPCRoute(name, undefined as any, { ...opts, id: id }); } /** @internal */ - public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicy'; + public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRoute'; /** - * Returns true if the given object is an instance of BackendTLSPolicy. This is designed to work even + * Returns true if the given object is an instance of GRPCRoute. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ - public static isInstance(obj: any): obj is BackendTLSPolicy { + public static isInstance(obj: any): obj is GRPCRoute { if (obj === undefined || obj === null) { return false; } - return obj['__pulumiType'] === BackendTLSPolicy.__pulumiType; + return obj['__pulumiType'] === GRPCRoute.__pulumiType; } /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">; + public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - public readonly kind!: pulumi.Output<"BackendTLSPolicy">; + public readonly kind!: pulumi.Output<"GRPCRoute">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ public readonly metadata!: pulumi.Output; - public readonly spec!: pulumi.Output; - public /*out*/ readonly status!: pulumi.Output; + public readonly spec!: pulumi.Output; + public /*out*/ readonly status!: pulumi.Output; /** - * Create a BackendTLSPolicy resource with the given unique name, arguments, and options. + * Create a GRPCRoute resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ - constructor(name: string, args?: BackendTLSPolicyArgs, opts?: pulumi.CustomResourceOptions) { + constructor(name: string, args?: GRPCRouteArgs, opts?: pulumi.CustomResourceOptions) { let resourceInputs: pulumi.Inputs = {}; opts = opts || {}; if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1"; - resourceInputs["kind"] = "BackendTLSPolicy"; + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; + resourceInputs["kind"] = "GRPCRoute"; resourceInputs["metadata"] = args ? 
args.metadata : undefined; resourceInputs["spec"] = args ? args.spec : undefined; resourceInputs["status"] = undefined /*out*/; @@ -76,27 +101,27 @@ export class BackendTLSPolicy extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicy" }] }; + const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:GRPCRoute" }] }; opts = pulumi.mergeOptions(opts, aliasOpts); - super(BackendTLSPolicy.__pulumiType, name, resourceInputs, opts); + super(GRPCRoute.__pulumiType, name, resourceInputs, opts); } } /** - * The set of arguments for constructing a BackendTLSPolicy resource. + * The set of arguments for constructing a GRPCRoute resource. */ -export interface BackendTLSPolicyArgs { +export interface GRPCRouteArgs { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"BackendTLSPolicy">; + kind?: pulumi.Input<"GRPCRoute">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ metadata?: pulumi.Input; - spec?: pulumi.Input; + spec?: pulumi.Input; } 
diff --git a/generated/crds/gateway/v1alpha3/tlsrouteList.d.ts b/generated/crds/gateway/v1alpha2/grpcrouteList.d.ts similarity index 69% rename from generated/crds/gateway/v1alpha3/tlsrouteList.d.ts rename to generated/crds/gateway/v1alpha2/grpcrouteList.d.ts index 010b8fe..2444fd4 100644 --- a/generated/crds/gateway/v1alpha3/tlsrouteList.d.ts +++ b/generated/crds/gateway/v1alpha2/grpcrouteList.d.ts 
@@ -2,66 +2,66 @@ import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../../types/input"; import * as outputs from "../../types/output"; /** - * TLSRouteList is a list of TLSRoute + * GRPCRouteList is a list of GRPCRoute */ -export declare class TLSRouteList extends pulumi.CustomResource { +export declare class GRPCRouteList extends pulumi.CustomResource { /** - * Get an existing TLSRouteList resource's state with the given name, ID, and optional extra + * Get an existing GRPCRouteList resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ - static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): TLSRouteList; + static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): GRPCRouteList; /** @internal */ - static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRouteList"; + static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRouteList"; /** - * Returns true if the given object is an instance of TLSRouteList. This is designed to work even + * Returns true if the given object is an instance of GRPCRouteList. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ - static isInstance(obj: any): obj is TLSRouteList; + static isInstance(obj: any): obj is GRPCRouteList; /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">; + readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; /** - * List of tlsroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + * List of grpcroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md */ - readonly items: pulumi.Output; + readonly items: pulumi.Output; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - readonly kind: pulumi.Output<"TLSRouteList">; + readonly kind: pulumi.Output<"GRPCRouteList">; /** * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ readonly metadata: pulumi.Output; /** - * Create a TLSRouteList resource with the given unique name, arguments, and options. + * Create a GRPCRouteList resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ - constructor(name: string, args?: TLSRouteListArgs, opts?: pulumi.CustomResourceOptions); + constructor(name: string, args?: GRPCRouteListArgs, opts?: pulumi.CustomResourceOptions); } /** - * The set of arguments for constructing a TLSRouteList resource. + * The set of arguments for constructing a GRPCRouteList resource. 
*/ -export interface TLSRouteListArgs { +export interface GRPCRouteListArgs { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** - * List of tlsroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + * List of grpcroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md */ - items: pulumi.Input[]>; + items: pulumi.Input[]>; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"TLSRouteList">; + kind?: pulumi.Input<"GRPCRouteList">; /** * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ diff --git a/generated/crds/gateway/v1alpha3/tlsrouteList.js b/generated/crds/gateway/v1alpha2/grpcrouteList.js similarity index 70% rename from generated/crds/gateway/v1alpha3/tlsrouteList.js rename to generated/crds/gateway/v1alpha2/grpcrouteList.js index 41f3575..bf2b5f3 100644 --- a/generated/crds/gateway/v1alpha3/tlsrouteList.js +++ b/generated/crds/gateway/v1alpha2/grpcrouteList.js 
@@ -2,15 +2,15 @@ // *** WARNING: this file was generated by crd2pulumi. *** // *** Do not edit by hand unless you're certain you know what you are doing! *** Object.defineProperty(exports, "__esModule", { value: true }); -exports.TLSRouteList = void 0; +exports.GRPCRouteList = void 0; const pulumi = require("@pulumi/pulumi"); const utilities = require("../../utilities"); /** - * TLSRouteList is a list of TLSRoute + * GRPCRouteList is a list of GRPCRoute */ -class TLSRouteList extends pulumi.CustomResource { +class GRPCRouteList extends pulumi.CustomResource { /** - * Get an existing TLSRouteList resource's state with the given name, ID, and optional extra + * Get an existing GRPCRouteList resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. @@ -18,20 +18,20 @@ class TLSRouteList extends pulumi.CustomResource { * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name, id, opts) { - return new TLSRouteList(name, undefined, { ...opts, id: id }); + return new GRPCRouteList(name, undefined, { ...opts, id: id }); } /** - * Returns true if the given object is an instance of TLSRouteList. This is designed to work even + * Returns true if the given object is an instance of GRPCRouteList. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj) { if (obj === undefined || obj === null) { return false; } - return obj['__pulumiType'] === TLSRouteList.__pulumiType; + return obj['__pulumiType'] === GRPCRouteList.__pulumiType; } /** - * Create a TLSRouteList resource with the given unique name, arguments, and options. + * Create a GRPCRouteList resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. 
@@ -44,9 +44,9 @@ class TLSRouteList extends pulumi.CustomResource { if ((!args || args.items === undefined) && !opts.urn) { throw new Error("Missing required property 'items'"); } - resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3"; + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; resourceInputs["items"] = args ? args.items : undefined; - resourceInputs["kind"] = "TLSRouteList"; + resourceInputs["kind"] = "GRPCRouteList"; resourceInputs["metadata"] = args ? args.metadata : undefined; } else { @@ -56,9 +56,9 @@ class TLSRouteList extends pulumi.CustomResource { resourceInputs["metadata"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(TLSRouteList.__pulumiType, name, resourceInputs, opts); + super(GRPCRouteList.__pulumiType, name, resourceInputs, opts); } } -exports.TLSRouteList = TLSRouteList; +exports.GRPCRouteList = GRPCRouteList; /** @internal */ -TLSRouteList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRouteList'; +GRPCRouteList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRouteList'; diff --git a/generated/crds/gateway/v1alpha3/tlsrouteList.ts b/generated/crds/gateway/v1alpha2/grpcrouteList.ts similarity index 72% rename from generated/crds/gateway/v1alpha3/tlsrouteList.ts rename to generated/crds/gateway/v1alpha2/grpcrouteList.ts index 20b35ce..71ba27d 100644 --- a/generated/crds/gateway/v1alpha3/tlsrouteList.ts +++ b/generated/crds/gateway/v1alpha2/grpcrouteList.ts 
@@ -7,69 +7,69 @@ import * as outputs from "../../types/output"; import * as utilities from "../../utilities"; /** - * TLSRouteList is a list of TLSRoute + * GRPCRouteList is a list of GRPCRoute */ -export class TLSRouteList extends pulumi.CustomResource { +export class GRPCRouteList extends pulumi.CustomResource { /** - * Get an existing TLSRouteList resource's state with the given name, ID, and optional extra + * Get an existing GRPCRouteList resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ - public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): TLSRouteList { - return new TLSRouteList(name, undefined as any, { ...opts, id: id }); + public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): GRPCRouteList { + return new GRPCRouteList(name, undefined as any, { ...opts, id: id }); } /** @internal */ - public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRouteList'; + public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRouteList'; /** - * Returns true if the given object is an instance of TLSRouteList. This is designed to work even + * Returns true if the given object is an instance of GRPCRouteList. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. 
*/ - public static isInstance(obj: any): obj is TLSRouteList { + public static isInstance(obj: any): obj is GRPCRouteList { if (obj === undefined || obj === null) { return false; } - return obj['__pulumiType'] === TLSRouteList.__pulumiType; + return obj['__pulumiType'] === GRPCRouteList.__pulumiType; } /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">; + public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; /** - * List of tlsroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + * List of grpcroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md */ - public readonly items!: pulumi.Output; + public readonly items!: pulumi.Output; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - public readonly kind!: pulumi.Output<"TLSRouteList">; + public readonly kind!: pulumi.Output<"GRPCRouteList">; /** * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ public readonly metadata!: pulumi.Output; /** - * Create a TLSRouteList resource with the given unique name, arguments, and options. + * Create a GRPCRouteList resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. 
* @param opts A bag of options that control this resource's behavior. */ - constructor(name: string, args?: TLSRouteListArgs, opts?: pulumi.CustomResourceOptions) { + constructor(name: string, args?: GRPCRouteListArgs, opts?: pulumi.CustomResourceOptions) { let resourceInputs: pulumi.Inputs = {}; opts = opts || {}; if (!opts.id) { if ((!args || args.items === undefined) && !opts.urn) { throw new Error("Missing required property 'items'"); } - resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3"; + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; resourceInputs["items"] = args ? args.items : undefined; - resourceInputs["kind"] = "TLSRouteList"; + resourceInputs["kind"] = "GRPCRouteList"; resourceInputs["metadata"] = args ? args.metadata : undefined; } else { resourceInputs["apiVersion"] = undefined /*out*/; 
@@ -78,26 +78,26 @@ export class TLSRouteList extends pulumi.CustomResource { resourceInputs["metadata"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(TLSRouteList.__pulumiType, name, resourceInputs, opts); + super(GRPCRouteList.__pulumiType, name, resourceInputs, opts); } } /** - * The set of arguments for constructing a TLSRouteList resource. + * The set of arguments for constructing a GRPCRouteList resource. */ -export interface TLSRouteListArgs { +export interface GRPCRouteListArgs { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** - * List of tlsroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + * List of grpcroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md */ - items: pulumi.Input[]>; + items: pulumi.Input[]>; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"TLSRouteList">; + kind?: pulumi.Input<"GRPCRouteList">; /** * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ 
diff --git a/generated/crds/gateway/v1alpha1/xlistenerSetPatch.d.ts b/generated/crds/gateway/v1alpha2/grpcroutePatch.d.ts similarity index 54% rename from generated/crds/gateway/v1alpha1/xlistenerSetPatch.d.ts rename to generated/crds/gateway/v1alpha2/grpcroutePatch.d.ts index 456ab67..6a968a2 100644 --- a/generated/crds/gateway/v1alpha1/xlistenerSetPatch.d.ts +++ b/generated/crds/gateway/v1alpha2/grpcroutePatch.d.ts 
@@ -8,89 +8,89 @@ import * as outputs from "../../types/output"; * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi. - * XListenerSet defines a set of additional listeners to attach to an existing Gateway. - * This resource provides a mechanism to merge multiple listeners into a single Gateway. + * GRPCRoute provides a way to route gRPC requests. This includes the capability + * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. + * Filters can be used to specify additional processing steps. Backends specify + * where matching requests will be routed. * - * The parent Gateway must explicitly allow ListenerSet attachment through its - * AllowedListeners configuration. By default, Gateways do not allow ListenerSet - * attachment. + * GRPCRoute falls under extended support within the Gateway API. Within the + * following specification, the word "MUST" indicates that an implementation + * supporting GRPCRoute must conform to the indicated requirement, but an + * implementation not supporting this route type need not follow the requirement + * unless explicitly indicated. * - * Routes can attach to a ListenerSet by specifying it as a parentRef, and can - * optionally target specific listeners using the sectionName field. + * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST + * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via + * ALPN. If the implementation does not support this, then it MUST set the + * "Accepted" condition to "False" for the affected listener with a reason of + * "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections + * with an upgrade from HTTP/1. 
* - * Policy Attachment: - * - Policies that attach to a ListenerSet apply to all listeners defined in that resource - * - Policies do not impact listeners in the parent Gateway - * - Different ListenerSets attached to the same Gateway can have different policies - * - If an implementation cannot apply a policy to specific listeners, it should reject the policy - * - * ReferenceGrant Semantics: - * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets - * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners - * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant - * - * Gateway Integration: - * - The parent Gateway's status will include an "AttachedListenerSets" condition - * - This condition will be: - * - True: when AllowedListeners is set and at least one child ListenerSet is attached - * - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false - * - Unknown: when no AllowedListeners config is present + * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST + * support HTTP/2 over cleartext TCP (h2c, + * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial + * upgrade from HTTP/1.1, i.e. with prior knowledge + * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation + * does not support this, then it MUST set the "Accepted" condition to "False" + * for the affected listener with a reason of "UnsupportedProtocol". + * Implementations MAY also accept HTTP/2 connections with an upgrade from + * HTTP/1, i.e. without prior knowledge. 
*/ -export declare class XListenerSetPatch extends pulumi.CustomResource { +export declare class GRPCRoutePatch extends pulumi.CustomResource { /** - * Get an existing XListenerSetPatch resource's state with the given name, ID, and optional extra + * Get an existing GRPCRoutePatch resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ - static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XListenerSetPatch; + static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): GRPCRoutePatch; /** @internal */ - static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetPatch"; + static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRoutePatch"; /** - * Returns true if the given object is an instance of XListenerSetPatch. This is designed to work even + * Returns true if the given object is an instance of GRPCRoutePatch. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ - static isInstance(obj: any): obj is XListenerSetPatch; + static isInstance(obj: any): obj is GRPCRoutePatch; /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; + readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - readonly kind: pulumi.Output<"XListenerSet">; + readonly kind: pulumi.Output<"GRPCRoute">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ readonly metadata: pulumi.Output; - readonly spec: pulumi.Output; - readonly status: pulumi.Output; + readonly spec: pulumi.Output; + readonly status: pulumi.Output; /** - * Create a XListenerSetPatch resource with the given unique name, arguments, and options. + * Create a GRPCRoutePatch resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ - constructor(name: string, args?: XListenerSetPatchArgs, opts?: pulumi.CustomResourceOptions); + constructor(name: string, args?: GRPCRoutePatchArgs, opts?: pulumi.CustomResourceOptions); } /** - * The set of arguments for constructing a XListenerSetPatch resource. + * The set of arguments for constructing a GRPCRoutePatch resource. */ -export interface XListenerSetPatchArgs { +export interface GRPCRoutePatchArgs { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"XListenerSet">; + kind?: pulumi.Input<"GRPCRoute">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ metadata?: pulumi.Input; - spec?: pulumi.Input; + spec?: pulumi.Input; } diff --git a/generated/crds/gateway/v1/backendTLSPolicyPatch.js b/generated/crds/gateway/v1alpha2/grpcroutePatch.js similarity index 52% rename from generated/crds/gateway/v1/backendTLSPolicyPatch.js rename to generated/crds/gateway/v1alpha2/grpcroutePatch.js index abb0cce..1458def 100644 --- a/generated/crds/gateway/v1/backendTLSPolicyPatch.js +++ b/generated/crds/gateway/v1alpha2/grpcroutePatch.js @@ -2,7 +2,7 @@ // *** WARNING: this file was generated by crd2pulumi. *** // *** Do not edit by hand unless you're certain you know what you are doing! *** Object.defineProperty(exports, "__esModule", { value: true }); -exports.BackendTLSPolicyPatch = void 0; +exports.GRPCRoutePatch = void 0; const pulumi = require("@pulumi/pulumi"); const utilities = require("../../utilities"); /** 
@@ -12,12 +12,37 @@ const utilities = require("../../utilities"); * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi. - * BackendTLSPolicy provides a way to configure how a Gateway - * connects to a Backend via TLS. + * GRPCRoute provides a way to route gRPC requests. This includes the capability + * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. + * Filters can be used to specify additional processing steps. Backends specify + * where matching requests will be routed. + * + * GRPCRoute falls under extended support within the Gateway API. Within the + * following specification, the word "MUST" indicates that an implementation + * supporting GRPCRoute must conform to the indicated requirement, but an + * implementation not supporting this route type need not follow the requirement + * unless explicitly indicated. + * + * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST + * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via + * ALPN. If the implementation does not support this, then it MUST set the + * "Accepted" condition to "False" for the affected listener with a reason of + * "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections + * with an upgrade from HTTP/1. + * + * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST + * support HTTP/2 over cleartext TCP (h2c, + * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial + * upgrade from HTTP/1.1, i.e. with prior knowledge + * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). 
If the implementation + * does not support this, then it MUST set the "Accepted" condition to "False" + * for the affected listener with a reason of "UnsupportedProtocol". + * Implementations MAY also accept HTTP/2 connections with an upgrade from + * HTTP/1, i.e. without prior knowledge. */ -class BackendTLSPolicyPatch extends pulumi.CustomResource { +class GRPCRoutePatch extends pulumi.CustomResource { /** - * Get an existing BackendTLSPolicyPatch resource's state with the given name, ID, and optional extra + * Get an existing GRPCRoutePatch resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. @@ -25,20 +50,20 @@ class BackendTLSPolicyPatch extends pulumi.CustomResource { * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name, id, opts) { - return new BackendTLSPolicyPatch(name, undefined, { ...opts, id: id }); + return new GRPCRoutePatch(name, undefined, { ...opts, id: id }); } /** - * Returns true if the given object is an instance of BackendTLSPolicyPatch. This is designed to work even + * Returns true if the given object is an instance of GRPCRoutePatch. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj) { if (obj === undefined || obj === null) { return false; } - return obj['__pulumiType'] === BackendTLSPolicyPatch.__pulumiType; + return obj['__pulumiType'] === GRPCRoutePatch.__pulumiType; } /** - * Create a BackendTLSPolicyPatch resource with the given unique name, arguments, and options. + * Create a GRPCRoutePatch resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. 
@@ -48,8 +73,8 @@ class BackendTLSPolicyPatch extends pulumi.CustomResource { let resourceInputs = {}; opts = opts || {}; if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1"; - resourceInputs["kind"] = "BackendTLSPolicy"; + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; + resourceInputs["kind"] = "GRPCRoute"; resourceInputs["metadata"] = args ? args.metadata : undefined; resourceInputs["spec"] = args ? args.spec : undefined; resourceInputs["status"] = undefined /*out*/; @@ -62,11 +87,11 @@ class BackendTLSPolicyPatch extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicyPatch" }] }; + const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:GRPCRoutePatch" }] }; opts = pulumi.mergeOptions(opts, aliasOpts); - super(BackendTLSPolicyPatch.__pulumiType, name, resourceInputs, opts); + super(GRPCRoutePatch.__pulumiType, name, resourceInputs, opts); } } -exports.BackendTLSPolicyPatch = BackendTLSPolicyPatch; +exports.GRPCRoutePatch = GRPCRoutePatch; /** @internal */ -BackendTLSPolicyPatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyPatch'; +GRPCRoutePatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRoutePatch'; diff --git a/generated/crds/gateway/v1/backendTLSPolicyPatch.ts b/generated/crds/gateway/v1alpha2/grpcroutePatch.ts similarity index 60% rename from generated/crds/gateway/v1/backendTLSPolicyPatch.ts rename to generated/crds/gateway/v1alpha2/grpcroutePatch.ts index fbc5981..71cea9b 100644 --- a/generated/crds/gateway/v1/backendTLSPolicyPatch.ts +++ b/generated/crds/gateway/v1alpha2/grpcroutePatch.ts 
@@ -13,64 +13,89 @@ import * as utilities from "../../utilities"; * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi. - * BackendTLSPolicy provides a way to configure how a Gateway - * connects to a Backend via TLS. + * GRPCRoute provides a way to route gRPC requests. This includes the capability + * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. + * Filters can be used to specify additional processing steps. Backends specify + * where matching requests will be routed. + * + * GRPCRoute falls under extended support within the Gateway API. Within the + * following specification, the word "MUST" indicates that an implementation + * supporting GRPCRoute must conform to the indicated requirement, but an + * implementation not supporting this route type need not follow the requirement + * unless explicitly indicated. + * + * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST + * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via + * ALPN. If the implementation does not support this, then it MUST set the + * "Accepted" condition to "False" for the affected listener with a reason of + * "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections + * with an upgrade from HTTP/1. + * + * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST + * support HTTP/2 over cleartext TCP (h2c, + * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial + * upgrade from HTTP/1.1, i.e. with prior knowledge + * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). 
If the implementation + * does not support this, then it MUST set the "Accepted" condition to "False" + * for the affected listener with a reason of "UnsupportedProtocol". + * Implementations MAY also accept HTTP/2 connections with an upgrade from + * HTTP/1, i.e. without prior knowledge. */ -export class BackendTLSPolicyPatch extends pulumi.CustomResource { +export class GRPCRoutePatch extends pulumi.CustomResource { /** - * Get an existing BackendTLSPolicyPatch resource's state with the given name, ID, and optional extra + * Get an existing GRPCRoutePatch resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ - public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): BackendTLSPolicyPatch { - return new BackendTLSPolicyPatch(name, undefined as any, { ...opts, id: id }); + public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): GRPCRoutePatch { + return new GRPCRoutePatch(name, undefined as any, { ...opts, id: id }); } /** @internal */ - public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyPatch'; + public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRoutePatch'; /** - * Returns true if the given object is an instance of BackendTLSPolicyPatch. This is designed to work even + * Returns true if the given object is an instance of GRPCRoutePatch. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. 
*/ - public static isInstance(obj: any): obj is BackendTLSPolicyPatch { + public static isInstance(obj: any): obj is GRPCRoutePatch { if (obj === undefined || obj === null) { return false; } - return obj['__pulumiType'] === BackendTLSPolicyPatch.__pulumiType; + return obj['__pulumiType'] === GRPCRoutePatch.__pulumiType; } /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">; + public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - public readonly kind!: pulumi.Output<"BackendTLSPolicy">; + public readonly kind!: pulumi.Output<"GRPCRoute">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ public readonly metadata!: pulumi.Output; - public readonly spec!: pulumi.Output; - public /*out*/ readonly status!: pulumi.Output; + public readonly spec!: pulumi.Output; + public /*out*/ readonly status!: pulumi.Output; /** - * Create a BackendTLSPolicyPatch resource with the given unique name, arguments, and options. + * Create a GRPCRoutePatch resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. 
*/ - constructor(name: string, args?: BackendTLSPolicyPatchArgs, opts?: pulumi.CustomResourceOptions) { + constructor(name: string, args?: GRPCRoutePatchArgs, opts?: pulumi.CustomResourceOptions) { let resourceInputs: pulumi.Inputs = {}; opts = opts || {}; if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1"; - resourceInputs["kind"] = "BackendTLSPolicy"; + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; + resourceInputs["kind"] = "GRPCRoute"; resourceInputs["metadata"] = args ? args.metadata : undefined; resourceInputs["spec"] = args ? args.spec : undefined; resourceInputs["status"] = undefined /*out*/; 
@@ -82,27 +107,27 @@ export class BackendTLSPolicyPatch extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicyPatch" }] }; + const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:GRPCRoutePatch" }] }; opts = pulumi.mergeOptions(opts, aliasOpts); - super(BackendTLSPolicyPatch.__pulumiType, name, resourceInputs, opts); + super(GRPCRoutePatch.__pulumiType, name, resourceInputs, opts); } } /** - * The set of arguments for constructing a BackendTLSPolicyPatch resource. + * The set of arguments for constructing a GRPCRoutePatch resource. */ -export interface BackendTLSPolicyPatchArgs { +export interface GRPCRoutePatchArgs { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"BackendTLSPolicy">; + kind?: pulumi.Input<"GRPCRoute">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ metadata?: pulumi.Input; - spec?: pulumi.Input; + spec?: pulumi.Input; } diff --git a/generated/crds/gateway/v1alpha2/index.d.ts b/generated/crds/gateway/v1alpha2/index.d.ts index f6049ab..26b1571 100644 
--- a/generated/crds/gateway/v1alpha2/index.d.ts +++ b/generated/crds/gateway/v1alpha2/index.d.ts 
@@ -1,3 +1,30 @@ +export { BackendLBPolicyArgs } from "./backendLBPolicy"; +export type BackendLBPolicy = import("./backendLBPolicy").BackendLBPolicy; +export declare const BackendLBPolicy: typeof import("./backendLBPolicy").BackendLBPolicy; +export { BackendLBPolicyListArgs } from "./backendLBPolicyList"; +export type BackendLBPolicyList = import("./backendLBPolicyList").BackendLBPolicyList; +export declare const BackendLBPolicyList: typeof import("./backendLBPolicyList").BackendLBPolicyList; +export { BackendLBPolicyPatchArgs } from "./backendLBPolicyPatch"; +export type BackendLBPolicyPatch = import("./backendLBPolicyPatch").BackendLBPolicyPatch; +export declare const BackendLBPolicyPatch: typeof import("./backendLBPolicyPatch").BackendLBPolicyPatch; +export { GRPCRouteArgs } from "./grpcroute"; +export type GRPCRoute = import("./grpcroute").GRPCRoute; +export declare const GRPCRoute: typeof import("./grpcroute").GRPCRoute; +export { GRPCRouteListArgs } from "./grpcrouteList"; +export type GRPCRouteList = import("./grpcrouteList").GRPCRouteList; +export declare const GRPCRouteList: typeof import("./grpcrouteList").GRPCRouteList; +export { GRPCRoutePatchArgs } from "./grpcroutePatch"; +export type GRPCRoutePatch = import("./grpcroutePatch").GRPCRoutePatch; +export declare const GRPCRoutePatch: typeof import("./grpcroutePatch").GRPCRoutePatch; +export { ReferenceGrantArgs } from "./referenceGrant"; +export type ReferenceGrant = import("./referenceGrant").ReferenceGrant; +export declare const ReferenceGrant: typeof import("./referenceGrant").ReferenceGrant; +export { ReferenceGrantListArgs } from "./referenceGrantList"; +export type ReferenceGrantList = import("./referenceGrantList").ReferenceGrantList; +export declare const ReferenceGrantList: typeof import("./referenceGrantList").ReferenceGrantList; +export { ReferenceGrantPatchArgs } from "./referenceGrantPatch"; +export type ReferenceGrantPatch = import("./referenceGrantPatch").ReferenceGrantPatch; +export 
declare const ReferenceGrantPatch: typeof import("./referenceGrantPatch").ReferenceGrantPatch; export { TCPRouteArgs } from "./tcproute"; export type TCPRoute = import("./tcproute").TCPRoute; export declare const TCPRoute: typeof import("./tcproute").TCPRoute; diff --git a/generated/crds/gateway/v1alpha2/index.js b/generated/crds/gateway/v1alpha2/index.js index e2d0bc8..66d0e57 100644 --- a/generated/crds/gateway/v1alpha2/index.js +++ b/generated/crds/gateway/v1alpha2/index.js 
@@ -2,9 +2,27 @@ // *** WARNING: this file was generated by crd2pulumi. *** // *** Do not edit by hand unless you're certain you know what you are doing! *** Object.defineProperty(exports, "__esModule", { value: true }); -exports.UDPRoutePatch = exports.UDPRouteList = exports.UDPRoute = exports.TLSRoutePatch = exports.TLSRouteList = exports.TLSRoute = exports.TCPRoutePatch = exports.TCPRouteList = exports.TCPRoute = void 0; +exports.UDPRoutePatch = exports.UDPRouteList = exports.UDPRoute = exports.TLSRoutePatch = exports.TLSRouteList = exports.TLSRoute = exports.TCPRoutePatch = exports.TCPRouteList = exports.TCPRoute = exports.ReferenceGrantPatch = exports.ReferenceGrantList = exports.ReferenceGrant = exports.GRPCRoutePatch = exports.GRPCRouteList = exports.GRPCRoute = exports.BackendLBPolicyPatch = exports.BackendLBPolicyList = exports.BackendLBPolicy = void 0; const pulumi = require("@pulumi/pulumi"); const utilities = require("../../utilities"); +exports.BackendLBPolicy = null; +utilities.lazyLoad(exports, ["BackendLBPolicy"], () => require("./backendLBPolicy")); +exports.BackendLBPolicyList = null; +utilities.lazyLoad(exports, ["BackendLBPolicyList"], () => require("./backendLBPolicyList")); +exports.BackendLBPolicyPatch = null; +utilities.lazyLoad(exports, ["BackendLBPolicyPatch"], () => require("./backendLBPolicyPatch")); +exports.GRPCRoute = null; +utilities.lazyLoad(exports, ["GRPCRoute"], () => require("./grpcroute")); +exports.GRPCRouteList = null; +utilities.lazyLoad(exports, ["GRPCRouteList"], () => require("./grpcrouteList")); +exports.GRPCRoutePatch = null; +utilities.lazyLoad(exports, ["GRPCRoutePatch"], () => require("./grpcroutePatch")); +exports.ReferenceGrant = null; +utilities.lazyLoad(exports, ["ReferenceGrant"], () => require("./referenceGrant")); +exports.ReferenceGrantList = null; +utilities.lazyLoad(exports, ["ReferenceGrantList"], () => require("./referenceGrantList")); +exports.ReferenceGrantPatch = null; +utilities.lazyLoad(exports, 
["ReferenceGrantPatch"], () => require("./referenceGrantPatch")); exports.TCPRoute = null; utilities.lazyLoad(exports, ["TCPRoute"], () => require("./tcproute")); exports.TCPRouteList = null; @@ -27,6 +45,24 @@ const _module = { version: utilities.getVersion(), construct: (name, type, urn) => { switch (type) { + case "kubernetes:gateway.networking.k8s.io/v1alpha2:BackendLBPolicy": + return new exports.BackendLBPolicy(name, undefined, { urn }); + case "kubernetes:gateway.networking.k8s.io/v1alpha2:BackendLBPolicyList": + return new exports.BackendLBPolicyList(name, undefined, { urn }); + case "kubernetes:gateway.networking.k8s.io/v1alpha2:BackendLBPolicyPatch": + return new exports.BackendLBPolicyPatch(name, undefined, { urn }); + case "kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRoute": + return new exports.GRPCRoute(name, undefined, { urn }); + case "kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRouteList": + return new exports.GRPCRouteList(name, undefined, { urn }); + case "kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRoutePatch": + return new exports.GRPCRoutePatch(name, undefined, { urn }); + case "kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrant": + return new exports.ReferenceGrant(name, undefined, { urn }); + case "kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrantList": + return new exports.ReferenceGrantList(name, undefined, { urn }); + case "kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrantPatch": + return new exports.ReferenceGrantPatch(name, undefined, { urn }); case "kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRoute": return new exports.TCPRoute(name, undefined, { urn }); case "kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRouteList": diff --git a/generated/crds/gateway/v1alpha2/index.ts b/generated/crds/gateway/v1alpha2/index.ts index 1845db4..bcaaf00 100644 --- a/generated/crds/gateway/v1alpha2/index.ts +++ b/generated/crds/gateway/v1alpha2/index.ts 
@@ -5,6 +5,51 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../../utilities"; // Export members: +export { BackendLBPolicyArgs } from "./backendLBPolicy"; +export type BackendLBPolicy = import("./backendLBPolicy").BackendLBPolicy; +export const BackendLBPolicy: typeof import("./backendLBPolicy").BackendLBPolicy = null as any; +utilities.lazyLoad(exports, ["BackendLBPolicy"], () => require("./backendLBPolicy")); + +export { BackendLBPolicyListArgs } from "./backendLBPolicyList"; +export type BackendLBPolicyList = import("./backendLBPolicyList").BackendLBPolicyList; +export const BackendLBPolicyList: typeof import("./backendLBPolicyList").BackendLBPolicyList = null as any; +utilities.lazyLoad(exports, ["BackendLBPolicyList"], () => require("./backendLBPolicyList")); + +export { BackendLBPolicyPatchArgs } from "./backendLBPolicyPatch"; +export type BackendLBPolicyPatch = import("./backendLBPolicyPatch").BackendLBPolicyPatch; +export const BackendLBPolicyPatch: typeof import("./backendLBPolicyPatch").BackendLBPolicyPatch = null as any; +utilities.lazyLoad(exports, ["BackendLBPolicyPatch"], () => require("./backendLBPolicyPatch")); + +export { GRPCRouteArgs } from "./grpcroute"; +export type GRPCRoute = import("./grpcroute").GRPCRoute; +export const GRPCRoute: typeof import("./grpcroute").GRPCRoute = null as any; +utilities.lazyLoad(exports, ["GRPCRoute"], () => require("./grpcroute")); + +export { GRPCRouteListArgs } from "./grpcrouteList"; +export type GRPCRouteList = import("./grpcrouteList").GRPCRouteList; +export const GRPCRouteList: typeof import("./grpcrouteList").GRPCRouteList = null as any; +utilities.lazyLoad(exports, ["GRPCRouteList"], () => require("./grpcrouteList")); + +export { GRPCRoutePatchArgs } from "./grpcroutePatch"; +export type GRPCRoutePatch = import("./grpcroutePatch").GRPCRoutePatch; +export const GRPCRoutePatch: typeof import("./grpcroutePatch").GRPCRoutePatch = null as any; +utilities.lazyLoad(exports, 
["GRPCRoutePatch"], () => require("./grpcroutePatch")); + +export { ReferenceGrantArgs } from "./referenceGrant"; +export type ReferenceGrant = import("./referenceGrant").ReferenceGrant; +export const ReferenceGrant: typeof import("./referenceGrant").ReferenceGrant = null as any; +utilities.lazyLoad(exports, ["ReferenceGrant"], () => require("./referenceGrant")); + +export { ReferenceGrantListArgs } from "./referenceGrantList"; +export type ReferenceGrantList = import("./referenceGrantList").ReferenceGrantList; +export const ReferenceGrantList: typeof import("./referenceGrantList").ReferenceGrantList = null as any; +utilities.lazyLoad(exports, ["ReferenceGrantList"], () => require("./referenceGrantList")); + +export { ReferenceGrantPatchArgs } from "./referenceGrantPatch"; +export type ReferenceGrantPatch = import("./referenceGrantPatch").ReferenceGrantPatch; +export const ReferenceGrantPatch: typeof import("./referenceGrantPatch").ReferenceGrantPatch = null as any; +utilities.lazyLoad(exports, ["ReferenceGrantPatch"], () => require("./referenceGrantPatch")); + export { TCPRouteArgs } from "./tcproute"; export type TCPRoute = import("./tcproute").TCPRoute; export const TCPRoute: typeof import("./tcproute").TCPRoute = null as any; 
@@ -55,6 +100,24 @@ const _module = { version: utilities.getVersion(), construct: (name: string, type: string, urn: string): pulumi.Resource => { switch (type) { + case "kubernetes:gateway.networking.k8s.io/v1alpha2:BackendLBPolicy": + return new BackendLBPolicy(name, undefined, { urn }) + case "kubernetes:gateway.networking.k8s.io/v1alpha2:BackendLBPolicyList": + return new BackendLBPolicyList(name, undefined, { urn }) + case "kubernetes:gateway.networking.k8s.io/v1alpha2:BackendLBPolicyPatch": + return new BackendLBPolicyPatch(name, undefined, { urn }) + case "kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRoute": + return new GRPCRoute(name, undefined, { urn }) + case "kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRouteList": + return new GRPCRouteList(name, undefined, { urn }) + case "kubernetes:gateway.networking.k8s.io/v1alpha2:GRPCRoutePatch": + return new GRPCRoutePatch(name, undefined, { urn }) + case "kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrant": + return new ReferenceGrant(name, undefined, { urn }) + case "kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrantList": + return new ReferenceGrantList(name, undefined, { urn }) + case "kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrantPatch": + return new ReferenceGrantPatch(name, undefined, { urn }) case "kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRoute": return new TCPRoute(name, undefined, { urn }) case "kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRouteList": diff --git a/generated/crds/gateway/v1alpha3/tlsroute.d.ts b/generated/crds/gateway/v1alpha2/referenceGrant.d.ts similarity index 55% rename from generated/crds/gateway/v1alpha3/tlsroute.d.ts rename to generated/crds/gateway/v1alpha2/referenceGrant.d.ts index 0fcb88c..d875f8f 100644 --- a/generated/crds/gateway/v1alpha3/tlsroute.d.ts +++ b/generated/crds/gateway/v1alpha2/referenceGrant.d.ts 
@@ -2,68 +2,81 @@ import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../../types/input"; import * as outputs from "../../types/output"; /** - * The TLSRoute resource is similar to TCPRoute, but can be configured - * to match against TLS-specific metadata. This allows more flexibility - * in matching streams for a given TLS listener. + * ReferenceGrant identifies kinds of resources in other namespaces that are + * trusted to reference the specified kinds of resources in the same namespace + * as the policy. * - * If you need to forward traffic to a single target for a TLS listener, you - * could choose to use a TCPRoute with a TLS listener. + * Each ReferenceGrant can be used to represent a unique trust relationship. + * Additional Reference Grants can be used to add to the set of trusted + * sources of inbound references for the namespace they are defined within. + * + * A ReferenceGrant is required for all cross-namespace references in Gateway API + * (with the exception of cross-namespace Route-Gateway attachment, which is + * governed by the AllowedRoutes configuration on the Gateway, and cross-namespace + * Service ParentRefs on a "consumer" mesh Route, which defines routing rules + * applicable only to workloads in the Route namespace). ReferenceGrants allowing + * a reference from a Route to a Service are only applicable to BackendRefs. + * + * ReferenceGrant is a form of runtime verification allowing users to assert + * which cross-namespace object references are permitted. Implementations that + * support ReferenceGrant MUST NOT permit cross-namespace references which have + * no grant, and MUST respond to the removal of a grant by revoking the access + * that the grant allowed. 
*/ -export declare class TLSRoute extends pulumi.CustomResource { +export declare class ReferenceGrant extends pulumi.CustomResource { /** - * Get an existing TLSRoute resource's state with the given name, ID, and optional extra + * Get an existing ReferenceGrant resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ - static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): TLSRoute; + static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): ReferenceGrant; /** @internal */ - static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoute"; + static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrant"; /** - * Returns true if the given object is an instance of TLSRoute. This is designed to work even + * Returns true if the given object is an instance of ReferenceGrant. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ - static isInstance(obj: any): obj is TLSRoute; + static isInstance(obj: any): obj is ReferenceGrant; /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">; + readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - readonly kind: pulumi.Output<"TLSRoute">; + readonly kind: pulumi.Output<"ReferenceGrant">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ readonly metadata: pulumi.Output; - readonly spec: pulumi.Output; - readonly status: pulumi.Output; + readonly spec: pulumi.Output; /** - * Create a TLSRoute resource with the given unique name, arguments, and options. + * Create a ReferenceGrant resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ - constructor(name: string, args?: TLSRouteArgs, opts?: pulumi.CustomResourceOptions); + constructor(name: string, args?: ReferenceGrantArgs, opts?: pulumi.CustomResourceOptions); } /** - * The set of arguments for constructing a TLSRoute resource. + * The set of arguments for constructing a ReferenceGrant resource. */ -export interface TLSRouteArgs { +export interface ReferenceGrantArgs { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"TLSRoute">; + kind?: pulumi.Input<"ReferenceGrant">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ metadata?: pulumi.Input; - spec?: pulumi.Input; + spec?: pulumi.Input; } diff --git a/generated/crds/gateway/v1alpha2/referenceGrant.js b/generated/crds/gateway/v1alpha2/referenceGrant.js new file mode 100644 index 0000000..3cde596 --- /dev/null +++ b/generated/crds/gateway/v1alpha2/referenceGrant.js 
@@ -0,0 +1,82 @@ +"use strict"; +// *** WARNING: this file was generated by crd2pulumi. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** +Object.defineProperty(exports, "__esModule", { value: true }); +exports.ReferenceGrant = void 0; +const pulumi = require("@pulumi/pulumi"); +const utilities = require("../../utilities"); +/** + * ReferenceGrant identifies kinds of resources in other namespaces that are + * trusted to reference the specified kinds of resources in the same namespace + * as the policy. + * + * Each ReferenceGrant can be used to represent a unique trust relationship. + * Additional Reference Grants can be used to add to the set of trusted + * sources of inbound references for the namespace they are defined within. + * + * A ReferenceGrant is required for all cross-namespace references in Gateway API + * (with the exception of cross-namespace Route-Gateway attachment, which is + * governed by the AllowedRoutes configuration on the Gateway, and cross-namespace + * Service ParentRefs on a "consumer" mesh Route, which defines routing rules + * applicable only to workloads in the Route namespace). ReferenceGrants allowing + * a reference from a Route to a Service are only applicable to BackendRefs. + * + * ReferenceGrant is a form of runtime verification allowing users to assert + * which cross-namespace object references are permitted. Implementations that + * support ReferenceGrant MUST NOT permit cross-namespace references which have + * no grant, and MUST respond to the removal of a grant by revoking the access + * that the grant allowed. + */ +class ReferenceGrant extends pulumi.CustomResource { + /** + * Get an existing ReferenceGrant resource's state with the given name, ID, and optional extra + * properties used to qualify the lookup. + * + * @param name The _unique_ name of the resulting resource. + * @param id The _unique_ provider ID of the resource to lookup. 
+ * @param opts Optional settings to control the behavior of the CustomResource. + */ + static get(name, id, opts) { + return new ReferenceGrant(name, undefined, { ...opts, id: id }); + } + /** + * Returns true if the given object is an instance of ReferenceGrant. This is designed to work even + * when multiple copies of the Pulumi SDK have been loaded into the same process. + */ + static isInstance(obj) { + if (obj === undefined || obj === null) { + return false; + } + return obj['__pulumiType'] === ReferenceGrant.__pulumiType; + } + /** + * Create a ReferenceGrant resource with the given unique name, arguments, and options. + * + * @param name The _unique_ name of the resource. + * @param args The arguments to use to populate this resource's properties. + * @param opts A bag of options that control this resource's behavior. + */ + constructor(name, args, opts) { + let resourceInputs = {}; + opts = opts || {}; + if (!opts.id) { + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; + resourceInputs["kind"] = "ReferenceGrant"; + resourceInputs["metadata"] = args ? args.metadata : undefined; + resourceInputs["spec"] = args ? args.spec : undefined; + } + else { + resourceInputs["apiVersion"] = undefined /*out*/; + resourceInputs["kind"] = undefined /*out*/; + resourceInputs["metadata"] = undefined /*out*/; + resourceInputs["spec"] = undefined /*out*/; + } + opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); + const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrant" }] }; + opts = pulumi.mergeOptions(opts, aliasOpts); + super(ReferenceGrant.__pulumiType, name, resourceInputs, opts); + } +} +exports.ReferenceGrant = ReferenceGrant; +/** @internal */ +ReferenceGrant.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrant'; 
diff --git a/generated/crds/gateway/v1alpha3/tlsroute.ts b/generated/crds/gateway/v1alpha2/referenceGrant.ts similarity index 60% rename from generated/crds/gateway/v1alpha3/tlsroute.ts rename to generated/crds/gateway/v1alpha2/referenceGrant.ts index bb339be..c2783de 100644 --- a/generated/crds/gateway/v1alpha3/tlsroute.ts +++ b/generated/crds/gateway/v1alpha2/referenceGrant.ts 
@@ -7,100 +7,111 @@ import * as outputs from "../../types/output"; import * as utilities from "../../utilities"; /** - * The TLSRoute resource is similar to TCPRoute, but can be configured - * to match against TLS-specific metadata. This allows more flexibility - * in matching streams for a given TLS listener. + * ReferenceGrant identifies kinds of resources in other namespaces that are + * trusted to reference the specified kinds of resources in the same namespace + * as the policy. * - * If you need to forward traffic to a single target for a TLS listener, you - * could choose to use a TCPRoute with a TLS listener. + * Each ReferenceGrant can be used to represent a unique trust relationship. + * Additional Reference Grants can be used to add to the set of trusted + * sources of inbound references for the namespace they are defined within. + * + * A ReferenceGrant is required for all cross-namespace references in Gateway API + * (with the exception of cross-namespace Route-Gateway attachment, which is + * governed by the AllowedRoutes configuration on the Gateway, and cross-namespace + * Service ParentRefs on a "consumer" mesh Route, which defines routing rules + * applicable only to workloads in the Route namespace). ReferenceGrants allowing + * a reference from a Route to a Service are only applicable to BackendRefs. + * + * ReferenceGrant is a form of runtime verification allowing users to assert + * which cross-namespace object references are permitted. Implementations that + * support ReferenceGrant MUST NOT permit cross-namespace references which have + * no grant, and MUST respond to the removal of a grant by revoking the access + * that the grant allowed. 
*/ -export class TLSRoute extends pulumi.CustomResource { +export class ReferenceGrant extends pulumi.CustomResource { /** - * Get an existing TLSRoute resource's state with the given name, ID, and optional extra + * Get an existing ReferenceGrant resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ - public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): TLSRoute { - return new TLSRoute(name, undefined as any, { ...opts, id: id }); + public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): ReferenceGrant { + return new ReferenceGrant(name, undefined as any, { ...opts, id: id }); } /** @internal */ - public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoute'; + public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrant'; /** - * Returns true if the given object is an instance of TLSRoute. This is designed to work even + * Returns true if the given object is an instance of ReferenceGrant. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ - public static isInstance(obj: any): obj is TLSRoute { + public static isInstance(obj: any): obj is ReferenceGrant { if (obj === undefined || obj === null) { return false; } - return obj['__pulumiType'] === TLSRoute.__pulumiType; + return obj['__pulumiType'] === ReferenceGrant.__pulumiType; } /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">; + public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - public readonly kind!: pulumi.Output<"TLSRoute">; + public readonly kind!: pulumi.Output<"ReferenceGrant">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ public readonly metadata!: pulumi.Output; - public readonly spec!: pulumi.Output; - public /*out*/ readonly status!: pulumi.Output; + public readonly spec!: pulumi.Output; /** - * Create a TLSRoute resource with the given unique name, arguments, and options. + * Create a ReferenceGrant resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ - constructor(name: string, args?: TLSRouteArgs, opts?: pulumi.CustomResourceOptions) { + constructor(name: string, args?: ReferenceGrantArgs, opts?: pulumi.CustomResourceOptions) { let resourceInputs: pulumi.Inputs = {}; opts = opts || {}; if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3"; - resourceInputs["kind"] = "TLSRoute"; + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; + resourceInputs["kind"] = "ReferenceGrant"; resourceInputs["metadata"] = args ? args.metadata : undefined; resourceInputs["spec"] = args ? 
args.spec : undefined; - resourceInputs["status"] = undefined /*out*/; } else { resourceInputs["apiVersion"] = undefined /*out*/; resourceInputs["kind"] = undefined /*out*/; resourceInputs["metadata"] = undefined /*out*/; resourceInputs["spec"] = undefined /*out*/; - resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoute" }] }; + const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrant" }] }; opts = pulumi.mergeOptions(opts, aliasOpts); - super(TLSRoute.__pulumiType, name, resourceInputs, opts); + super(ReferenceGrant.__pulumiType, name, resourceInputs, opts); } } /** - * The set of arguments for constructing a TLSRoute resource. + * The set of arguments for constructing a ReferenceGrant resource. */ -export interface TLSRouteArgs { +export interface ReferenceGrantArgs { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"TLSRoute">; + kind?: pulumi.Input<"ReferenceGrant">; /** * Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ metadata?: pulumi.Input; - spec?: pulumi.Input; + spec?: pulumi.Input; } diff --git a/generated/crds/gateway/v1alpha1/xmeshList.d.ts b/generated/crds/gateway/v1alpha2/referenceGrantList.d.ts similarity index 64% rename from generated/crds/gateway/v1alpha1/xmeshList.d.ts rename to generated/crds/gateway/v1alpha2/referenceGrantList.d.ts index 838948b..1158116 100644 --- a/generated/crds/gateway/v1alpha1/xmeshList.d.ts +++ b/generated/crds/gateway/v1alpha2/referenceGrantList.d.ts 
@@ -2,66 +2,66 @@ import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../../types/input"; import * as outputs from "../../types/output"; /** - * XMeshList is a list of XMesh + * ReferenceGrantList is a list of ReferenceGrant */ -export declare class XMeshList extends pulumi.CustomResource { +export declare class ReferenceGrantList extends pulumi.CustomResource { /** - * Get an existing XMeshList resource's state with the given name, ID, and optional extra + * Get an existing ReferenceGrantList resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ - static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XMeshList; + static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): ReferenceGrantList; /** @internal */ - static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshList"; + static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrantList"; /** - * Returns true if the given object is an instance of XMeshList. This is designed to work even + * Returns true if the given object is an instance of ReferenceGrantList. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ - static isInstance(obj: any): obj is XMeshList; + static isInstance(obj: any): obj is ReferenceGrantList; /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; + readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; /** - * List of xmeshes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + * List of referencegrants. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md */ - readonly items: pulumi.Output; + readonly items: pulumi.Output; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - readonly kind: pulumi.Output<"XMeshList">; + readonly kind: pulumi.Output<"ReferenceGrantList">; /** * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ readonly metadata: pulumi.Output; /** - * Create a XMeshList resource with the given unique name, arguments, and options. + * Create a ReferenceGrantList resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ - constructor(name: string, args?: XMeshListArgs, opts?: pulumi.CustomResourceOptions); + constructor(name: string, args?: ReferenceGrantListArgs, opts?: pulumi.CustomResourceOptions); } /** - * The set of arguments for constructing a XMeshList resource. + * The set of arguments for constructing a ReferenceGrantList resource. 
*/ -export interface XMeshListArgs { +export interface ReferenceGrantListArgs { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** - * List of xmeshes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + * List of referencegrants. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md */ - items: pulumi.Input[]>; + items: pulumi.Input[]>; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"XMeshList">; + kind?: pulumi.Input<"ReferenceGrantList">; /** * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ diff --git a/generated/crds/gateway/v1alpha1/xlistenerSetList.js b/generated/crds/gateway/v1alpha2/referenceGrantList.js similarity index 66% rename from generated/crds/gateway/v1alpha1/xlistenerSetList.js rename to generated/crds/gateway/v1alpha2/referenceGrantList.js index 3e2db37..278029b 100644 --- a/generated/crds/gateway/v1alpha1/xlistenerSetList.js +++ b/generated/crds/gateway/v1alpha2/referenceGrantList.js 
@@ -2,15 +2,15 @@ // *** WARNING: this file was generated by crd2pulumi. *** // *** Do not edit by hand unless you're certain you know what you are doing! *** Object.defineProperty(exports, "__esModule", { value: true }); -exports.XListenerSetList = void 0; +exports.ReferenceGrantList = void 0; const pulumi = require("@pulumi/pulumi"); const utilities = require("../../utilities"); /** - * XListenerSetList is a list of XListenerSet + * ReferenceGrantList is a list of ReferenceGrant */ -class XListenerSetList extends pulumi.CustomResource { +class ReferenceGrantList extends pulumi.CustomResource { /** - * Get an existing XListenerSetList resource's state with the given name, ID, and optional extra + * Get an existing ReferenceGrantList resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. 
@@ -18,20 +18,20 @@ class XListenerSetList extends pulumi.CustomResource { * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name, id, opts) { - return new XListenerSetList(name, undefined, { ...opts, id: id }); + return new ReferenceGrantList(name, undefined, { ...opts, id: id }); } /** - * Returns true if the given object is an instance of XListenerSetList. This is designed to work even + * Returns true if the given object is an instance of ReferenceGrantList. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj) { if (obj === undefined || obj === null) { return false; } - return obj['__pulumiType'] === XListenerSetList.__pulumiType; + return obj['__pulumiType'] === ReferenceGrantList.__pulumiType; } /** - * Create a XListenerSetList resource with the given unique name, arguments, and options. + * Create a ReferenceGrantList resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. @@ -44,9 +44,9 @@ class XListenerSetList extends pulumi.CustomResource { if ((!args || args.items === undefined) && !opts.urn) { throw new Error("Missing required property 'items'"); } - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; resourceInputs["items"] = args ? args.items : undefined; - resourceInputs["kind"] = "XListenerSetList"; + resourceInputs["kind"] = "ReferenceGrantList"; resourceInputs["metadata"] = args ? args.metadata : undefined; } else { 
@@ -56,9 +56,9 @@ class XListenerSetList extends pulumi.CustomResource { resourceInputs["metadata"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XListenerSetList.__pulumiType, name, resourceInputs, opts); + super(ReferenceGrantList.__pulumiType, name, resourceInputs, opts); } } -exports.XListenerSetList = XListenerSetList; +exports.ReferenceGrantList = ReferenceGrantList; /** @internal */ -XListenerSetList.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetList'; +ReferenceGrantList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrantList'; diff --git a/generated/crds/gateway/v1alpha1/xmeshList.ts b/generated/crds/gateway/v1alpha2/referenceGrantList.ts similarity index 68% rename from generated/crds/gateway/v1alpha1/xmeshList.ts rename to generated/crds/gateway/v1alpha2/referenceGrantList.ts index d771bb5..b7415f2 100644 --- a/generated/crds/gateway/v1alpha1/xmeshList.ts +++ b/generated/crds/gateway/v1alpha2/referenceGrantList.ts 
@@ -7,69 +7,69 @@ import * as outputs from "../../types/output"; import * as utilities from "../../utilities"; /** - * XMeshList is a list of XMesh + * ReferenceGrantList is a list of ReferenceGrant */ -export class XMeshList extends pulumi.CustomResource { +export class ReferenceGrantList extends pulumi.CustomResource { /** - * Get an existing XMeshList resource's state with the given name, ID, and optional extra + * Get an existing ReferenceGrantList resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ - public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): XMeshList { - return new XMeshList(name, undefined as any, { ...opts, id: id }); + public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): ReferenceGrantList { + return new ReferenceGrantList(name, undefined as any, { ...opts, id: id }); } /** @internal */ - public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshList'; + public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrantList'; /** - * Returns true if the given object is an instance of XMeshList. This is designed to work even + * Returns true if the given object is an instance of ReferenceGrantList. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. 
*/ - public static isInstance(obj: any): obj is XMeshList { + public static isInstance(obj: any): obj is ReferenceGrantList { if (obj === undefined || obj === null) { return false; } - return obj['__pulumiType'] === XMeshList.__pulumiType; + return obj['__pulumiType'] === ReferenceGrantList.__pulumiType; } /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">; + public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; /** - * List of xmeshes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + * List of referencegrants. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md */ - public readonly items!: pulumi.Output; + public readonly items!: pulumi.Output; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - public readonly kind!: pulumi.Output<"XMeshList">; + public readonly kind!: pulumi.Output<"ReferenceGrantList">; /** * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ public readonly metadata!: pulumi.Output; /** - * Create a XMeshList resource with the given unique name, arguments, and options. + * Create a ReferenceGrantList resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. 
* @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ - constructor(name: string, args?: XMeshListArgs, opts?: pulumi.CustomResourceOptions) { + constructor(name: string, args?: ReferenceGrantListArgs, opts?: pulumi.CustomResourceOptions) { let resourceInputs: pulumi.Inputs = {}; opts = opts || {}; if (!opts.id) { if ((!args || args.items === undefined) && !opts.urn) { throw new Error("Missing required property 'items'"); } - resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1"; + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; resourceInputs["items"] = args ? args.items : undefined; - resourceInputs["kind"] = "XMeshList"; + resourceInputs["kind"] = "ReferenceGrantList"; resourceInputs["metadata"] = args ? args.metadata : undefined; } else { resourceInputs["apiVersion"] = undefined /*out*/; 
@@ -78,26 +78,26 @@ export class XMeshList extends pulumi.CustomResource { resourceInputs["metadata"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - super(XMeshList.__pulumiType, name, resourceInputs, opts); + super(ReferenceGrantList.__pulumiType, name, resourceInputs, opts); } } /** - * The set of arguments for constructing a XMeshList resource. + * The set of arguments for constructing a ReferenceGrantList resource. */ -export interface XMeshListArgs { +export interface ReferenceGrantListArgs { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** - * List of xmeshes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + * List of referencegrants. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md */ - items: pulumi.Input[]>; + items: pulumi.Input[]>; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"XMeshList">; + kind?: pulumi.Input<"ReferenceGrantList">; /** * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ 
diff --git a/generated/crds/gateway/v1alpha3/tlsroutePatch.d.ts b/generated/crds/gateway/v1alpha2/referenceGrantPatch.d.ts similarity index 60% rename from generated/crds/gateway/v1alpha3/tlsroutePatch.d.ts rename to generated/crds/gateway/v1alpha2/referenceGrantPatch.d.ts index 892a9fc..7dfbb23 100644 --- a/generated/crds/gateway/v1alpha3/tlsroutePatch.d.ts +++ b/generated/crds/gateway/v1alpha2/referenceGrantPatch.d.ts 
@@ -8,68 +8,81 @@ import * as outputs from "../../types/output"; * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi. - * The TLSRoute resource is similar to TCPRoute, but can be configured - * to match against TLS-specific metadata. This allows more flexibility - * in matching streams for a given TLS listener. + * ReferenceGrant identifies kinds of resources in other namespaces that are + * trusted to reference the specified kinds of resources in the same namespace + * as the policy. * - * If you need to forward traffic to a single target for a TLS listener, you - * could choose to use a TCPRoute with a TLS listener. + * Each ReferenceGrant can be used to represent a unique trust relationship. + * Additional Reference Grants can be used to add to the set of trusted + * sources of inbound references for the namespace they are defined within. + * + * A ReferenceGrant is required for all cross-namespace references in Gateway API + * (with the exception of cross-namespace Route-Gateway attachment, which is + * governed by the AllowedRoutes configuration on the Gateway, and cross-namespace + * Service ParentRefs on a "consumer" mesh Route, which defines routing rules + * applicable only to workloads in the Route namespace). ReferenceGrants allowing + * a reference from a Route to a Service are only applicable to BackendRefs. + * + * ReferenceGrant is a form of runtime verification allowing users to assert + * which cross-namespace object references are permitted. 
Implementations that + * support ReferenceGrant MUST NOT permit cross-namespace references which have + * no grant, and MUST respond to the removal of a grant by revoking the access + * that the grant allowed. */ -export declare class TLSRoutePatch extends pulumi.CustomResource { +export declare class ReferenceGrantPatch extends pulumi.CustomResource { /** - * Get an existing TLSRoutePatch resource's state with the given name, ID, and optional extra + * Get an existing ReferenceGrantPatch resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ - static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): TLSRoutePatch; + static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): ReferenceGrantPatch; /** @internal */ - static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoutePatch"; + static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrantPatch"; /** - * Returns true if the given object is an instance of TLSRoutePatch. This is designed to work even + * Returns true if the given object is an instance of ReferenceGrantPatch. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ - static isInstance(obj: any): obj is TLSRoutePatch; + static isInstance(obj: any): obj is ReferenceGrantPatch; /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">; + readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - readonly kind: pulumi.Output<"TLSRoute">; + readonly kind: pulumi.Output<"ReferenceGrant">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ readonly metadata: pulumi.Output; - readonly spec: pulumi.Output; - readonly status: pulumi.Output; + readonly spec: pulumi.Output; /** - * Create a TLSRoutePatch resource with the given unique name, arguments, and options. + * Create a ReferenceGrantPatch resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ - constructor(name: string, args?: TLSRoutePatchArgs, opts?: pulumi.CustomResourceOptions); + constructor(name: string, args?: ReferenceGrantPatchArgs, opts?: pulumi.CustomResourceOptions); } /** - * The set of arguments for constructing a TLSRoutePatch resource. + * The set of arguments for constructing a ReferenceGrantPatch resource. */ -export interface TLSRoutePatchArgs { +export interface ReferenceGrantPatchArgs { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"TLSRoute">; + kind?: pulumi.Input<"ReferenceGrant">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ metadata?: pulumi.Input; - spec?: pulumi.Input; + spec?: pulumi.Input; } diff --git a/generated/crds/gateway/v1alpha3/tlsroutePatch.js b/generated/crds/gateway/v1alpha2/referenceGrantPatch.js similarity index 54% rename from generated/crds/gateway/v1alpha3/tlsroutePatch.js rename to generated/crds/gateway/v1alpha2/referenceGrantPatch.js index c7151e4..db38a31 100644 --- a/generated/crds/gateway/v1alpha3/tlsroutePatch.js +++ b/generated/crds/gateway/v1alpha2/referenceGrantPatch.js @@ -2,7 +2,7 @@ // *** WARNING: this file was generated by crd2pulumi. *** // *** Do not edit by hand unless you're certain you know what you are doing! *** Object.defineProperty(exports, "__esModule", { value: true }); -exports.TLSRoutePatch = void 0; +exports.ReferenceGrantPatch = void 0; const pulumi = require("@pulumi/pulumi"); const utilities = require("../../utilities"); /** 
@@ -12,16 +12,30 @@ const utilities = require("../../utilities"); * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi. - * The TLSRoute resource is similar to TCPRoute, but can be configured - * to match against TLS-specific metadata. This allows more flexibility - * in matching streams for a given TLS listener. + * ReferenceGrant identifies kinds of resources in other namespaces that are + * trusted to reference the specified kinds of resources in the same namespace + * as the policy. * - * If you need to forward traffic to a single target for a TLS listener, you - * could choose to use a TCPRoute with a TLS listener. + * Each ReferenceGrant can be used to represent a unique trust relationship. + * Additional Reference Grants can be used to add to the set of trusted + * sources of inbound references for the namespace they are defined within. + * + * A ReferenceGrant is required for all cross-namespace references in Gateway API + * (with the exception of cross-namespace Route-Gateway attachment, which is + * governed by the AllowedRoutes configuration on the Gateway, and cross-namespace + * Service ParentRefs on a "consumer" mesh Route, which defines routing rules + * applicable only to workloads in the Route namespace). ReferenceGrants allowing + * a reference from a Route to a Service are only applicable to BackendRefs. + * + * ReferenceGrant is a form of runtime verification allowing users to assert + * which cross-namespace object references are permitted. 
Implementations that + * support ReferenceGrant MUST NOT permit cross-namespace references which have + * no grant, and MUST respond to the removal of a grant by revoking the access + * that the grant allowed. */ -class TLSRoutePatch extends pulumi.CustomResource { +class ReferenceGrantPatch extends pulumi.CustomResource { /** - * Get an existing TLSRoutePatch resource's state with the given name, ID, and optional extra + * Get an existing ReferenceGrantPatch resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. @@ -29,20 +43,20 @@ class TLSRoutePatch extends pulumi.CustomResource { * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name, id, opts) { - return new TLSRoutePatch(name, undefined, { ...opts, id: id }); + return new ReferenceGrantPatch(name, undefined, { ...opts, id: id }); } /** - * Returns true if the given object is an instance of TLSRoutePatch. This is designed to work even + * Returns true if the given object is an instance of ReferenceGrantPatch. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj) { if (obj === undefined || obj === null) { return false; } - return obj['__pulumiType'] === TLSRoutePatch.__pulumiType; + return obj['__pulumiType'] === ReferenceGrantPatch.__pulumiType; } /** - * Create a TLSRoutePatch resource with the given unique name, arguments, and options. + * Create a ReferenceGrantPatch resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. 
@@ -52,25 +66,23 @@ class TLSRoutePatch extends pulumi.CustomResource { let resourceInputs = {}; opts = opts || {}; if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3"; - resourceInputs["kind"] = "TLSRoute"; + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; + resourceInputs["kind"] = "ReferenceGrant"; resourceInputs["metadata"] = args ? args.metadata : undefined; resourceInputs["spec"] = args ? args.spec : undefined; - resourceInputs["status"] = undefined /*out*/; } else { resourceInputs["apiVersion"] = undefined /*out*/; resourceInputs["kind"] = undefined /*out*/; resourceInputs["metadata"] = undefined /*out*/; resourceInputs["spec"] = undefined /*out*/; - resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoutePatch" }] }; + const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrantPatch" }] }; opts = pulumi.mergeOptions(opts, aliasOpts); - super(TLSRoutePatch.__pulumiType, name, resourceInputs, opts); + super(ReferenceGrantPatch.__pulumiType, name, resourceInputs, opts); } } -exports.TLSRoutePatch = TLSRoutePatch; +exports.ReferenceGrantPatch = ReferenceGrantPatch; /** @internal */ -TLSRoutePatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoutePatch'; +ReferenceGrantPatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrantPatch'; diff --git a/generated/crds/gateway/v1alpha3/tlsroutePatch.ts b/generated/crds/gateway/v1alpha2/referenceGrantPatch.ts similarity index 63% rename from generated/crds/gateway/v1alpha3/tlsroutePatch.ts rename to generated/crds/gateway/v1alpha2/referenceGrantPatch.ts index 3e6b0ce..26f076d 100644 --- a/generated/crds/gateway/v1alpha3/tlsroutePatch.ts +++ b/generated/crds/gateway/v1alpha2/referenceGrantPatch.ts 
@@ -13,100 +13,111 @@ import * as utilities from "../../utilities"; * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi. - * The TLSRoute resource is similar to TCPRoute, but can be configured - * to match against TLS-specific metadata. This allows more flexibility - * in matching streams for a given TLS listener. + * ReferenceGrant identifies kinds of resources in other namespaces that are + * trusted to reference the specified kinds of resources in the same namespace + * as the policy. * - * If you need to forward traffic to a single target for a TLS listener, you - * could choose to use a TCPRoute with a TLS listener. + * Each ReferenceGrant can be used to represent a unique trust relationship. + * Additional Reference Grants can be used to add to the set of trusted + * sources of inbound references for the namespace they are defined within. + * + * A ReferenceGrant is required for all cross-namespace references in Gateway API + * (with the exception of cross-namespace Route-Gateway attachment, which is + * governed by the AllowedRoutes configuration on the Gateway, and cross-namespace + * Service ParentRefs on a "consumer" mesh Route, which defines routing rules + * applicable only to workloads in the Route namespace). ReferenceGrants allowing + * a reference from a Route to a Service are only applicable to BackendRefs. + * + * ReferenceGrant is a form of runtime verification allowing users to assert + * which cross-namespace object references are permitted. 
Implementations that + * support ReferenceGrant MUST NOT permit cross-namespace references which have + * no grant, and MUST respond to the removal of a grant by revoking the access + * that the grant allowed. */ -export class TLSRoutePatch extends pulumi.CustomResource { +export class ReferenceGrantPatch extends pulumi.CustomResource { /** - * Get an existing TLSRoutePatch resource's state with the given name, ID, and optional extra + * Get an existing ReferenceGrantPatch resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ - public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): TLSRoutePatch { - return new TLSRoutePatch(name, undefined as any, { ...opts, id: id }); + public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): ReferenceGrantPatch { + return new ReferenceGrantPatch(name, undefined as any, { ...opts, id: id }); } /** @internal */ - public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoutePatch'; + public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrantPatch'; /** - * Returns true if the given object is an instance of TLSRoutePatch. This is designed to work even + * Returns true if the given object is an instance of ReferenceGrantPatch. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. 
*/ - public static isInstance(obj: any): obj is TLSRoutePatch { + public static isInstance(obj: any): obj is ReferenceGrantPatch { if (obj === undefined || obj === null) { return false; } - return obj['__pulumiType'] === TLSRoutePatch.__pulumiType; + return obj['__pulumiType'] === ReferenceGrantPatch.__pulumiType; } /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">; + public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - public readonly kind!: pulumi.Output<"TLSRoute">; + public readonly kind!: pulumi.Output<"ReferenceGrant">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ public readonly metadata!: pulumi.Output; - public readonly spec!: pulumi.Output; - public /*out*/ readonly status!: pulumi.Output; + public readonly spec!: pulumi.Output; /** - * Create a TLSRoutePatch resource with the given unique name, arguments, and options. + * Create a ReferenceGrantPatch resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. 
*/ - constructor(name: string, args?: TLSRoutePatchArgs, opts?: pulumi.CustomResourceOptions) { + constructor(name: string, args?: ReferenceGrantPatchArgs, opts?: pulumi.CustomResourceOptions) { let resourceInputs: pulumi.Inputs = {}; opts = opts || {}; if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3"; - resourceInputs["kind"] = "TLSRoute"; + resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2"; + resourceInputs["kind"] = "ReferenceGrant"; resourceInputs["metadata"] = args ? args.metadata : undefined; resourceInputs["spec"] = args ? args.spec : undefined; - resourceInputs["status"] = undefined /*out*/; } else { resourceInputs["apiVersion"] = undefined /*out*/; resourceInputs["kind"] = undefined /*out*/; resourceInputs["metadata"] = undefined /*out*/; resourceInputs["spec"] = undefined /*out*/; - resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoutePatch" }] }; + const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrantPatch" }] }; opts = pulumi.mergeOptions(opts, aliasOpts); - super(TLSRoutePatch.__pulumiType, name, resourceInputs, opts); + super(ReferenceGrantPatch.__pulumiType, name, resourceInputs, opts); } } /** - * The set of arguments for constructing a TLSRoutePatch resource. + * The set of arguments for constructing a ReferenceGrantPatch resource. */ -export interface TLSRoutePatchArgs { +export interface ReferenceGrantPatchArgs { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"TLSRoute">; + kind?: pulumi.Input<"ReferenceGrant">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ metadata?: pulumi.Input; - spec?: pulumi.Input; + spec?: pulumi.Input; } diff --git a/generated/crds/gateway/v1alpha2/tlsroute.js b/generated/crds/gateway/v1alpha2/tlsroute.js index 631a2f1..26f51bc 100644 --- a/generated/crds/gateway/v1alpha2/tlsroute.js +++ b/generated/crds/gateway/v1alpha2/tlsroute.js @@ -60,8 +60,6 @@ class TLSRoute extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoute" }] }; - opts = pulumi.mergeOptions(opts, aliasOpts); super(TLSRoute.__pulumiType, name, resourceInputs, opts); } } diff --git a/generated/crds/gateway/v1alpha2/tlsroute.ts b/generated/crds/gateway/v1alpha2/tlsroute.ts index ba24571..1471382 100644 --- a/generated/crds/gateway/v1alpha2/tlsroute.ts +++ b/generated/crds/gateway/v1alpha2/tlsroute.ts 
@@ -80,8 +80,6 @@ export class TLSRoute extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoute" }] }; - opts = pulumi.mergeOptions(opts, aliasOpts); super(TLSRoute.__pulumiType, name, resourceInputs, opts); } } diff --git a/generated/crds/gateway/v1alpha2/tlsroutePatch.js b/generated/crds/gateway/v1alpha2/tlsroutePatch.js index ad8e64d..77f37e7 100644 --- a/generated/crds/gateway/v1alpha2/tlsroutePatch.js +++ b/generated/crds/gateway/v1alpha2/tlsroutePatch.js @@ -66,8 +66,6 @@ class TLSRoutePatch extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoutePatch" }] }; - opts = pulumi.mergeOptions(opts, aliasOpts); super(TLSRoutePatch.__pulumiType, name, resourceInputs, opts); } } diff --git a/generated/crds/gateway/v1alpha2/tlsroutePatch.ts b/generated/crds/gateway/v1alpha2/tlsroutePatch.ts index 15428bc..f21b4f0 100644 --- a/generated/crds/gateway/v1alpha2/tlsroutePatch.ts +++ b/generated/crds/gateway/v1alpha2/tlsroutePatch.ts @@ -86,8 +86,6 @@ export class TLSRoutePatch extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoutePatch" }] }; - opts = pulumi.mergeOptions(opts, aliasOpts); super(TLSRoutePatch.__pulumiType, name, resourceInputs, opts); } } diff --git a/generated/crds/gateway/v1alpha3/backendTLSPolicy.js b/generated/crds/gateway/v1alpha3/backendTLSPolicy.js index c833a2e..b00050f 100644 --- a/generated/crds/gateway/v1alpha3/backendTLSPolicy.js +++ b/generated/crds/gateway/v1alpha3/backendTLSPolicy.js 
@@ -56,8 +56,6 @@ class BackendTLSPolicy extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicy" }] }; - opts = pulumi.mergeOptions(opts, aliasOpts); super(BackendTLSPolicy.__pulumiType, name, resourceInputs, opts); } } diff --git a/generated/crds/gateway/v1alpha3/backendTLSPolicy.ts b/generated/crds/gateway/v1alpha3/backendTLSPolicy.ts index f6959c7..4d73a81 100644 --- a/generated/crds/gateway/v1alpha3/backendTLSPolicy.ts +++ b/generated/crds/gateway/v1alpha3/backendTLSPolicy.ts @@ -76,8 +76,6 @@ export class BackendTLSPolicy extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicy" }] }; - opts = pulumi.mergeOptions(opts, aliasOpts); super(BackendTLSPolicy.__pulumiType, name, resourceInputs, opts); } } diff --git a/generated/crds/gateway/v1alpha3/backendTLSPolicyPatch.js b/generated/crds/gateway/v1alpha3/backendTLSPolicyPatch.js index 507cea5..c82dc85 100644 --- a/generated/crds/gateway/v1alpha3/backendTLSPolicyPatch.js +++ b/generated/crds/gateway/v1alpha3/backendTLSPolicyPatch.js @@ -62,8 +62,6 @@ class BackendTLSPolicyPatch extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyPatch" }] }; - opts = pulumi.mergeOptions(opts, aliasOpts); super(BackendTLSPolicyPatch.__pulumiType, name, resourceInputs, opts); } } diff --git a/generated/crds/gateway/v1alpha3/backendTLSPolicyPatch.ts b/generated/crds/gateway/v1alpha3/backendTLSPolicyPatch.ts index 7524f34..2d4b4c8 100644 
--- a/generated/crds/gateway/v1alpha3/backendTLSPolicyPatch.ts +++ b/generated/crds/gateway/v1alpha3/backendTLSPolicyPatch.ts @@ -82,8 +82,6 @@ export class BackendTLSPolicyPatch extends pulumi.CustomResource { resourceInputs["status"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyPatch" }] }; - opts = pulumi.mergeOptions(opts, aliasOpts); super(BackendTLSPolicyPatch.__pulumiType, name, resourceInputs, opts); } } diff --git a/generated/crds/gateway/v1alpha3/index.d.ts b/generated/crds/gateway/v1alpha3/index.d.ts index 146a6a1..781d15d 100644 --- a/generated/crds/gateway/v1alpha3/index.d.ts +++ b/generated/crds/gateway/v1alpha3/index.d.ts @@ -7,12 +7,3 @@ export declare const BackendTLSPolicyList: typeof import("./backendTLSPolicyList export { BackendTLSPolicyPatchArgs } from "./backendTLSPolicyPatch"; export type BackendTLSPolicyPatch = import("./backendTLSPolicyPatch").BackendTLSPolicyPatch; export declare const BackendTLSPolicyPatch: typeof import("./backendTLSPolicyPatch").BackendTLSPolicyPatch; -export { TLSRouteArgs } from "./tlsroute"; -export type TLSRoute = import("./tlsroute").TLSRoute; -export declare const TLSRoute: typeof import("./tlsroute").TLSRoute; -export { TLSRouteListArgs } from "./tlsrouteList"; -export type TLSRouteList = import("./tlsrouteList").TLSRouteList; -export declare const TLSRouteList: typeof import("./tlsrouteList").TLSRouteList; -export { TLSRoutePatchArgs } from "./tlsroutePatch"; -export type TLSRoutePatch = import("./tlsroutePatch").TLSRoutePatch; -export declare const TLSRoutePatch: typeof import("./tlsroutePatch").TLSRoutePatch; diff --git a/generated/crds/gateway/v1alpha3/index.js b/generated/crds/gateway/v1alpha3/index.js index a036ec1..17bc000 100644 --- a/generated/crds/gateway/v1alpha3/index.js +++ b/generated/crds/gateway/v1alpha3/index.js 
@@ -2,7 +2,7 @@ // *** WARNING: this file was generated by crd2pulumi. *** // *** Do not edit by hand unless you're certain you know what you are doing! *** Object.defineProperty(exports, "__esModule", { value: true }); -exports.TLSRoutePatch = exports.TLSRouteList = exports.TLSRoute = exports.BackendTLSPolicyPatch = exports.BackendTLSPolicyList = exports.BackendTLSPolicy = void 0; +exports.BackendTLSPolicyPatch = exports.BackendTLSPolicyList = exports.BackendTLSPolicy = void 0; const pulumi = require("@pulumi/pulumi"); const utilities = require("../../utilities"); exports.BackendTLSPolicy = null; @@ -11,12 +11,6 @@ exports.BackendTLSPolicyList = null; utilities.lazyLoad(exports, ["BackendTLSPolicyList"], () => require("./backendTLSPolicyList")); exports.BackendTLSPolicyPatch = null; utilities.lazyLoad(exports, ["BackendTLSPolicyPatch"], () => require("./backendTLSPolicyPatch")); -exports.TLSRoute = null; -utilities.lazyLoad(exports, ["TLSRoute"], () => require("./tlsroute")); -exports.TLSRouteList = null; -utilities.lazyLoad(exports, ["TLSRouteList"], () => require("./tlsrouteList")); -exports.TLSRoutePatch = null; -utilities.lazyLoad(exports, ["TLSRoutePatch"], () => require("./tlsroutePatch")); const _module = { version: utilities.getVersion(), construct: (name, type, urn) => { @@ -27,12 +21,6 @@ const _module = { return new exports.BackendTLSPolicyList(name, undefined, { urn }); case "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicyPatch": return new exports.BackendTLSPolicyPatch(name, undefined, { urn }); - case "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoute": - return new exports.TLSRoute(name, undefined, { urn }); - case "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRouteList": - return new exports.TLSRouteList(name, undefined, { urn }); - case "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoutePatch": - return new exports.TLSRoutePatch(name, undefined, { urn }); default: throw new Error(`unknown resource type ${type}`); } 
diff --git a/generated/crds/gateway/v1alpha3/index.ts b/generated/crds/gateway/v1alpha3/index.ts index d9e4572..140be39 100644 --- a/generated/crds/gateway/v1alpha3/index.ts +++ b/generated/crds/gateway/v1alpha3/index.ts @@ -20,21 +20,6 @@ export type BackendTLSPolicyPatch = import("./backendTLSPolicyPatch").BackendTLS export const BackendTLSPolicyPatch: typeof import("./backendTLSPolicyPatch").BackendTLSPolicyPatch = null as any; utilities.lazyLoad(exports, ["BackendTLSPolicyPatch"], () => require("./backendTLSPolicyPatch")); -export { TLSRouteArgs } from "./tlsroute"; -export type TLSRoute = import("./tlsroute").TLSRoute; -export const TLSRoute: typeof import("./tlsroute").TLSRoute = null as any; -utilities.lazyLoad(exports, ["TLSRoute"], () => require("./tlsroute")); - -export { TLSRouteListArgs } from "./tlsrouteList"; -export type TLSRouteList = import("./tlsrouteList").TLSRouteList; -export const TLSRouteList: typeof import("./tlsrouteList").TLSRouteList = null as any; -utilities.lazyLoad(exports, ["TLSRouteList"], () => require("./tlsrouteList")); - -export { TLSRoutePatchArgs } from "./tlsroutePatch"; -export type TLSRoutePatch = import("./tlsroutePatch").TLSRoutePatch; -export const TLSRoutePatch: typeof import("./tlsroutePatch").TLSRoutePatch = null as any; -utilities.lazyLoad(exports, ["TLSRoutePatch"], () => require("./tlsroutePatch")); - const _module = { version: utilities.getVersion(), 
@@ -46,12 +31,6 @@ const _module = { return new BackendTLSPolicyList(name, undefined, { urn }) case "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicyPatch": return new BackendTLSPolicyPatch(name, undefined, { urn }) - case "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoute": - return new TLSRoute(name, undefined, { urn }) - case "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRouteList": - return new TLSRouteList(name, undefined, { urn }) - case "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoutePatch": - return new TLSRoutePatch(name, undefined, { urn }) default: throw new Error(`unknown resource type ${type}`); } diff --git a/generated/crds/gateway/v1alpha3/tlsroute.js b/generated/crds/gateway/v1alpha3/tlsroute.js deleted file mode 100644 index 1d16c11..0000000 --- a/generated/crds/gateway/v1alpha3/tlsroute.js +++ /dev/null 
@@ -1,70 +0,0 @@ -"use strict"; -// *** WARNING: this file was generated by crd2pulumi. *** -// *** Do not edit by hand unless you're certain you know what you are doing! *** -Object.defineProperty(exports, "__esModule", { value: true }); -exports.TLSRoute = void 0; -const pulumi = require("@pulumi/pulumi"); -const utilities = require("../../utilities"); -/** - * The TLSRoute resource is similar to TCPRoute, but can be configured - * to match against TLS-specific metadata. This allows more flexibility - * in matching streams for a given TLS listener. - * - * If you need to forward traffic to a single target for a TLS listener, you - * could choose to use a TCPRoute with a TLS listener. - */ -class TLSRoute extends pulumi.CustomResource { - /** - * Get an existing TLSRoute resource's state with the given name, ID, and optional extra - * properties used to qualify the lookup. - * - * @param name The _unique_ name of the resulting resource. - * @param id The _unique_ provider ID of the resource to lookup. - * @param opts Optional settings to control the behavior of the CustomResource. - */ - static get(name, id, opts) { - return new TLSRoute(name, undefined, { ...opts, id: id }); - } - /** - * Returns true if the given object is an instance of TLSRoute. This is designed to work even - * when multiple copies of the Pulumi SDK have been loaded into the same process. - */ - static isInstance(obj) { - if (obj === undefined || obj === null) { - return false; - } - return obj['__pulumiType'] === TLSRoute.__pulumiType; - } - /** - * Create a TLSRoute resource with the given unique name, arguments, and options. - * - * @param name The _unique_ name of the resource. - * @param args The arguments to use to populate this resource's properties. - * @param opts A bag of options that control this resource's behavior. 
- */ - constructor(name, args, opts) { - let resourceInputs = {}; - opts = opts || {}; - if (!opts.id) { - resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3"; - resourceInputs["kind"] = "TLSRoute"; - resourceInputs["metadata"] = args ? args.metadata : undefined; - resourceInputs["spec"] = args ? args.spec : undefined; - resourceInputs["status"] = undefined /*out*/; - } - else { - resourceInputs["apiVersion"] = undefined /*out*/; - resourceInputs["kind"] = undefined /*out*/; - resourceInputs["metadata"] = undefined /*out*/; - resourceInputs["spec"] = undefined /*out*/; - resourceInputs["status"] = undefined /*out*/; - } - opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); - const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoute" }] }; - opts = pulumi.mergeOptions(opts, aliasOpts); - super(TLSRoute.__pulumiType, name, resourceInputs, opts); - } -} -exports.TLSRoute = TLSRoute; -/** @internal */ -TLSRoute.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoute'; diff --git a/generated/crds/gateway/v1beta1/referenceGrant.js b/generated/crds/gateway/v1beta1/referenceGrant.js index e951a81..75c5bff 100644 --- a/generated/crds/gateway/v1beta1/referenceGrant.js +++ b/generated/crds/gateway/v1beta1/referenceGrant.js @@ -68,6 +68,8 @@ class ReferenceGrant extends pulumi.CustomResource { resourceInputs["spec"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); + const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrant" }] }; + opts = pulumi.mergeOptions(opts, aliasOpts); super(ReferenceGrant.__pulumiType, name, resourceInputs, opts); } } diff --git a/generated/crds/gateway/v1beta1/referenceGrant.ts b/generated/crds/gateway/v1beta1/referenceGrant.ts index 99c6e64..0efb69e 100644 --- a/generated/crds/gateway/v1beta1/referenceGrant.ts +++ b/generated/crds/gateway/v1beta1/referenceGrant.ts 
@@ -87,6 +87,8 @@ export class ReferenceGrant extends pulumi.CustomResource { resourceInputs["spec"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); + const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrant" }] }; + opts = pulumi.mergeOptions(opts, aliasOpts); super(ReferenceGrant.__pulumiType, name, resourceInputs, opts); } } diff --git a/generated/crds/gateway/v1beta1/referenceGrantPatch.js b/generated/crds/gateway/v1beta1/referenceGrantPatch.js index 4c1e69c..2c5244a 100644 --- a/generated/crds/gateway/v1beta1/referenceGrantPatch.js +++ b/generated/crds/gateway/v1beta1/referenceGrantPatch.js @@ -74,6 +74,8 @@ class ReferenceGrantPatch extends pulumi.CustomResource { resourceInputs["spec"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); + const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrantPatch" }] }; + opts = pulumi.mergeOptions(opts, aliasOpts); super(ReferenceGrantPatch.__pulumiType, name, resourceInputs, opts); } } diff --git a/generated/crds/gateway/v1beta1/referenceGrantPatch.ts b/generated/crds/gateway/v1beta1/referenceGrantPatch.ts index 7ed5db4..f51f695 100644 --- a/generated/crds/gateway/v1beta1/referenceGrantPatch.ts +++ b/generated/crds/gateway/v1beta1/referenceGrantPatch.ts @@ -93,6 +93,8 @@ export class ReferenceGrantPatch extends pulumi.CustomResource { resourceInputs["spec"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); + const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha2:ReferenceGrantPatch" }] }; + opts = pulumi.mergeOptions(opts, aliasOpts); super(ReferenceGrantPatch.__pulumiType, name, resourceInputs, opts); } } diff --git a/generated/crds/types/input.d.ts b/generated/crds/types/input.d.ts index e5cd2e5..723325e 100644 --- a/generated/crds/types/input.d.ts 
+++ b/generated/crds/types/input.d.ts @@ -28,9 +28,9 @@ export declare namespace acme { */ authorizationURL?: pulumi.Input; /** - * dnsName is the identifier that this challenge is for, e.g., example.com. + * dnsName is the identifier that this challenge is for, e.g. example.com. * If the requested DNSName is a 'wildcard', this field MUST be set to the - * non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`. + * non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. */ dnsName?: pulumi.Input; issuerRef?: pulumi.Input; @@ -75,17 +75,15 @@ export declare namespace acme { */ interface ChallengeSpecIssuerRef { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group?: pulumi.Input; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind?: pulumi.Input; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name?: pulumi.Input; } @@ -98,17 +96,15 @@ export declare namespace acme { */ interface ChallengeSpecIssuerRefPatch { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group?: pulumi.Input; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind?: pulumi.Input; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name?: pulumi.Input; } 
@@ -119,9 +115,9 @@ export declare namespace acme { */ authorizationURL?: pulumi.Input; /** - * dnsName is the identifier that this challenge is for, e.g., example.com. + * dnsName is the identifier that this challenge is for, e.g. example.com. * If the requested DNSName is a 'wildcard', this field MUST be set to the - * non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`. + * non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. */ dnsName?: pulumi.Input; issuerRef?: pulumi.Input; @@ -434,18 +430,14 @@ export declare namespace acme { */ interface ChallengeSpecSolverDns01AzureDNSManagedIdentity { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID?: pulumi.Input; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID?: pulumi.Input; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID?: pulumi.Input; } /** * Auth: Azure Workload Identity or Azure Managed Service Identity: 
@@ -454,18 +446,14 @@ export declare namespace acme { */ interface ChallengeSpecSolverDns01AzureDNSManagedIdentityPatch { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID?: pulumi.Input; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID?: pulumi.Input; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID?: pulumi.Input; } /** * Use the Microsoft Azure DNS API to manage DNS01 challenge records. @@ -730,10 +718,6 @@ export declare namespace acme { * This field is required. */ nameserver?: pulumi.Input; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol?: pulumi.Input; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. @@ -760,10 +744,6 @@ export declare namespace acme { * This field is required. */ nameserver?: pulumi.Input; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol?: pulumi.Input; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -827,32 +807,11 @@ export declare namespace acme { accessKeyIDSecretRef?: pulumi.Input; auth?: pulumi.Input; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID?: pulumi.Input; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. 
+ * Always set the region when using AccessKeyID and SecretAccessKey */ region?: pulumi.Input; /** 
@@ -981,32 +940,11 @@ export declare namespace acme { accessKeyIDSecretRef?: pulumi.Input; auth?: pulumi.Input; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID?: pulumi.Input; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. 
+ * Always set the region when using AccessKeyID and SecretAccessKey */ region?: pulumi.Input; /** @@ -1064,7 +1002,7 @@ export declare namespace acme { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -1082,7 +1020,7 @@ export declare namespace acme { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName?: pulumi.Input; } @@ -1096,7 +1034,7 @@ export declare namespace acme { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -1114,7 +1052,7 @@ export declare namespace acme { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName?: pulumi.Input; } 
@@ -1122,7 +1060,7 @@ export declare namespace acme { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ interface ChallengeSpecSolverHttp01 { gatewayHTTPRoute?: pulumi.Input; @@ -1149,7 +1087,6 @@ export declare namespace acme { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs?: pulumi.Input[]>; - podTemplate?: pulumi.Input; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. @@ -1161,12 +1098,15 @@ export declare namespace acme { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -1177,23 +1117,28 @@ export declare namespace acme { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -1201,17 +1146,20 @@ export declare namespace acme { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -1219,6 +1167,7 @@ export declare namespace acme { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -1226,6 +1175,7 @@ export declare namespace acme { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -1234,16 +1184,19 @@ export declare namespace acme { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -1252,6 +1205,7 @@ export declare namespace acme { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -1259,6 +1213,7 @@ export declare namespace acme { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -1266,10 +1221,12 @@ export declare namespace acme { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -1279,6 +1236,7 @@ export declare namespace acme { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -1288,12 +1246,15 @@ export declare namespace acme { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -1304,23 +1265,28 @@ export declare namespace acme { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -1328,17 +1294,20 @@ export declare namespace acme { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -1346,6 +1315,7 @@ export declare namespace acme { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -1353,6 +1323,7 @@ export declare namespace acme { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -1361,16 +1332,19 @@ export declare namespace acme { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -1379,6 +1353,7 @@ export declare namespace acme { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -1386,6 +1361,7 @@ export declare namespace acme { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -1393,10 +1369,12 @@ export declare namespace acme { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -1406,6 +1384,7 @@ export declare namespace acme { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; 
@@ -1431,2083 +1410,12 @@ export declare namespace acme { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs?: pulumi.Input[]>; - podTemplate?: pulumi.Input; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. */ serviceType?: pulumi.Input; } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplate { - metadata?: pulumi.Input; - spec?: pulumi.Input; - } - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadata { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadataPatch { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. 
- */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplatePatch { - metadata?: pulumi.Input; - spec?: pulumi.Input; - } - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpec { - affinity?: pulumi.Input; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets?: pulumi.Input[]>; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; - /** - * If specified, the pod's service account - */ - serviceAccountName?: pulumi.Input; - /** - * If specified, the pod's tolerations. - */ - tolerations?: pulumi.Input[]>; - } - /** - * If specified, the pod's scheduling constraints - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinity { - nodeAffinity?: pulumi.Input; - podAffinity?: pulumi.Input; - podAntiAffinity?: pulumi.Input; - } - /** - * Describes node affinity scheduling rules for the pod. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. 
- * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input; - } - /** - * Describes node affinity scheduling rules for the pod. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input; - } - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution { - preference?: pulumi.Input; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 
- */ - weight?: pulumi.Input; - } - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - preference?: pulumi.Input; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight?: pulumi.Input; - } - /** - * A node selector term, associated with the corresponding weight. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. 
- */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. 
- */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A node selector term, associated with the corresponding weight. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution { - /** - * Required. A list of node selector terms. 
The terms are ORed. - */ - nodeSelectorTerms?: pulumi.Input[]>; - } - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch { - /** - * The label key that the selector applies to. 
- */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. 
- * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - /** - * Required. A list of node selector terms. The terms are ORed. - */ - nodeSelectorTerms?: pulumi.Input[]>; - } - /** - * If specified, the pod's scheduling constraints - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch { - nodeAffinity?: pulumi.Input; - podAffinity?: pulumi.Input; - podAntiAffinity?: pulumi.Input; - } - /** - * Describes pod affinity scheduling rules (e.g. 
co-locate this pod in the same node, zone, etc. as some other pod(s)). - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. 
The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. 
- */ - weight?: pulumi.Input; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. 
- * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label query over the set of namespaces that the term applies to. 
- * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. 
- */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. 
- */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. 
- */ - values?: pulumi.Input[]>; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. 
- */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. 
- */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. 
- * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. 
- */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. 
- * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. 
- */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. 
- */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. 
- */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. 
- * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. 
- */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. 
- * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecPatch { - affinity?: pulumi.Input; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets?: pulumi.Input[]>; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; - /** - * If specified, the pod's service account - */ - serviceAccountName?: pulumi.Input; - /** - * If specified, the pod's tolerations. - */ - tolerations?: pulumi.Input[]>; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. 
- * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. 
- * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * If specified, the pod's security context - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. 
- * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - /** - * If specified, the pod's security context - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. 
- * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. 
- * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. 
- */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. 
- * Unconfined - no profile should be applied. - */ - type?: pulumi.Input; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type?: pulumi.Input; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerations { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. 
- */ - effect?: pulumi.Input; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key?: pulumi.Input; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator?: pulumi.Input; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds?: pulumi.Input; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value?: pulumi.Input; - } - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect?: pulumi.Input; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key?: pulumi.Input; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. 
- */ - operator?: pulumi.Input; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds?: pulumi.Input; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value?: pulumi.Input; - } /** * The ingress based HTTP01 challenge solver will solve challenges by * creating or modifying Ingress resources in order to route requests for @@ -3654,7 +1562,7 @@ export declare namespace acme { */ interface ChallengeSpecSolverHttp01IngressPodTemplateMetadata { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations?: pulumi.Input<{ [key: string]: pulumi.Input; @@ -3674,7 +1582,7 @@ export declare namespace acme { */ interface ChallengeSpecSolverHttp01IngressPodTemplateMetadataPatch { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations?: pulumi.Input<{ [key: string]: pulumi.Input; @@ -3717,8 +1625,6 @@ export declare namespace acme { * If specified, the pod's priorityClassName. */ priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; /** * If specified, the pod's service account */ 
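Review bot: The new side of the `@@ -3717,8 +1625,6 @@` hunk no longer declares `resources?: pulumi.Input;` and `securityContext?: pulumi.Input;` on what appears to be the Ingress solver pod template spec, so programs built on these types can no longer set `runAsNonRoot`, `seccompProfile` or resource limits for the ACME HTTP01 solver pods; the hunk at `@@ -5307,8 +3233,6 @@` makes the same removal. The "alpha field" doc lines added in the later hunks suggest the types were regenerated from an older CRD schema, but that is inferred from the visible lines and should be confirmed against the CRD input. If the downgrade is unintended, regenerate from the schema that still declares both fields; if it is intended, record the removal as a breaking change so consumers can check which security context the solver pods end up running with. The enclosing interface starts and ends outside the hunk.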
@@ -4158,6 +2064,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -4169,6 +2076,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -4368,6 +2276,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -4379,6 +2288,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; 
@@ -4417,6 +2327,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -4428,6 +2339,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -4632,6 +2544,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -4643,6 +2556,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; 
@@ -4673,8 +2587,8 @@ export declare namespace acme { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; @@ -4700,8 +2614,8 @@ export declare namespace acme { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; @@ -4752,6 +2666,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** 
@@ -4763,6 +2678,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -4962,6 +2878,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -4973,6 +2890,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -5011,6 +2929,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** 
@@ -5022,6 +2941,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -5226,6 +3146,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -5237,6 +3158,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -5266,7 +3188,9 @@ export declare namespace acme { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: pulumi.Input; } 
@@ -5280,7 +3204,9 @@ export declare namespace acme { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: pulumi.Input; } @@ -5307,8 +3233,6 @@ export declare namespace acme { * If specified, the pod's priorityClassName. */ priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; /** * If specified, the pod's service account */ 
@@ -5318,326 +3242,6 @@ export declare namespace acme { */ tolerations?: pulumi.Input[]>; } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. 
- * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * If specified, the pod's security context - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. 
If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. 
- * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - /** - * If specified, the pod's security context - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. 
- * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. 
- * Note that this field cannot be set when spec.os.name is windows. - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". 
Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type?: pulumi.Input; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. 
- */ - type?: pulumi.Input; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } /** * The pod this Toleration is attached to tolerates any taint that matches * the triple using the matching operator . @@ -5712,7 +3316,7 @@ export declare namespace acme { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ interface ChallengeSpecSolverHttp01Patch { gatewayHTTPRoute?: pulumi.Input; @@ -5877,11 +3481,6 @@ export declare namespace acme { */ ipAddresses?: pulumi.Input[]>; issuerRef?: pulumi.Input; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile?: pulumi.Input; /** * Certificate signing request bytes in DER encoding. * This will be used when finalizing the order. 
@@ -5898,17 +3497,15 @@ export declare namespace acme { */ interface OrderSpecIssuerRef { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group?: pulumi.Input; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind?: pulumi.Input; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name?: pulumi.Input; } @@ -5921,17 +3518,15 @@ export declare namespace acme { */ interface OrderSpecIssuerRefPatch { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group?: pulumi.Input; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind?: pulumi.Input; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name?: pulumi.Input; } @@ -5960,11 +3555,6 @@ export declare namespace acme { */ ipAddresses?: pulumi.Input[]>; issuerRef?: pulumi.Input; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile?: pulumi.Input; /** * Certificate signing request bytes in DER encoding. * This will be used when finalizing the order. @@ -6067,7 +3657,7 @@ export declare namespace acme { */ token?: pulumi.Input; /** - * Type is the type of challenge being offered, e.g., 'http-01', 'dns-01', + * Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', * 'tls-sni-01', etc. * This is the raw value retrieved from the ACME server. * Only 'http-01' and 'dns-01' are supported by cert-manager, other values 
@@ -6088,6 +3678,7 @@ export declare namespace cert_manager { * A Certificate resource should be created to ensure an up to date and signed * X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. * + * * The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`). */ interface Certificate { @@ -6110,10 +3701,12 @@ export declare namespace cert_manager { * A CertificateRequest is used to request a signed certificate from one of the * configured issuers. * + * * All fields within the CertificateRequest's `spec` are immutable after creation. * A CertificateRequest will either succeed or fail, as denoted by its `Ready` status * condition and its `status.failureTime` field. * + * * A CertificateRequest is a one-shot resource, meaning it represents a single * point in time request for a certificate and cannot be re-used. */ @@ -6160,9 +3753,11 @@ export declare namespace cert_manager { * Requested basic constraints isCA value. Note that the issuer may choose * to ignore the requested isCA value, just like any other requested attribute. * + * * NOTE: If the CSR in the `Request` field has a BasicConstraints extension, * it must have the same isCA value as specified here. * + * * If true, this will automatically add the `cert sign` usage to the list * of requested `usages`. */ @@ -6172,6 +3767,7 @@ export declare namespace cert_manager { * The PEM-encoded X.509 certificate signing request to be submitted to the * issuer for signing. * + * * If the CSR has a BasicConstraints extension, its isCA attribute must * match the `isCA` value of this CertificateRequest. * If the CSR has a KeyUsage extension, its key usages must match the 
@@ -6189,10 +3785,12 @@ export declare namespace cert_manager { /** * Requested key usages and extended key usages. * + * * NOTE: If the CSR in the `Request` field has uses the KeyUsage or * ExtKeyUsage extension, these extensions must have the same values * as specified here without any additional values. * + * * If unset, defaults to `digital signature` and `key encipherment`. */ usages?: pulumi.Input[]>; @@ -6208,21 +3806,20 @@ export declare namespace cert_manager { * as the Certificate. If the issuer is cluster-scoped, it can be used * from any namespace. * + * * The `name` field of the reference must always be specified. */ interface CertificateRequestSpecIssuerRef { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group?: pulumi.Input; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind?: pulumi.Input; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name?: pulumi.Input; } @@ -6232,21 +3829,20 @@ export declare namespace cert_manager { * as the Certificate. If the issuer is cluster-scoped, it can be used * from any namespace. * + * * The `name` field of the reference must always be specified. */ interface CertificateRequestSpecIssuerRefPatch { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group?: pulumi.Input; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind?: pulumi.Input; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name?: pulumi.Input; } 
@@ -6277,9 +3873,11 @@ export declare namespace cert_manager { * Requested basic constraints isCA value. Note that the issuer may choose * to ignore the requested isCA value, just like any other requested attribute. * + * * NOTE: If the CSR in the `Request` field has a BasicConstraints extension, * it must have the same isCA value as specified here. * + * * If true, this will automatically add the `cert sign` usage to the list * of requested `usages`. */ @@ -6289,6 +3887,7 @@ export declare namespace cert_manager { * The PEM-encoded X.509 certificate signing request to be submitted to the * issuer for signing. * + * * If the CSR has a BasicConstraints extension, its isCA attribute must * match the `isCA` value of this CertificateRequest. * If the CSR has a KeyUsage extension, its key usages must match the @@ -6306,10 +3905,12 @@ export declare namespace cert_manager { /** * Requested key usages and extended key usages. * + * * NOTE: If the CSR in the `Request` field has uses the KeyUsage or * ExtKeyUsage extension, these extensions must have the same values * as specified here without any additional values. * + * * If unset, defaults to `digital signature` and `key encipherment`. */ usages?: pulumi.Input[]>; @@ -6389,6 +3990,11 @@ export declare namespace cert_manager { /** * Defines extra output formats of the private key and signed certificate chain * to be written to this Certificate's target Secret. + * + * + * This is a Beta Feature enabled by default. It can be disabled with the + * `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both + * the controller and webhook components. */ additionalOutputFormats?: pulumi.Input[]>; /** 
@@ -6397,6 +4003,7 @@ export declare namespace cert_manager { * NOTE: TLS clients will ignore this value when any subject alternative name is * set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). * + * * Should have a length of 64 characters or fewer to avoid generating invalid CSRs. * Cannot be set if the `literalSubject` field is set. */ @@ -6410,6 +4017,7 @@ export declare namespace cert_manager { * issuer may choose to ignore the requested duration, just like any other * requested attribute. * + * * If unset, this defaults to 90 days. * Minimum accepted duration is 1 hour. * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. @@ -6422,6 +4030,7 @@ export declare namespace cert_manager { /** * Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR. * + * * This option defaults to true, and should only be disabled if the target * issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions. */ @@ -6436,6 +4045,7 @@ export declare namespace cert_manager { * resources. Note that the issuer may choose to ignore the requested isCA value, just * like any other requested attribute. * + * * If true, this will automatically add the `cert sign` usage to the list * of requested `usages`. */ @@ -6452,6 +4062,7 @@ export declare namespace cert_manager { * More info: https://github.com/cert-manager/cert-manager/issues/3203 * More info: https://github.com/cert-manager/cert-manager/issues/4424 * + * * Cannot be set if the `subject` or `commonName` field is set. */ literalSubject?: pulumi.Input; 
@@ -6471,33 +4082,17 @@ export declare namespace cert_manager { * 50 minutes after it was issued (i.e. when there are 10 minutes remaining until * the certificate is no longer valid). * + * * NOTE: The actual lifetime of the issued certificate is used to determine the * renewal time. If an issuer returns a certificate with a different lifetime than * the one requested, cert-manager will use the lifetime of the issued certificate. * + * * If unset, this defaults to 1/3 of the issued certificate's lifetime. * Minimum accepted value is 5 minutes. * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. - * Cannot be set if the `renewBeforePercentage` field is set. */ renewBefore?: pulumi.Input; - /** - * `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage - * rather than an absolute duration. For example, if a certificate is valid for 60 - * minutes, and `renewBeforePercentage=25`, cert-manager will begin to attempt to - * renew the certificate 45 minutes after it was issued (i.e. when there are 15 - * minutes (25%) remaining until the certificate is no longer valid). - * - * NOTE: The actual lifetime of the issued certificate is used to determine the - * renewal time. If an issuer returns a certificate with a different lifetime than - * the one requested, cert-manager will use the lifetime of the issued certificate. - * - * Value must be an integer in the range (0,100). The minimum effective - * `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5 - * minutes. - * Cannot be set if the `renewBefore` field is set. - */ - renewBeforePercentage?: pulumi.Input; /** * The maximum number of CertificateRequest revisions that are maintained in * the Certificate's history. Each revision represents a single `CertificateRequest` 
@@ -6505,8 +4100,10 @@ export declare namespace cert_manager { * was changed. Revisions will be removed by oldest first if the number of * revisions exceeds this number. * + * * If set, revisionHistoryLimit must be a value of `1` or greater. - * Default value is `1`. + * If unset (`nil`), revisions will not be garbage collected. + * Default value is `nil`. */ revisionHistoryLimit?: pulumi.Input; /** @@ -6517,13 +4114,6 @@ export declare namespace cert_manager { */ secretName?: pulumi.Input; secretTemplate?: pulumi.Input; - /** - * Signature algorithm to use. - * Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA. - * Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512. - * Allowed values for Ed25519 keys: PureEd25519. - */ - signatureAlgorithm?: pulumi.Input; subject?: pulumi.Input; /** * Requested URI subject alternative names. @@ -6535,6 +4125,7 @@ export declare namespace cert_manager { * resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages * will additionally be encoded in the `request` field which contains the CSR blob. * + * * If unset, defaults to `digital signature` and `key encipherment`. */ usages?: pulumi.Input[]>; @@ -6569,21 +4160,20 @@ export declare namespace cert_manager { * as the Certificate. If the issuer is cluster-scoped, it can be used * from any namespace. * + * * The `name` field of the reference must always be specified. */ interface CertificateSpecIssuerRef { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group?: pulumi.Input; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind?: pulumi.Input; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name?: pulumi.Input; } 
@@ -6593,21 +4183,20 @@ export declare namespace cert_manager { * as the Certificate. If the issuer is cluster-scoped, it can be used * from any namespace. * + * * The `name` field of the reference must always be specified. */ interface CertificateSpecIssuerRefPatch { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group?: pulumi.Input; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind?: pulumi.Input; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name?: pulumi.Input; } @@ -6632,7 +4221,7 @@ export declare namespace cert_manager { * Create enables JKS keystore creation for the Certificate. * If true, a file named `keystore.jks` will be created in the target * Secret resource, encrypted using the password stored in - * `passwordSecretRef` or `password`. + * `passwordSecretRef`. * The keystore file will be updated immediately. * If the issuer provided a CA certificate, a file named `truststore.jks` * will also be created in the target Secret resource, encrypted using the 
@@ -6640,19 +4229,11 @@ export declare namespace cert_manager { * containing the issuing Certificate Authority */ create?: pulumi.Input; - /** - * Password provides a literal password used to encrypt the JKS keystore. - * Mutually exclusive with passwordSecretRef. - * One of password or passwordSecretRef must provide a password with a non-zero length. - */ - password?: pulumi.Input; passwordSecretRef?: pulumi.Input; } /** - * PasswordSecretRef is a reference to a non-empty key in a Secret resource + * PasswordSecretRef is a reference to a key in a Secret resource * containing the password used to encrypt the JKS keystore. - * Mutually exclusive with password. - * One of password or passwordSecretRef must provide a password with a non-zero length. */ interface CertificateSpecKeystoresJksPasswordSecretRef { /** @@ -6668,10 +4249,8 @@ export declare namespace cert_manager { name?: pulumi.Input; } /** - * PasswordSecretRef is a reference to a non-empty key in a Secret resource + * PasswordSecretRef is a reference to a key in a Secret resource * containing the password used to encrypt the JKS keystore. - * Mutually exclusive with password. - * One of password or passwordSecretRef must provide a password with a non-zero length. */ interface CertificateSpecKeystoresJksPasswordSecretRefPatch { /** @@ -6700,7 +4279,7 @@ export declare namespace cert_manager { * Create enables JKS keystore creation for the Certificate. * If true, a file named `keystore.jks` will be created in the target * Secret resource, encrypted using the password stored in - * `passwordSecretRef` or `password`. + * `passwordSecretRef`. * The keystore file will be updated immediately. * If the issuer provided a CA certificate, a file named `truststore.jks` * will also be created in the target Secret resource, encrypted using the 
@@ -6708,12 +4287,6 @@ export declare namespace cert_manager { * containing the issuing Certificate Authority */ create?: pulumi.Input; - /** - * Password provides a literal password used to encrypt the JKS keystore. - * Mutually exclusive with passwordSecretRef. - * One of password or passwordSecretRef must provide a password with a non-zero length. - */ - password?: pulumi.Input; passwordSecretRef?: pulumi.Input; } /** @@ -6732,7 +4305,7 @@ export declare namespace cert_manager { * Create enables PKCS12 keystore creation for the Certificate. * If true, a file named `keystore.p12` will be created in the target * Secret resource, encrypted using the password stored in - * `passwordSecretRef` or in `password`. + * `passwordSecretRef`. * The keystore file will be updated immediately. * If the issuer provided a CA certificate, a file named `truststore.p12` will * also be created in the target Secret resource, encrypted using the 
@@ -6740,31 +4313,24 @@ export declare namespace cert_manager { * Authority */ create?: pulumi.Input; - /** - * Password provides a literal password used to encrypt the PKCS#12 keystore. - * Mutually exclusive with passwordSecretRef. - * One of password or passwordSecretRef must provide a password with a non-zero length. - */ - password?: pulumi.Input; passwordSecretRef?: pulumi.Input; /** * Profile specifies the key and certificate encryption algorithms and the HMAC algorithm * used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. * + * * If provided, allowed values are: * `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. * `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. * `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms - * (e.g., because of company policy). Please note that the security of the algorithm is not that important + * (eg. because of company policy). Please note that the security of the algorithm is not that important * in reality, because the unencrypted certificate and private key are also stored in the Secret. */ profile?: pulumi.Input; } /** - * PasswordSecretRef is a reference to a non-empty key in a Secret resource - * containing the password used to encrypt the PKCS#12 keystore. - * Mutually exclusive with password. - * One of password or passwordSecretRef must provide a password with a non-zero length. + * PasswordSecretRef is a reference to a key in a Secret resource + * containing the password used to encrypt the PKCS12 keystore. */ interface CertificateSpecKeystoresPkcs12PasswordSecretRef { /** 
@@ -6780,10 +4346,8 @@ export declare namespace cert_manager { name?: pulumi.Input; } /** - * PasswordSecretRef is a reference to a non-empty key in a Secret resource - * containing the password used to encrypt the PKCS#12 keystore. - * Mutually exclusive with password. - * One of password or passwordSecretRef must provide a password with a non-zero length. + * PasswordSecretRef is a reference to a key in a Secret resource + * containing the password used to encrypt the PKCS12 keystore. */ interface CertificateSpecKeystoresPkcs12PasswordSecretRefPatch { /** @@ -6807,7 +4371,7 @@ export declare namespace cert_manager { * Create enables PKCS12 keystore creation for the Certificate. * If true, a file named `keystore.p12` will be created in the target * Secret resource, encrypted using the password stored in - * `passwordSecretRef` or in `password`. + * `passwordSecretRef`. * The keystore file will be updated immediately. * If the issuer provided a CA certificate, a file named `truststore.p12` will * also be created in the target Secret resource, encrypted using the 
@@ -6815,22 +4379,17 @@ export declare namespace cert_manager { * Authority */ create?: pulumi.Input; - /** - * Password provides a literal password used to encrypt the PKCS#12 keystore. - * Mutually exclusive with passwordSecretRef. - * One of password or passwordSecretRef must provide a password with a non-zero length. - */ - password?: pulumi.Input; passwordSecretRef?: pulumi.Input; /** * Profile specifies the key and certificate encryption algorithms and the HMAC algorithm * used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. * + * * If provided, allowed values are: * `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. * `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. * `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms - * (e.g., because of company policy). Please note that the security of the algorithm is not that important + * (eg. because of company policy). Please note that the security of the algorithm is not that important * in reality, because the unencrypted certificate and private key are also stored in the Secret. */ profile?: pulumi.Input; @@ -6839,6 +4398,7 @@ export declare namespace cert_manager { * x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. * More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 * + * * This is an Alpha Feature and is only enabled with the * `--feature-gates=NameConstraints=true` option set on both * the controller and webhook components. 
@@ -6903,6 +4463,7 @@ export declare namespace cert_manager { * x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. * More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 * + * * This is an Alpha Feature and is only enabled with the * `--feature-gates=NameConstraints=true` option set on both * the controller and webhook components. @@ -6993,6 +4554,11 @@ export declare namespace cert_manager { /** * Defines extra output formats of the private key and signed certificate chain * to be written to this Certificate's target Secret. + * + * + * This is a Beta Feature enabled by default. It can be disabled with the + * `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both + * the controller and webhook components. */ additionalOutputFormats?: pulumi.Input[]>; /** @@ -7001,6 +4567,7 @@ export declare namespace cert_manager { * NOTE: TLS clients will ignore this value when any subject alternative name is * set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). * + * * Should have a length of 64 characters or fewer to avoid generating invalid CSRs. * Cannot be set if the `literalSubject` field is set. */ @@ -7014,6 +4581,7 @@ export declare namespace cert_manager { * issuer may choose to ignore the requested duration, just like any other * requested attribute. * + * * If unset, this defaults to 90 days. * Minimum accepted duration is 1 hour. * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. @@ -7026,6 +4594,7 @@ export declare namespace cert_manager { /** * Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR. * + * * This option defaults to true, and should only be disabled if the target * issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions. */ 
@@ -7040,6 +4609,7 @@ export declare namespace cert_manager { * resources. Note that the issuer may choose to ignore the requested isCA value, just * like any other requested attribute. * + * * If true, this will automatically add the `cert sign` usage to the list * of requested `usages`. */ @@ -7056,6 +4626,7 @@ export declare namespace cert_manager { * More info: https://github.com/cert-manager/cert-manager/issues/3203 * More info: https://github.com/cert-manager/cert-manager/issues/4424 * + * * Cannot be set if the `subject` or `commonName` field is set. */ literalSubject?: pulumi.Input; 
@@ -7075,33 +4646,17 @@ export declare namespace cert_manager { * 50 minutes after it was issued (i.e. when there are 10 minutes remaining until * the certificate is no longer valid). * + * * NOTE: The actual lifetime of the issued certificate is used to determine the * renewal time. If an issuer returns a certificate with a different lifetime than * the one requested, cert-manager will use the lifetime of the issued certificate. * + * * If unset, this defaults to 1/3 of the issued certificate's lifetime. * Minimum accepted value is 5 minutes. * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. - * Cannot be set if the `renewBeforePercentage` field is set. */ renewBefore?: pulumi.Input; - /** - * `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage - * rather than an absolute duration. For example, if a certificate is valid for 60 - * minutes, and `renewBeforePercentage=25`, cert-manager will begin to attempt to - * renew the certificate 45 minutes after it was issued (i.e. when there are 15 - * minutes (25%) remaining until the certificate is no longer valid). - * - * NOTE: The actual lifetime of the issued certificate is used to determine the - * renewal time. If an issuer returns a certificate with a different lifetime than - * the one requested, cert-manager will use the lifetime of the issued certificate. - * - * Value must be an integer in the range (0,100). The minimum effective - * `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5 - * minutes. - * Cannot be set if the `renewBefore` field is set. - */ - renewBeforePercentage?: pulumi.Input; /** * The maximum number of CertificateRequest revisions that are maintained in * the Certificate's history. Each revision represents a single `CertificateRequest` 
@@ -7109,8 +4664,10 @@ export declare namespace cert_manager { * was changed. Revisions will be removed by oldest first if the number of * revisions exceeds this number. * + * * If set, revisionHistoryLimit must be a value of `1` or greater. - * Default value is `1`. + * If unset (`nil`), revisions will not be garbage collected. + * Default value is `nil`. */ revisionHistoryLimit?: pulumi.Input; /** @@ -7121,13 +4678,6 @@ export declare namespace cert_manager { */ secretName?: pulumi.Input; secretTemplate?: pulumi.Input; - /** - * Signature algorithm to use. - * Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA. - * Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512. - * Allowed values for Ed25519 keys: PureEd25519. - */ - signatureAlgorithm?: pulumi.Input; subject?: pulumi.Input; /** * Requested URI subject alternative names. @@ -7139,6 +4689,7 @@ export declare namespace cert_manager { * resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages * will additionally be encoded in the `request` field which contains the CSR blob. * + * * If unset, defaults to `digital signature` and `key encipherment`. */ usages?: pulumi.Input[]>; @@ -7152,6 +4703,7 @@ export declare namespace cert_manager { * Algorithm is the private key algorithm of the corresponding private key * for this certificate. * + * * If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. * If `algorithm` is specified and `size` is not provided, * key size of 2048 will be used for `RSA` key algorithm and @@ -7163,6 +4715,7 @@ export declare namespace cert_manager { * The private key cryptography standards (PKCS) encoding for this * certificate's private key to be encoded in. * + * * If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 * and PKCS#8, respectively. * Defaults to `PKCS1` if not specified. 
@@ -7172,22 +4725,20 @@ export declare namespace cert_manager { * RotationPolicy controls how private keys should be regenerated when a * re-issuance is being processed. * + * * If set to `Never`, a private key will only be generated if one does not - * already exist in the target `spec.secretName`. If one does exist but it + * already exist in the target `spec.secretName`. If one does exists but it * does not have the correct algorithm or size, a warning will be raised * to await user intervention. * If set to `Always`, a private key matching the specified requirements * will be generated whenever a re-issuance occurs. - * Default is `Always`. - * The default was changed from `Never` to `Always` in cert-manager >=v1.18.0. - * The new default can be disabled by setting the - * `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on - * the controller component. + * Default is `Never` for backward compatibility. */ rotationPolicy?: pulumi.Input; /** * Size is the key bit size of the corresponding private key for this certificate. * + * * If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, * and will default to `2048` if not specified. * If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, @@ -7206,6 +4757,7 @@ export declare namespace cert_manager { * Algorithm is the private key algorithm of the corresponding private key * for this certificate. * + * * If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. * If `algorithm` is specified and `size` is not provided, * key size of 2048 will be used for `RSA` key algorithm and @@ -7217,6 +4769,7 @@ export declare namespace cert_manager { * The private key cryptography standards (PKCS) encoding for this * certificate's private key to be encoded in. * + * * If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 * and PKCS#8, respectively. * Defaults to `PKCS1` if not specified. 
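Review bot: The regenerated `rotationPolicy` comment in the `@@ -7172,22 +4725,20 @@` hunk now says the default is `Never` "for backward compatibility", replacing text that described `Always` as the default from cert-manager v1.18.0 onward. A caller who omits the field may therefore keep reusing one private key across renewals, or be misled about the cluster's real behaviour if it runs a newer cert-manager. Together with the `signatureAlgorithm` and `renewBeforePercentage` members removed in earlier hunks, this suggests the declarations were generated from an older CRD than before; that is inferred from the comment text alone and should be checked against the deployed cert-manager version. Because the file is generated, the fix belongs in the CRD input rather than here, and consumers that need a fresh key on every re-issuance should set `rotationPolicy: "Always"` explicitly. The same comment change appears in the `@@ -7226,22 +4779,20 @@` hunk, and the enclosing interface starts and ends outside both hunks.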
@@ -7226,22 +4779,20 @@ export declare namespace cert_manager { * RotationPolicy controls how private keys should be regenerated when a * re-issuance is being processed. * + * * If set to `Never`, a private key will only be generated if one does not - * already exist in the target `spec.secretName`. If one does exist but it + * already exist in the target `spec.secretName`. If one does exists but it * does not have the correct algorithm or size, a warning will be raised * to await user intervention. * If set to `Always`, a private key matching the specified requirements * will be generated whenever a re-issuance occurs. - * Default is `Always`. - * The default was changed from `Never` to `Always` in cert-manager >=v1.18.0. - * The new default can be disabled by setting the - * `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on - * the controller component. + * Default is `Never` for backward compatibility. */ rotationPolicy?: pulumi.Input; /** * Size is the key bit size of the corresponding private key for this certificate. * + * * If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, * and will default to `2048` if not specified. * If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, @@ -7297,6 +4848,7 @@ export declare namespace cert_manager { * Requested set of X509 certificate subject attributes. * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 * + * * The common name attribute is specified separately in the `commonName` field. * Cannot be set if the `literalSubject` field is set. */ @@ -7338,6 +4890,7 @@ export declare namespace cert_manager { * Requested set of X509 certificate subject attributes. * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 * + * * The common name attribute is specified separately in the `commonName` field. * Cannot be set if the `literalSubject` field is set. */ 
@@ -7396,7 +4949,7 @@ export declare namespace cert_manager { */ failedIssuanceAttempts?: pulumi.Input; /** - * LastFailureTime is set only if the latest issuance for this + * LastFailureTime is set only if the lastest issuance for this * Certificate failed and contains the time of the failure. If an * issuance has failed, the delay till the next issuance will be * calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - @@ -7431,13 +4984,16 @@ export declare namespace cert_manager { /** * The current 'revision' of the certificate as issued. * + * * When a CertificateRequest resource is created, it will have the * `cert-manager.io/certificate-revision` set to one greater than the * current value of this field. * + * * Upon issuance, this field will be set to the value of the annotation * on the CertificateRequest resource used to issue the certificate. * + * * Persisting the value on the CertificateRequest resource allows the * certificates controller to know whether a request is part of an old * issuance or if it is part of the ongoing revision's issuance by @@ -7447,7 +5003,7 @@ export declare namespace cert_manager { revision?: pulumi.Input; } /** - * CertificateCondition contains condition information for a Certificate. + * CertificateCondition contains condition information for an Certificate. */ interface CertificateStatusConditions { /** @@ -7559,7 +5115,7 @@ export declare namespace cert_manager { * PreferredChain is the chain to use if the ACME server outputs multiple. * PreferredChain is no guarantee that this one gets delivered by the ACME * endpoint. - * For example, for Let's Encrypt's DST cross-sign you would use: + * For example, for Let's Encrypt's DST crosssign you would use: * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. * This value picks the first certificate bundle in the combined set of * ACME default and alternative chains that has a root-most certificate with 
@@ -7567,11 +5123,6 @@ export declare namespace cert_manager { */ preferredChain?: pulumi.Input; privateKeySecretRef?: pulumi.Input; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile?: pulumi.Input; /** * Server is the URL used to access the ACME server's 'directory' endpoint. * For example, for Let's Encrypt's staging endpoint, you would use: @@ -7726,7 +5277,7 @@ export declare namespace cert_manager { * PreferredChain is the chain to use if the ACME server outputs multiple. * PreferredChain is no guarantee that this one gets delivered by the ACME * endpoint. - * For example, for Let's Encrypt's DST cross-sign you would use: + * For example, for Let's Encrypt's DST crosssign you would use: * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. * This value picks the first certificate bundle in the combined set of * ACME default and alternative chains that has a root-most certificate with @@ -7734,11 +5285,6 @@ export declare namespace cert_manager { */ preferredChain?: pulumi.Input; privateKeySecretRef?: pulumi.Input; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile?: pulumi.Input; /** * Server is the URL used to access the ACME server's 'directory' endpoint. * For example, for Let's Encrypt's staging endpoint, you would use: 
@@ -8085,18 +5631,14 @@ export declare namespace cert_manager { */ interface ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentity { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID?: pulumi.Input; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID?: pulumi.Input; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID?: pulumi.Input; } /** * Auth: Azure Workload Identity or Azure Managed Service Identity: @@ -8105,18 +5647,14 @@ export declare namespace cert_manager { */ interface ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID?: pulumi.Input; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID?: pulumi.Input; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID?: pulumi.Input; } /** * Use the Microsoft Azure DNS API to manage DNS01 challenge records. 
@@ -8381,10 +5919,6 @@ export declare namespace cert_manager { * This field is required. */ nameserver?: pulumi.Input; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol?: pulumi.Input; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. @@ -8411,10 +5945,6 @@ export declare namespace cert_manager { * This field is required. */ nameserver?: pulumi.Input; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol?: pulumi.Input; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -8478,32 +6008,11 @@ export declare namespace cert_manager { accessKeyIDSecretRef?: pulumi.Input; auth?: pulumi.Input; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID?: pulumi.Input; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. 
+ * Always set the region when using AccessKeyID and SecretAccessKey */ region?: pulumi.Input; /** 
@@ -8632,32 +6141,11 @@ export declare namespace cert_manager { accessKeyIDSecretRef?: pulumi.Input; auth?: pulumi.Input; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID?: pulumi.Input; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. 
+ * Always set the region when using AccessKeyID and SecretAccessKey */ region?: pulumi.Input; /** @@ -8715,7 +6203,7 @@ export declare namespace cert_manager { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -8733,7 +6221,7 @@ export declare namespace cert_manager { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName?: pulumi.Input; } @@ -8747,7 +6235,7 @@ export declare namespace cert_manager { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -8765,7 +6253,7 @@ export declare namespace cert_manager { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName?: pulumi.Input; } 
@@ -8773,7 +6261,7 @@ export declare namespace cert_manager { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ interface ClusterIssuerSpecAcmeSolversHttp01 { gatewayHTTPRoute?: pulumi.Input; @@ -8800,7 +6288,6 @@ export declare namespace cert_manager { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs?: pulumi.Input[]>; - podTemplate?: pulumi.Input; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. @@ -8812,12 +6299,15 @@ export declare namespace cert_manager { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -8828,23 +6318,28 @@ export declare namespace cert_manager { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -8852,17 +6347,20 @@ export declare namespace cert_manager { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -8870,6 +6368,7 @@ export declare namespace cert_manager { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -8877,6 +6376,7 @@ export declare namespace cert_manager { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -8885,16 +6385,19 @@ export declare namespace cert_manager { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -8903,6 +6406,7 @@ export declare namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -8910,6 +6414,7 @@ export declare namespace cert_manager { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -8917,10 +6422,12 @@ export declare namespace cert_manager { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -8930,6 +6437,7 @@ export declare namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -8939,12 +6447,15 @@ export declare namespace cert_manager { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -8955,23 +6466,28 @@ export declare namespace cert_manager { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -8979,17 +6495,20 @@ export declare namespace cert_manager { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -8997,6 +6516,7 @@ export declare namespace cert_manager { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -9004,6 +6524,7 @@ export declare namespace cert_manager { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -9012,16 +6533,19 @@ export declare namespace cert_manager { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -9030,6 +6554,7 @@ export declare namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -9037,6 +6562,7 @@ export declare namespace cert_manager { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -9044,10 +6570,12 @@ export declare namespace cert_manager { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -9057,6 +6585,7 @@ export declare namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; 
@@ -9082,2083 +6611,12 @@ export declare namespace cert_manager { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs?: pulumi.Input[]>; - podTemplate?: pulumi.Input; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. */ serviceType?: pulumi.Input; } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate { - metadata?: pulumi.Input; - spec?: pulumi.Input; - } - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. 
- */ - labels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch { - metadata?: pulumi.Input; - spec?: pulumi.Input; - } - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec { - affinity?: pulumi.Input; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets?: pulumi.Input[]>; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; - /** - * If specified, the pod's service account - */ - serviceAccountName?: pulumi.Input; - /** - * If specified, the pod's tolerations. - */ - tolerations?: pulumi.Input[]>; - } - /** - * If specified, the pod's scheduling constraints - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity { - nodeAffinity?: pulumi.Input; - podAffinity?: pulumi.Input; - podAntiAffinity?: pulumi.Input; - } - /** - * Describes node affinity scheduling rules for the pod. 
- */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input; - } - /** - * Describes node affinity scheduling rules for the pod. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input; - } - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). 
A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution { - preference?: pulumi.Input; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight?: pulumi.Input; - } - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - preference?: pulumi.Input; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight?: pulumi.Input; - } - /** - * A node selector term, associated with the corresponding weight. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A node selector term, associated with the corresponding weight. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. 
due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution { - /** - * Required. A list of node selector terms. The terms are ORed. - */ - nodeSelectorTerms?: pulumi.Input[]>; - } - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. 
- */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. 
- */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. 
- */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - /** - * Required. A list of node selector terms. The terms are ORed. - */ - nodeSelectorTerms?: pulumi.Input[]>; - } - /** - * If specified, the pod's scheduling constraints - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch { - nodeAffinity?: pulumi.Input; - podAffinity?: pulumi.Input; - podAntiAffinity?: pulumi.Input; - } - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. 
all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over the set of namespaces that the term applies to. 
- * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. 
- */ - topologyKey?: pulumi.Input; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. 
- */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. 
- * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over the set of namespaces that the term applies to. 
- * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. 
- */ - topologyKey?: pulumi.Input; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. 
- */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. 
- * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch { - affinity?: pulumi.Input; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets?: pulumi.Input[]>; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; - /** - * If specified, the pod's service account - */ - serviceAccountName?: pulumi.Input; - /** - * If specified, the pod's tolerations. - */ - tolerations?: pulumi.Input[]>; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. 
- * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. 
- * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * If specified, the pod's security context - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. 
- * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - /** - * If specified, the pod's security context - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. 
- * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. 
- * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. 
- */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. 
- * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type?: pulumi.Input; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type?: pulumi.Input; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations { - /** - * Effect indicates the taint effect to match. 
Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect?: pulumi.Input; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key?: pulumi.Input; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator?: pulumi.Input; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds?: pulumi.Input; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value?: pulumi.Input; - } - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect?: pulumi.Input; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key?: pulumi.Input; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. 
Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator?: pulumi.Input; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds?: pulumi.Input; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value?: pulumi.Input; - } /** * The ingress based HTTP01 challenge solver will solve challenges by * creating or modifying Ingress resources in order to route requests for @@ -11305,7 +6763,7 @@ export declare namespace cert_manager { */ interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations?: pulumi.Input<{ [key: string]: pulumi.Input; @@ -11325,7 +6783,7 @@ export declare namespace cert_manager { */ interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations?: pulumi.Input<{ [key: string]: pulumi.Input; @@ -11368,8 +6826,6 @@ export declare namespace cert_manager { * If specified, the pod's priorityClassName. */ priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; /** * If specified, the pod's service account */ 
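Review bot: The `@@ -11368,8 +6826,6 @@` hunk removes `resources?` and `securityContext?` from what appears to be the HTTP01 ingress solver pod-template spec type, and the `@@ -12958,8 +8434,6 @@` hunk does the same for a second interface. Programs using these typings can then no longer set `runAsNonRoot`, `seccompProfile` or resource limits on solver pods through the typed API. The doc-comment wording restored elsewhere in the diff (the `MatchLabelKeysInPodAffinity` alpha notes, "the create ACME HTTP01 solver pods") suggests the types were regenerated from an older cert-manager CRD schema than the previous run used. If that downgrade is not intended, regenerate from the CRD version actually installed in the cluster so the `securityContext` override stays available. Both enclosing interface declarations start outside their hunks, so the type names are inferred from the neighbouring sections.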
@@ -11809,6 +7265,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -11820,6 +7277,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -12019,6 +7477,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -12030,6 +7489,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; 
@@ -12068,6 +7528,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -12079,6 +7540,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -12283,6 +7745,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -12294,6 +7757,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; 
@@ -12324,8 +7788,8 @@ export declare namespace cert_manager { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; @@ -12351,8 +7815,8 @@ export declare namespace cert_manager { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; @@ -12403,6 +7867,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** 
@@ -12414,6 +7879,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -12613,6 +8079,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -12624,6 +8091,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -12662,6 +8130,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** 
@@ -12673,6 +8142,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -12877,6 +8347,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -12888,6 +8359,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -12917,7 +8389,9 @@ export declare namespace cert_manager { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: pulumi.Input; } 
@@ -12931,7 +8405,9 @@ export declare namespace cert_manager { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: pulumi.Input; } @@ -12958,8 +8434,6 @@ export declare namespace cert_manager { * If specified, the pod's priorityClassName. */ priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; /** * If specified, the pod's service account */ 
@@ -12969,326 +8443,6 @@ export declare namespace cert_manager { */ tolerations?: pulumi.Input[]>; } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. 
- */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * If specified, the pod's security context - */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - /** - * If specified, the pod's security context - */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - /** - * The SELinux context to be applied to all containers. 
- * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type?: pulumi.Input; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. 
- */ - type?: pulumi.Input; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } /** * The pod this Toleration is attached to tolerates any taint that matches * the triple using the matching operator . @@ -13363,7 +8517,7 @@ export declare namespace cert_manager { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ interface ClusterIssuerSpecAcmeSolversHttp01Patch { gatewayHTTPRoute?: pulumi.Input; @@ -13585,18 +8739,12 @@ export declare namespace cert_manager { * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". */ server?: pulumi.Input; - /** - * ServerName is used to verify the hostname on the returned certificates - * by the Vault server. - */ - serverName?: pulumi.Input; } /** * Auth configures how cert-manager authenticates with the Vault server. */ interface ClusterIssuerSpecVaultAuth { appRole?: pulumi.Input; - clientCertificate?: pulumi.Input; kubernetes?: pulumi.Input; tokenSecretRef?: pulumi.Input; } 
@@ -13672,56 +8820,6 @@ export declare namespace cert_manager { */ name?: pulumi.Input; } - /** - * ClientCertificate authenticates with Vault by presenting a client - * certificate during the request's TLS handshake. - * Works only when using HTTPS protocol. - */ - interface ClusterIssuerSpecVaultAuthClientCertificate { - /** - * The Vault mountPath here is the mount path to use when authenticating with - * Vault. For example, setting a value to `/v1/auth/foo`, will use the path - * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - * default value "/v1/auth/cert" will be used. - */ - mountPath?: pulumi.Input; - /** - * Name of the certificate role to authenticate against. - * If not set, matching any certificate role, if available. - */ - name?: pulumi.Input; - /** - * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - * tls.crt and tls.key) used to authenticate to Vault using TLS client - * authentication. - */ - secretName?: pulumi.Input; - } - /** - * ClientCertificate authenticates with Vault by presenting a client - * certificate during the request's TLS handshake. - * Works only when using HTTPS protocol. - */ - interface ClusterIssuerSpecVaultAuthClientCertificatePatch { - /** - * The Vault mountPath here is the mount path to use when authenticating with - * Vault. For example, setting a value to `/v1/auth/foo`, will use the path - * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - * default value "/v1/auth/cert" will be used. - */ - mountPath?: pulumi.Input; - /** - * Name of the certificate role to authenticate against. - * If not set, matching any certificate role, if available. - */ - name?: pulumi.Input; - /** - * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - * tls.crt and tls.key) used to authenticate to Vault using TLS client - * authentication. 
- */ - secretName?: pulumi.Input; - } /** * Kubernetes authenticates with Vault by passing the ServiceAccount * token stored in the named Secret resource to the Vault server. @@ -13839,7 +8937,6 @@ export declare namespace cert_manager { */ interface ClusterIssuerSpecVaultAuthPatch { appRole?: pulumi.Input; - clientCertificate?: pulumi.Input; kubernetes?: pulumi.Input; tokenSecretRef?: pulumi.Input; } @@ -14017,11 +9114,6 @@ export declare namespace cert_manager { * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". */ server?: pulumi.Input; - /** - * ServerName is used to verify the hostname on the returned certificates - * by the Vault server. - */ - serverName?: pulumi.Input; } /** * Venafi configures this issuer to sign certificates using a Venafi TPP @@ -14046,7 +9138,7 @@ export declare namespace cert_manager { apiTokenSecretRef?: pulumi.Input; /** * URL is the base URL for Venafi Cloud. - * Defaults to "https://api.venafi.cloud/". + * Defaults to "https://api.venafi.cloud/v1". */ url?: pulumi.Input; } @@ -14090,7 +9182,7 @@ export declare namespace cert_manager { apiTokenSecretRef?: pulumi.Input; /** * URL is the base URL for Venafi Cloud. - * Defaults to "https://api.venafi.cloud/". + * Defaults to "https://api.venafi.cloud/v1". */ url?: pulumi.Input; } @@ -14121,7 +9213,6 @@ export declare namespace cert_manager { * is used to validate the chain. */ caBundle?: pulumi.Input; - caBundleSecretRef?: pulumi.Input; credentialsRef?: pulumi.Input; /** * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, 
@@ -14130,49 +9221,9 @@ export declare namespace cert_manager { url?: pulumi.Input; } /** - * Reference to a Secret containing a base64-encoded bundle of PEM CAs - * which will be used to validate the certificate chain presented by the TPP server. - * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - * the cert-manager controller container is used to validate the TLS connection. - */ - interface ClusterIssuerSpecVenafiTppCaBundleSecretRef { - /** - * The key of the entry in the Secret resource's `data` field to be used. - * Some instances of this field may be defaulted, in others it may be - * required. - */ - key?: pulumi.Input; - /** - * Name of the resource being referred to. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - /** - * Reference to a Secret containing a base64-encoded bundle of PEM CAs - * which will be used to validate the certificate chain presented by the TPP server. - * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - * the cert-manager controller container is used to validate the TLS connection. - */ - interface ClusterIssuerSpecVenafiTppCaBundleSecretRefPatch { - /** - * The key of the entry in the Secret resource's `data` field to be used. - * Some instances of this field may be defaulted, in others it may be - * required. - */ - key?: pulumi.Input; - /** - * Name of the resource being referred to. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - /** - * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. 
- * The secret must contain the key 'access-token' for the Access Token Authentication, - * or two keys, 'username' and 'password' for the API Keys Authentication. + * CredentialsRef is a reference to a Secret containing the username and + * password for the TPP server. + * The secret must contain two keys, 'username' and 'password'. */ interface ClusterIssuerSpecVenafiTppCredentialsRef { /** @@ -14182,9 +9233,9 @@ export declare namespace cert_manager { name?: pulumi.Input; } /** - * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. - * The secret must contain the key 'access-token' for the Access Token Authentication, - * or two keys, 'username' and 'password' for the API Keys Authentication. + * CredentialsRef is a reference to a Secret containing the username and + * password for the TPP server. + * The secret must contain two keys, 'username' and 'password'. */ interface ClusterIssuerSpecVenafiTppCredentialsRefPatch { /** @@ -14205,7 +9256,6 @@ export declare namespace cert_manager { * is used to validate the chain. */ caBundle?: pulumi.Input; - caBundleSecretRef?: pulumi.Input; credentialsRef?: pulumi.Input; /** * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, @@ -14360,7 +9410,7 @@ export declare namespace cert_manager { * PreferredChain is the chain to use if the ACME server outputs multiple. * PreferredChain is no guarantee that this one gets delivered by the ACME * endpoint. - * For example, for Let's Encrypt's DST cross-sign you would use: + * For example, for Let's Encrypt's DST crosssign you would use: * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. * This value picks the first certificate bundle in the combined set of * ACME default and alternative chains that has a root-most certificate with 
@@ -14368,11 +9418,6 @@ export declare namespace cert_manager { */ preferredChain?: pulumi.Input; privateKeySecretRef?: pulumi.Input; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile?: pulumi.Input; /** * Server is the URL used to access the ACME server's 'directory' endpoint. * For example, for Let's Encrypt's staging endpoint, you would use: @@ -14527,7 +9572,7 @@ export declare namespace cert_manager { * PreferredChain is the chain to use if the ACME server outputs multiple. * PreferredChain is no guarantee that this one gets delivered by the ACME * endpoint. - * For example, for Let's Encrypt's DST cross-sign you would use: + * For example, for Let's Encrypt's DST crosssign you would use: * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. * This value picks the first certificate bundle in the combined set of * ACME default and alternative chains that has a root-most certificate with @@ -14535,11 +9580,6 @@ export declare namespace cert_manager { */ preferredChain?: pulumi.Input; privateKeySecretRef?: pulumi.Input; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile?: pulumi.Input; /** * Server is the URL used to access the ACME server's 'directory' endpoint. * For example, for Let's Encrypt's staging endpoint, you would use: 
@@ -14886,18 +9926,14 @@ export declare namespace cert_manager { */ interface IssuerSpecAcmeSolversDns01AzureDNSManagedIdentity { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID?: pulumi.Input; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID?: pulumi.Input; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID?: pulumi.Input; } /** * Auth: Azure Workload Identity or Azure Managed Service Identity: @@ -14906,18 +9942,14 @@ export declare namespace cert_manager { */ interface IssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID?: pulumi.Input; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID?: pulumi.Input; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID?: pulumi.Input; } /** * Use the Microsoft Azure DNS API to manage DNS01 challenge records. 
@@ -15182,10 +10214,6 @@ export declare namespace cert_manager { * This field is required. */ nameserver?: pulumi.Input; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol?: pulumi.Input; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. @@ -15212,10 +10240,6 @@ export declare namespace cert_manager { * This field is required. */ nameserver?: pulumi.Input; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol?: pulumi.Input; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -15279,32 +10303,11 @@ export declare namespace cert_manager { accessKeyIDSecretRef?: pulumi.Input; auth?: pulumi.Input; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID?: pulumi.Input; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. 
+ * Always set the region when using AccessKeyID and SecretAccessKey */ region?: pulumi.Input; /** 
@@ -15433,32 +10436,11 @@ export declare namespace cert_manager { accessKeyIDSecretRef?: pulumi.Input; auth?: pulumi.Input; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID?: pulumi.Input; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. 
+ * Always set the region when using AccessKeyID and SecretAccessKey */ region?: pulumi.Input; /** @@ -15516,7 +10498,7 @@ export declare namespace cert_manager { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -15534,7 +10516,7 @@ export declare namespace cert_manager { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName?: pulumi.Input; } @@ -15548,7 +10530,7 @@ export declare namespace cert_manager { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -15566,7 +10548,7 @@ export declare namespace cert_manager { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName?: pulumi.Input; } 
@@ -15574,7 +10556,7 @@ export declare namespace cert_manager { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ interface IssuerSpecAcmeSolversHttp01 { gatewayHTTPRoute?: pulumi.Input; @@ -15601,7 +10583,6 @@ export declare namespace cert_manager { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs?: pulumi.Input[]>; - podTemplate?: pulumi.Input; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. @@ -15613,12 +10594,15 @@ export declare namespace cert_manager { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -15629,23 +10613,28 @@ export declare namespace cert_manager { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -15653,17 +10642,20 @@ export declare namespace cert_manager { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -15671,6 +10663,7 @@ export declare namespace cert_manager { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -15678,6 +10671,7 @@ export declare namespace cert_manager { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -15686,16 +10680,19 @@ export declare namespace cert_manager { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -15704,6 +10701,7 @@ export declare namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -15711,6 +10709,7 @@ export declare namespace cert_manager { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -15718,10 +10717,12 @@ export declare namespace cert_manager { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -15731,6 +10732,7 @@ export declare namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -15740,12 +10742,15 @@ export declare namespace cert_manager { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -15756,23 +10761,28 @@ export declare namespace cert_manager { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -15780,17 +10790,20 @@ export declare namespace cert_manager { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -15798,6 +10811,7 @@ export declare namespace cert_manager { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -15805,6 +10819,7 @@ export declare namespace cert_manager { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -15813,16 +10828,19 @@ export declare namespace cert_manager { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -15831,6 +10849,7 @@ export declare namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -15838,6 +10857,7 @@ export declare namespace cert_manager { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -15845,10 +10865,12 @@ export declare namespace cert_manager { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -15858,6 +10880,7 @@ export declare namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; 
@@ -15883,2083 +10906,12 @@ export declare namespace cert_manager { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs?: pulumi.Input[]>; - podTemplate?: pulumi.Input; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. */ serviceType?: pulumi.Input; } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate { - metadata?: pulumi.Input; - spec?: pulumi.Input; - } - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. 
- */ - labels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch { - metadata?: pulumi.Input; - spec?: pulumi.Input; - } - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec { - affinity?: pulumi.Input; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets?: pulumi.Input[]>; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; - /** - * If specified, the pod's service account - */ - serviceAccountName?: pulumi.Input; - /** - * If specified, the pod's tolerations. - */ - tolerations?: pulumi.Input[]>; - } - /** - * If specified, the pod's scheduling constraints - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity { - nodeAffinity?: pulumi.Input; - podAffinity?: pulumi.Input; - podAntiAffinity?: pulumi.Input; - } - /** - * Describes node affinity scheduling rules for the pod. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. 
The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input; - } - /** - * Describes node affinity scheduling rules for the pod. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input; - } - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
- */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution { - preference?: pulumi.Input; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight?: pulumi.Input; - } - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - preference?: pulumi.Input; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight?: pulumi.Input; - } - /** - * A node selector term, associated with the corresponding weight. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A node selector term, associated with the corresponding weight. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. 
- */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution { - /** - * Required. A list of node selector terms. The terms are ORed. - */ - nodeSelectorTerms?: pulumi.Input[]>; - } - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. 
- */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. 
- */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - /** - * Required. A list of node selector terms. The terms are ORed. 
- */ - nodeSelectorTerms?: pulumi.Input[]>; - } - /** - * If specified, the pod's scheduling constraints - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch { - nodeAffinity?: pulumi.Input; - podAffinity?: pulumi.Input; - podAntiAffinity?: pulumi.Input; - } - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
- */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. 
- */ - weight?: pulumi.Input; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. 
- * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. 
- */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. 
The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. 
- * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. 
The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. 
- * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - /** - * Required. 
A pod affinity term, associated with the corresponding weight. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label query over the set of namespaces that the term applies to. 
- * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. 
- */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. 
- */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. 
- */ - values?: pulumi.Input[]>; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. 
- */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. 
- */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. 
- * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch { - affinity?: pulumi.Input; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets?: pulumi.Input[]>; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; - /** - * If specified, the pod's service account - */ - serviceAccountName?: pulumi.Input; - /** - * If specified, the pod's tolerations. - */ - tolerations?: pulumi.Input[]>; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. 
- * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. 
- * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * If specified, the pod's security context - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. 
If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. 
- * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - /** - * If specified, the pod's security context - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. 
- * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. 
- * Note that this field cannot be set when spec.os.name is windows. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. 
- * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type?: pulumi.Input; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. 
- */ - type?: pulumi.Input; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect?: pulumi.Input; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key?: pulumi.Input; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator?: pulumi.Input; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds?: pulumi.Input; - /** - * Value is the taint value the toleration matches to. 
- * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value?: pulumi.Input; - } - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect?: pulumi.Input; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key?: pulumi.Input; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator?: pulumi.Input; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds?: pulumi.Input; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value?: pulumi.Input; - } /** * The ingress based HTTP01 challenge solver will solve challenges by * creating or modifying Ingress resources in order to route requests for 
@@ -18106,7 +11058,7 @@ export declare namespace cert_manager { */ interface IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations?: pulumi.Input<{ [key: string]: pulumi.Input; @@ -18126,7 +11078,7 @@ export declare namespace cert_manager { */ interface IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations?: pulumi.Input<{ [key: string]: pulumi.Input; @@ -18169,8 +11121,6 @@ export declare namespace cert_manager { * If specified, the pod's priorityClassName. */ priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; /** * If specified, the pod's service account */ @@ -18610,6 +11560,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -18621,6 +11572,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; 
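Review bot: The new side drops `resources?: pulumi.Input;` and `securityContext?: pulumi.Input;` from the HTTP01 ingress solver pod-template spec in the hunk at `@@ -18169,8 +11121,6 @@`, and again at `@@ -19759,8 +12729,6 @@`. The hunk at `@@ -19770,326 +12738,6 @@` deletes the supporting SecurityContext, SeccompProfile, SeLinuxOptions and Sysctls interfaces. A program can then no longer set `runAsNonRoot` or a `seccompProfile` on solver pods through these bindings, and existing code that sets them will stop type-checking. The reverted doc text on the new side ("the create ACME HTTP01 solver pods", the re-added alpha feature-gate sentences) suggests the types were regenerated from an older CRD set. If that is not intended, regenerate from the CRDs that match the deployed cert-manager so both fields are kept; otherwise record the removal as a breaking change in the release notes. The enclosing interface starts and ends outside the hunk.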
@@ -18820,6 +11772,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -18831,6 +11784,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -18869,6 +11823,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -18880,6 +11835,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; 
@@ -19084,6 +12040,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -19095,6 +12052,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -19125,8 +12083,8 @@ export declare namespace cert_manager { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; 
@@ -19152,8 +12110,8 @@ export declare namespace cert_manager { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; @@ -19204,6 +12162,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -19215,6 +12174,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -19414,6 +12374,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** 
@@ -19425,6 +12386,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -19463,6 +12425,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -19474,6 +12437,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -19678,6 +12642,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** 
@@ -19689,6 +12654,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -19718,7 +12684,9 @@ export declare namespace cert_manager { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: pulumi.Input; } @@ -19732,7 +12700,9 @@ export declare namespace cert_manager { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: pulumi.Input; } @@ -19759,8 +12729,6 @@ export declare namespace cert_manager { * If specified, the pod's priorityClassName. */ priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; /** * If specified, the pod's service account */ 
@@ -19770,326 +12738,6 @@ export declare namespace cert_manager { */ tolerations?: pulumi.Input[]>; } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. 
- */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * If specified, the pod's security context - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - /** - * If specified, the pod's security context - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. 
- * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. 
If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. 
- * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type?: pulumi.Input; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. 
- */ - type?: pulumi.Input; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } /** * The pod this Toleration is attached to tolerates any taint that matches * the triple using the matching operator . @@ -20164,7 +12812,7 @@ export declare namespace cert_manager { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ interface IssuerSpecAcmeSolversHttp01Patch { gatewayHTTPRoute?: pulumi.Input; @@ -20386,18 +13034,12 @@ export declare namespace cert_manager { * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". */ server?: pulumi.Input; - /** - * ServerName is used to verify the hostname on the returned certificates - * by the Vault server. - */ - serverName?: pulumi.Input; } /** * Auth configures how cert-manager authenticates with the Vault server. */ interface IssuerSpecVaultAuth { appRole?: pulumi.Input; - clientCertificate?: pulumi.Input; kubernetes?: pulumi.Input; tokenSecretRef?: pulumi.Input; } 
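Review bot: The hunk at `@@ -20386,18 +13034,12 @@` removes `serverName?: pulumi.Input;` from the Vault issuer spec and `clientCertificate?: pulumi.Input;` from `IssuerSpecVaultAuth`. That takes away the typed way to state the hostname checked against the Vault server's certificate and the TLS client-certificate auth method. The Patch variants lose the same fields at `@@ -20640,7 +13232,6 @@` and `@@ -20818,11 +13409,6 @@`. The Venafi TPP types lose `caBundleSecretRef?: pulumi.Input;` at `@@ -20922,7 +13508,6 @@`, and their CredentialsRef doc no longer mentions the 'access-token' key. Callers relying on any of these will fail to compile, so confirm the CRD version used for generation matches the cluster before publishing, and list the removed fields in the release notes if the downgrade is deliberate. The enclosing interfaces start outside the hunk.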
@@ -20473,56 +13115,6 @@ export declare namespace cert_manager { */ name?: pulumi.Input; } - /** - * ClientCertificate authenticates with Vault by presenting a client - * certificate during the request's TLS handshake. - * Works only when using HTTPS protocol. - */ - interface IssuerSpecVaultAuthClientCertificate { - /** - * The Vault mountPath here is the mount path to use when authenticating with - * Vault. For example, setting a value to `/v1/auth/foo`, will use the path - * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - * default value "/v1/auth/cert" will be used. - */ - mountPath?: pulumi.Input; - /** - * Name of the certificate role to authenticate against. - * If not set, matching any certificate role, if available. - */ - name?: pulumi.Input; - /** - * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - * tls.crt and tls.key) used to authenticate to Vault using TLS client - * authentication. - */ - secretName?: pulumi.Input; - } - /** - * ClientCertificate authenticates with Vault by presenting a client - * certificate during the request's TLS handshake. - * Works only when using HTTPS protocol. - */ - interface IssuerSpecVaultAuthClientCertificatePatch { - /** - * The Vault mountPath here is the mount path to use when authenticating with - * Vault. For example, setting a value to `/v1/auth/foo`, will use the path - * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - * default value "/v1/auth/cert" will be used. - */ - mountPath?: pulumi.Input; - /** - * Name of the certificate role to authenticate against. - * If not set, matching any certificate role, if available. - */ - name?: pulumi.Input; - /** - * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - * tls.crt and tls.key) used to authenticate to Vault using TLS client - * authentication. 
- */ - secretName?: pulumi.Input; - } /** * Kubernetes authenticates with Vault by passing the ServiceAccount * token stored in the named Secret resource to the Vault server. @@ -20640,7 +13232,6 @@ export declare namespace cert_manager { */ interface IssuerSpecVaultAuthPatch { appRole?: pulumi.Input; - clientCertificate?: pulumi.Input; kubernetes?: pulumi.Input; tokenSecretRef?: pulumi.Input; } @@ -20818,11 +13409,6 @@ export declare namespace cert_manager { * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". */ server?: pulumi.Input; - /** - * ServerName is used to verify the hostname on the returned certificates - * by the Vault server. - */ - serverName?: pulumi.Input; } /** * Venafi configures this issuer to sign certificates using a Venafi TPP @@ -20847,7 +13433,7 @@ export declare namespace cert_manager { apiTokenSecretRef?: pulumi.Input; /** * URL is the base URL for Venafi Cloud. - * Defaults to "https://api.venafi.cloud/". + * Defaults to "https://api.venafi.cloud/v1". */ url?: pulumi.Input; } @@ -20891,7 +13477,7 @@ export declare namespace cert_manager { apiTokenSecretRef?: pulumi.Input; /** * URL is the base URL for Venafi Cloud. - * Defaults to "https://api.venafi.cloud/". + * Defaults to "https://api.venafi.cloud/v1". */ url?: pulumi.Input; } @@ -20922,7 +13508,6 @@ export declare namespace cert_manager { * is used to validate the chain. */ caBundle?: pulumi.Input; - caBundleSecretRef?: pulumi.Input; credentialsRef?: pulumi.Input; /** * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, 
@@ -20931,49 +13516,9 @@ export declare namespace cert_manager { url?: pulumi.Input; } /** - * Reference to a Secret containing a base64-encoded bundle of PEM CAs - * which will be used to validate the certificate chain presented by the TPP server. - * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - * the cert-manager controller container is used to validate the TLS connection. - */ - interface IssuerSpecVenafiTppCaBundleSecretRef { - /** - * The key of the entry in the Secret resource's `data` field to be used. - * Some instances of this field may be defaulted, in others it may be - * required. - */ - key?: pulumi.Input; - /** - * Name of the resource being referred to. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - /** - * Reference to a Secret containing a base64-encoded bundle of PEM CAs - * which will be used to validate the certificate chain presented by the TPP server. - * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - * the cert-manager controller container is used to validate the TLS connection. - */ - interface IssuerSpecVenafiTppCaBundleSecretRefPatch { - /** - * The key of the entry in the Secret resource's `data` field to be used. - * Some instances of this field may be defaulted, in others it may be - * required. - */ - key?: pulumi.Input; - /** - * Name of the resource being referred to. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - /** - * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. 
- * The secret must contain the key 'access-token' for the Access Token Authentication, - * or two keys, 'username' and 'password' for the API Keys Authentication. + * CredentialsRef is a reference to a Secret containing the username and + * password for the TPP server. + * The secret must contain two keys, 'username' and 'password'. */ interface IssuerSpecVenafiTppCredentialsRef { /** @@ -20983,9 +13528,9 @@ export declare namespace cert_manager { name?: pulumi.Input; } /** - * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. - * The secret must contain the key 'access-token' for the Access Token Authentication, - * or two keys, 'username' and 'password' for the API Keys Authentication. + * CredentialsRef is a reference to a Secret containing the username and + * password for the TPP server. + * The secret must contain two keys, 'username' and 'password'. */ interface IssuerSpecVenafiTppCredentialsRefPatch { /** @@ -21006,7 +13551,6 @@ export declare namespace cert_manager { * is used to validate the chain. */ caBundle?: pulumi.Input; - caBundleSecretRef?: pulumi.Input; credentialsRef?: pulumi.Input; /** * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, 
@@ -21089,760 +13633,20 @@ export declare namespace cert_manager { } export declare namespace gateway { namespace v1 { - /** - * BackendTLSPolicy provides a way to configure how a Gateway - * connects to a Backend via TLS. - */ - interface BackendTLSPolicy { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind?: pulumi.Input<"BackendTLSPolicy">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata?: pulumi.Input; - spec?: pulumi.Input; - status?: pulumi.Input; - } - /** - * Spec defines the desired state of BackendTLSPolicy. - */ - interface BackendTLSPolicySpec { - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * TargetRefs identifies an API object to apply the policy to. 
- * Only Services have Extended support. Implementations MAY support - * additional objects, with Implementation Specific support. - * Note that this config applies to the entire referenced resource - * by default, but this default may change in the future to provide - * a more granular application of the policy. - * - * TargetRefs must be _distinct_. This means either that: - * - * * They select different targets. If this is the case, then targetRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, and `name` must - * be unique across all targetRef entries in the BackendTLSPolicy. - * * They select different sectionNames in the same target. - * - * When more than one BackendTLSPolicy selects the same target and - * sectionName, implementations MUST determine precedence using the - * following criteria, continuing on ties: - * - * * The older policy by creation timestamp takes precedence. For - * example, a policy with a creation timestamp of "2021-07-15 - * 01:02:03" MUST be given precedence over a policy with a - * creation timestamp of "2021-07-15 01:02:04". - * * The policy appearing first in alphabetical order by {name}. - * For example, a policy named `bar` is given precedence over a - * policy named `baz`. - * - * For any BackendTLSPolicy that does not take precedence, the - * implementation MUST ensure the `Accepted` Condition is set to - * `status: False`, with Reason `Conflicted`. - * - * Support: Extended for Kubernetes Service - * - * Support: Implementation-specific for any other resource - */ - targetRefs?: pulumi.Input[]>; - validation?: pulumi.Input; - } - /** - * Spec defines the desired state of BackendTLSPolicy. - */ - interface BackendTLSPolicySpecPatch { - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. 
- * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - /** - * TargetRefs identifies an API object to apply the policy to. - * Only Services have Extended support. Implementations MAY support - * additional objects, with Implementation Specific support. - * Note that this config applies to the entire referenced resource - * by default, but this default may change in the future to provide - * a more granular application of the policy. - * - * TargetRefs must be _distinct_. This means either that: - * - * * They select different targets. If this is the case, then targetRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, and `name` must - * be unique across all targetRef entries in the BackendTLSPolicy. - * * They select different sectionNames in the same target. - * - * When more than one BackendTLSPolicy selects the same target and - * sectionName, implementations MUST determine precedence using the - * following criteria, continuing on ties: - * - * * The older policy by creation timestamp takes precedence. For - * example, a policy with a creation timestamp of "2021-07-15 - * 01:02:03" MUST be given precedence over a policy with a - * creation timestamp of "2021-07-15 01:02:04". - * * The policy appearing first in alphabetical order by {name}. - * For example, a policy named `bar` is given precedence over a - * policy named `baz`. - * - * For any BackendTLSPolicy that does not take precedence, the - * implementation MUST ensure the `Accepted` Condition is set to - * `status: False`, with Reason `Conflicted`. 
- * - * Support: Extended for Kubernetes Service - * - * Support: Implementation-specific for any other resource - */ - targetRefs?: pulumi.Input[]>; - validation?: pulumi.Input; - } - /** - * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a - * direct policy to. This should be used as part of Policy resources that can - * target single resources. For more information on how this policy attachment - * mode works, and a sample Policy resource, refer to the policy attachment - * documentation for Gateway API. - * - * Note: This should only be used for direct policy attachment when references - * to SectionName are actually needed. In all other cases, - * LocalPolicyTargetReference should be used. - */ - interface BackendTLSPolicySpecTargetRefs { - /** - * Group is the group of the target resource. - */ - group?: pulumi.Input; - /** - * Kind is kind of the target resource. - */ - kind?: pulumi.Input; - /** - * Name is the name of the target resource. - */ - name?: pulumi.Input; - /** - * SectionName is the name of a section within the target resource. When - * unspecified, this targetRef targets the entire resource. In the following - * resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name - * * HTTPRoute: HTTPRouteRule name - * * Service: Port name - * - * If a SectionName is specified, but does not exist on the targeted object, - * the Policy must fail to attach, and the policy implementation should record - * a `ResolvedRefs` or similar Condition in the Policy's status. - */ - sectionName?: pulumi.Input; - } - /** - * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a - * direct policy to. This should be used as part of Policy resources that can - * target single resources. For more information on how this policy attachment - * mode works, and a sample Policy resource, refer to the policy attachment - * documentation for Gateway API. 
- * - * Note: This should only be used for direct policy attachment when references - * to SectionName are actually needed. In all other cases, - * LocalPolicyTargetReference should be used. - */ - interface BackendTLSPolicySpecTargetRefsPatch { - /** - * Group is the group of the target resource. - */ - group?: pulumi.Input; - /** - * Kind is kind of the target resource. - */ - kind?: pulumi.Input; - /** - * Name is the name of the target resource. - */ - name?: pulumi.Input; - /** - * SectionName is the name of a section within the target resource. When - * unspecified, this targetRef targets the entire resource. In the following - * resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name - * * HTTPRoute: HTTPRouteRule name - * * Service: Port name - * - * If a SectionName is specified, but does not exist on the targeted object, - * the Policy must fail to attach, and the policy implementation should record - * a `ResolvedRefs` or similar Condition in the Policy's status. - */ - sectionName?: pulumi.Input; - } - /** - * Validation contains backend TLS validation configuration. - */ - interface BackendTLSPolicySpecValidation { - /** - * CACertificateRefs contains one or more references to Kubernetes objects that - * contain a PEM-encoded TLS CA certificate bundle, which is used to - * validate a TLS handshake between the Gateway and backend Pod. - * - * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be - * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - * not both. If CACertificateRefs is empty or unspecified, the configuration for - * WellKnownCACertificates MUST be honored instead if supported by the implementation. - * - * A CACertificateRef is invalid if: - * - * * It refers to a resource that cannot be resolved (e.g., the referenced resource - * does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - * named `ca.crt`). 
In this case, the Reason must be set to `InvalidCACertificateRef` - * and the Message of the Condition must indicate which reference is invalid and why. - * - * * It refers to an unknown or unsupported kind of resource. In this case, the Reason - * must be set to `InvalidKind` and the Message of the Condition must explain which - * kind of resource is unknown or unsupported. - * - * * It refers to a resource in another namespace. This may change in future - * spec updates. - * - * Implementations MAY choose to perform further validation of the certificate - * content (e.g., checking expiry or enforcing specific formats). In such cases, - * an implementation-specific Reason and Message must be set for the invalid reference. - * - * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - * the BackendTLSPolicy is set to `status: False`, with a Reason and Message - * that indicate the cause of the error. Connections using an invalid - * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - * response. If ALL CACertificateRefs are invalid, the implementation MUST also - * ensure the `Accepted` Condition on the BackendTLSPolicy is set to - * `status: False`, with a Reason `NoValidCACertificate`. - * - * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. - * Implementations MAY choose to support attaching multiple certificates to - * a backend, but this behavior is implementation-specific. - * - * Support: Core - An optional single reference to a Kubernetes ConfigMap, - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific - More than one reference, other kinds - * of resources, or a single reference that includes multiple certificates. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * Hostname is used for two purposes in the connection between Gateways and - * backends: - * - * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). - * 2. 
Hostname MUST be used for authentication and MUST match the certificate - * served by the matching backend, unless SubjectAltNames is specified. - * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - * but MUST NOT be used for authentication. If you want to use the value - * of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. - * - * Support: Core - */ - hostname?: pulumi.Input; - /** - * SubjectAltNames contains one or more Subject Alternative Names. - * When specified the certificate served from the backend MUST - * have at least one Subject Alternate Name matching one of the specified SubjectAltNames. - * - * Support: Extended - */ - subjectAltNames?: pulumi.Input[]>; - /** - * WellKnownCACertificates specifies whether system CA certificates may be used in - * the TLS handshake between the gateway and backend pod. - * - * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs - * must be specified with at least one entry for a valid configuration. Only one of - * CACertificateRefs or WellKnownCACertificates may be specified, not both. - * If an implementation does not support the WellKnownCACertificates field, or - * the supplied value is not recognized, the implementation MUST ensure the - * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - * a Reason `Invalid`. - * - * Support: Implementation-specific - */ - wellKnownCACertificates?: pulumi.Input; - } - /** - * LocalObjectReference identifies an API object within the namespace of the - * referrer. - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. 
- */ - interface BackendTLSPolicySpecValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "HTTPRoute" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - } - /** - * LocalObjectReference identifies an API object within the namespace of the - * referrer. - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface BackendTLSPolicySpecValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "HTTPRoute" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - } - /** - * Validation contains backend TLS validation configuration. - */ - interface BackendTLSPolicySpecValidationPatch { - /** - * CACertificateRefs contains one or more references to Kubernetes objects that - * contain a PEM-encoded TLS CA certificate bundle, which is used to - * validate a TLS handshake between the Gateway and backend Pod. - * - * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be - * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - * not both. If CACertificateRefs is empty or unspecified, the configuration for - * WellKnownCACertificates MUST be honored instead if supported by the implementation. 
- * - * A CACertificateRef is invalid if: - * - * * It refers to a resource that cannot be resolved (e.g., the referenced resource - * does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - * named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` - * and the Message of the Condition must indicate which reference is invalid and why. - * - * * It refers to an unknown or unsupported kind of resource. In this case, the Reason - * must be set to `InvalidKind` and the Message of the Condition must explain which - * kind of resource is unknown or unsupported. - * - * * It refers to a resource in another namespace. This may change in future - * spec updates. - * - * Implementations MAY choose to perform further validation of the certificate - * content (e.g., checking expiry or enforcing specific formats). In such cases, - * an implementation-specific Reason and Message must be set for the invalid reference. - * - * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - * the BackendTLSPolicy is set to `status: False`, with a Reason and Message - * that indicate the cause of the error. Connections using an invalid - * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - * response. If ALL CACertificateRefs are invalid, the implementation MUST also - * ensure the `Accepted` Condition on the BackendTLSPolicy is set to - * `status: False`, with a Reason `NoValidCACertificate`. - * - * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. - * Implementations MAY choose to support attaching multiple certificates to - * a backend, but this behavior is implementation-specific. - * - * Support: Core - An optional single reference to a Kubernetes ConfigMap, - * with the CA certificate in a key named `ca.crt`. 
- * - * Support: Implementation-specific - More than one reference, other kinds - * of resources, or a single reference that includes multiple certificates. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * Hostname is used for two purposes in the connection between Gateways and - * backends: - * - * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). - * 2. Hostname MUST be used for authentication and MUST match the certificate - * served by the matching backend, unless SubjectAltNames is specified. - * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - * but MUST NOT be used for authentication. If you want to use the value - * of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. - * - * Support: Core - */ - hostname?: pulumi.Input; - /** - * SubjectAltNames contains one or more Subject Alternative Names. - * When specified the certificate served from the backend MUST - * have at least one Subject Alternate Name matching one of the specified SubjectAltNames. - * - * Support: Extended - */ - subjectAltNames?: pulumi.Input[]>; - /** - * WellKnownCACertificates specifies whether system CA certificates may be used in - * the TLS handshake between the gateway and backend pod. - * - * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs - * must be specified with at least one entry for a valid configuration. Only one of - * CACertificateRefs or WellKnownCACertificates may be specified, not both. - * If an implementation does not support the WellKnownCACertificates field, or - * the supplied value is not recognized, the implementation MUST ensure the - * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - * a Reason `Invalid`. - * - * Support: Implementation-specific - */ - wellKnownCACertificates?: pulumi.Input; - } - /** - * SubjectAltName represents Subject Alternative Name. 
- */ - interface BackendTLSPolicySpecValidationSubjectAltNames { - /** - * Hostname contains Subject Alternative Name specified in DNS name format. - * Required when Type is set to Hostname, ignored otherwise. - * - * Support: Core - */ - hostname?: pulumi.Input; - /** - * Type determines the format of the Subject Alternative Name. Always required. - * - * Support: Core - */ - type?: pulumi.Input; - /** - * URI contains Subject Alternative Name specified in a full URI format. - * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - * Required when Type is set to URI, ignored otherwise. - * - * Support: Core - */ - uri?: pulumi.Input; - } - /** - * SubjectAltName represents Subject Alternative Name. - */ - interface BackendTLSPolicySpecValidationSubjectAltNamesPatch { - /** - * Hostname contains Subject Alternative Name specified in DNS name format. - * Required when Type is set to Hostname, ignored otherwise. - * - * Support: Core - */ - hostname?: pulumi.Input; - /** - * Type determines the format of the Subject Alternative Name. Always required. - * - * Support: Core - */ - type?: pulumi.Input; - /** - * URI contains Subject Alternative Name specified in a full URI format. - * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - * Required when Type is set to URI, ignored otherwise. - * - * Support: Core - */ - uri?: pulumi.Input; - } - /** - * Status defines the current state of BackendTLSPolicy. - */ - interface BackendTLSPolicyStatus { - /** - * Ancestors is a list of ancestor resources (usually Gateways) that are - * associated with the policy, and the status of the policy with respect to - * each ancestor. 
When this policy attaches to a parent, the controller that - * manages the parent and the ancestors MUST add an entry to this list when - * the controller first sees the policy and SHOULD update the entry as - * appropriate when the relevant ancestor is modified. - * - * Note that choosing the relevant ancestor is left to the Policy designers; - * an important part of Policy design is designing the right object level at - * which to namespace this status. - * - * Note also that implementations MUST ONLY populate ancestor status for - * the Ancestor resources they are responsible for. Implementations MUST - * use the ControllerName field to uniquely identify the entries in this list - * that they are responsible for. - * - * Note that to achieve this, the list of PolicyAncestorStatus structs - * MUST be treated as a map with a composite key, made up of the AncestorRef - * and ControllerName fields combined. - * - * A maximum of 16 ancestors will be represented in this list. An empty list - * means the Policy is not relevant for any ancestors. - * - * If this slice is full, implementations MUST NOT add further entries. - * Instead they MUST consider the policy unimplementable and signal that - * on any related resources such as the ancestor that would be referenced - * here. For example, if this list was full on BackendTLSPolicy, no - * additional Gateways would be able to reference the Service targeted by - * the BackendTLSPolicy. - */ - ancestors?: pulumi.Input[]>; - } - /** - * PolicyAncestorStatus describes the status of a route with respect to an - * associated Ancestor. - * - * Ancestors refer to objects that are either the Target of a policy or above it - * in terms of object hierarchy. For example, if a policy targets a Service, the - * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - * the GatewayClass. 
Almost always, in this hierarchy, the Gateway will be the most - * useful object to place Policy status on, so we recommend that implementations - * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - * have a _very_ good reason otherwise. - * - * In the context of policy attachment, the Ancestor is used to distinguish which - * resource results in a distinct application of this policy. For example, if a policy - * targets a Service, it may have a distinct result per attached Gateway. - * - * Policies targeting the same resource may have different effects depending on the - * ancestors of those resources. For example, different Gateways targeting the same - * Service may have different capabilities, especially if they have different underlying - * implementations. - * - * For example, in BackendTLSPolicy, the Policy attaches to a Service that is - * used as a backend in a HTTPRoute that is itself attached to a Gateway. - * In this case, the relevant object for status is the Gateway, and that is the - * ancestor object referred to in this status. - * - * Note that a parent is also an ancestor, so for objects where the parent is the - * relevant object for status, this struct SHOULD still be used. - * - * This struct is intended to be used in a slice that's effectively a map, - * with a composite key made up of the AncestorRef and the ControllerName. - */ - interface BackendTLSPolicyStatusAncestors { - ancestorRef?: pulumi.Input; - /** - * Conditions describes the status of the Policy with respect to the given Ancestor. - */ - conditions?: pulumi.Input[]>; - /** - * ControllerName is a domain/path string that indicates the name of the - * controller that wrote this status. This corresponds with the - * controllerName field on GatewayClass. - * - * Example: "example.net/gateway-controller". 
- * - * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - * valid Kubernetes names - * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - * - * Controllers MUST populate this field when writing status. Controllers should ensure that - * entries to status populated with their ControllerName are cleaned up when they are no - * longer necessary. - */ - controllerName?: pulumi.Input; - } - /** - * AncestorRef corresponds with a ParentRef in the spec that this - * PolicyAncestorStatus struct describes the status of. - */ - interface BackendTLSPolicyStatusAncestorsAncestorRef { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. 
- * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. - * - * Support: Extended - */ - port?: pulumi.Input; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName?: pulumi.Input; - } - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - interface BackendTLSPolicyStatusAncestorsConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime?: pulumi.Input; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message?: pulumi.Input; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration?: pulumi.Input; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason?: pulumi.Input; - /** - * status of the condition, one of True, False, Unknown. - */ - status?: pulumi.Input; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type?: pulumi.Input; - } /** * GRPCRoute provides a way to route gRPC requests. This includes the capability * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. * Filters can be used to specify additional processing steps. Backends specify * where matching requests will be routed. * + * * GRPCRoute falls under extended support within the Gateway API. Within the * following specification, the word "MUST" indicates that an implementation * supporting GRPCRoute must conform to the indicated requirement, but an * implementation not supporting this route type need not follow the requirement * unless explicitly indicated. * + * * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via * ALPN. 
If the implementation does not support this, then it MUST set the @@ -21850,6 +13654,7 @@ export declare namespace gateway { * "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections * with an upgrade from HTTP/1. * + * * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST * support HTTP/2 over cleartext TCP (h2c, * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial @@ -21885,14 +13690,17 @@ export declare namespace gateway { * Host header to select a GRPCRoute to process the request. This matches * the RFC 1123 definition of a hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label MUST appear by itself as the first label. * + * * If a hostname is specified by both the Listener and GRPCRoute, there * MUST be at least one intersecting hostname for the GRPCRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches GRPCRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -21902,34 +13710,41 @@ export declare namespace gateway { * `test.example.com` and `*.example.com` would both match. On the other * hand, `example.com` and `test.example.net` would not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and GRPCRoute have specified hostnames, any * GRPCRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * GRPCRoute specified `test.example.com` and `test.example.net`, * `test.example.net` MUST NOT be considered for a match. * + * * If both the Listener and GRPCRoute have specified hostnames, and none * match with the criteria above, then the GRPCRoute MUST NOT be accepted by * the implementation. The implementation MUST raise an 'Accepted' Condition * with a status of `False` in the corresponding RouteParentStatus. * + * * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a * Listener and that listener already has another Route (B) of the other * type attached and the intersection of the hostnames of A and B is * non-empty, then the implementation MUST accept exactly one of these two * routes, determined by the following criteria, in order: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * The rejected Route MUST raise an 'Accepted' condition with a status of * 'False' in the corresponding RouteParentStatus. * + * * Support: Core */ hostnames?: pulumi.Input[]>; 
@@ -21945,16 +13760,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -21964,8 +13784,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -21973,12 +13795,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -21986,10 +13810,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -22001,33 +13827,21 @@ export declare namespace gateway { * Rules are a list of GRPC matchers, filters and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** * ParentReference identifies an API object (usually a Gateway) that can be considered * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -22038,23 +13852,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -22062,6 +13881,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -22069,10 +13889,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -22080,6 +13902,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -22087,6 +13910,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -22096,15 +13920,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -22113,6 +13940,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -22120,6 +13948,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -22127,10 +13956,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -22140,6 +13971,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -22149,12 +13981,15 @@ export declare namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -22165,23 +14000,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -22189,6 +14029,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -22196,10 +14037,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -22207,6 +14050,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -22214,6 +14058,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -22223,15 +14068,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -22240,6 +14088,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -22247,6 +14096,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -22254,10 +14104,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -22267,6 +14119,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -22280,14 +14133,17 @@ export declare namespace gateway { * Host header to select a GRPCRoute to process the request. This matches * the RFC 1123 definition of a hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label MUST appear by itself as the first label. * + * * If a hostname is specified by both the Listener and GRPCRoute, there * MUST be at least one intersecting hostname for the GRPCRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches GRPCRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -22297,34 +14153,41 @@ export declare namespace gateway { * `test.example.com` and `*.example.com` would both match. On the other * hand, `example.com` and `test.example.net` would not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and GRPCRoute have specified hostnames, any * GRPCRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * GRPCRoute specified `test.example.com` and `test.example.net`, * `test.example.net` MUST NOT be considered for a match. * + * * If both the Listener and GRPCRoute have specified hostnames, and none * match with the criteria above, then the GRPCRoute MUST NOT be accepted by * the implementation. The implementation MUST raise an 'Accepted' Condition * with a status of `False` in the corresponding RouteParentStatus. * + * * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a * Listener and that listener already has another Route (B) of the other * type attached and the intersection of the hostnames of A and B is * non-empty, then the implementation MUST accept exactly one of these two * routes, determined by the following criteria, in order: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * The rejected Route MUST raise an 'Accepted' condition with a status of * 'False' in the corresponding RouteParentStatus. * + * * Support: Core */ hostnames?: pulumi.Input[]>; 
@@ -22340,16 +14203,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -22359,8 +14227,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -22368,12 +14238,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -22381,10 +14253,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -22396,21 +14270,6 @@ export declare namespace gateway { * Rules are a list of GRPC matchers, filters and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** * GRPCRouteRule defines the semantics for matching a gRPC request based on 
@@ -22422,30 +14281,38 @@ export declare namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive an `UNAVAILABLE` status. * + * * See the GRPCBackendRef definition for the rules about what makes a single * GRPCBackendRef invalid. * + * * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive an `UNAVAILABLE` status. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. * Implementations may choose how that 50 percent is determined. * + * * Support: Core for Kubernetes Service * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs?: pulumi.Input[]>; 
@@ -22453,26 +14320,32 @@ export declare namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * The effects of ordering of multiple behaviors are currently unspecified. * This can change in the future based on feedback during the alpha stage. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations that support * GRPCRoute. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * - * If an implementation cannot support a combination of filters, it must clearly + * + * If an implementation can not support a combination of filters, it must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. * + * * Support: Core */ filters?: pulumi.Input[]>; @@ -22481,8 +14354,10 @@ export declare namespace gateway { * gRPC requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - method: 
@@ -22494,76 +14369,90 @@ export declare namespace gateway { * service: foo.bar.v2 * ``` * + * * For a request to match against this rule, it MUST satisfy * EITHER of the two conditions: * + * * - service of foo.bar AND contains the header `version: 2` * - service of foo.bar.v2 * + * * See the documentation for GRPCRouteMatch on how to specify multiple * match conditions to be ANDed together. * + * * If no matches are specified, the implementation MUST match every gRPC request. * + * * Proxy or Load Balancer routing configuration generated from GRPCRoutes * MUST prioritize rules based on the following criteria, continuing on * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. * Precedence MUST be given to the rule with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * * Characters in a matching service. * * Characters in a matching method. * * Header matches. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within the Route that has been given precedence, * matching precedence MUST be granted to the first matching rule meeting * the above criteria. */ matches?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; sessionPersistence?: pulumi.Input; } /** * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. 
* * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ interface GRPCRouteSpecRulesBackendRefs { /** * Filters defined at this level MUST be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in GRPCRouteRule.) */ @@ -22577,16 +14466,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; 
@@ -22598,11 +14491,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -22622,11 +14517,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; @@ -22648,14 +14545,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations supporting GRPCRoute MUST support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by specific vendors. * In the future, filters showing convergence in behavior across multiple * implementations will be considered for inclusion in extended or core 
@@ -22663,9 +14563,11 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` MUST be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. @@ -22678,8 +14580,10 @@ export declare namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * Support: Implementation-specific * + * * This filter can be used multiple times within the same rule. */ interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRef { @@ -22703,8 +14607,10 @@ export declare namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * Support: Implementation-specific * + * * This filter can be used multiple times within the same rule. */ interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch { 
@@ -22739,14 +14645,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations supporting GRPCRoute MUST support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by specific vendors. * In the future, filters showing convergence in behavior across multiple * implementations will be considered for inclusion in extended or core @@ -22754,9 +14663,11 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` MUST be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. @@ -22767,6 +14678,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier { @@ -22775,15 +14687,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz 
@@ -22795,15 +14710,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -22813,15 +14731,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -22834,7 +14755,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -22854,7 +14776,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -22872,6 +14795,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch { 
@@ -22880,15 +14804,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -22900,15 +14827,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -22918,15 +14848,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -22939,7 +14872,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -22959,7 +14893,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -22978,48 +14913,46 @@ export declare namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirror { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef { @@ -23032,16 +14965,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -23053,11 +14990,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -23073,26 +15012,32 @@ export declare namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch { @@ -23105,16 +15050,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; 
@@ -23126,11 +15075,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -23143,56 +15094,27 @@ export declare namespace gateway { */ port?: pulumi.Input; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFraction { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier { 
@@ -23201,15 +15123,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -23221,15 +15146,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -23239,15 +15167,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -23260,7 +15191,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -23280,7 +15212,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -23298,6 +15231,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch { @@ -23306,15 +15240,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -23326,15 +15263,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -23344,15 +15284,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -23365,7 +15308,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -23385,7 +15329,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -23402,31 +15347,42 @@ export declare namespace gateway { /** * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ interface GRPCRouteSpecRulesBackendRefsPatch { /** * Filters defined at this level MUST be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in GRPCRouteRule.) */ 
@@ -23440,16 +15396,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -23461,11 +15421,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -23485,11 +15447,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; 
@@ -23511,14 +15475,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations supporting GRPCRoute MUST support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by specific vendors. * In the future, filters showing convergence in behavior across multiple * implementations will be considered for inclusion in extended or core @@ -23526,9 +15493,11 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` MUST be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. @@ -23541,8 +15510,10 @@ export declare namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * Support: Implementation-specific * + * * This filter can be used multiple times within the same rule. */ interface GRPCRouteSpecRulesFiltersExtensionRef { @@ -23566,8 +15537,10 @@ export declare namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * Support: Implementation-specific * + * * This filter can be used multiple times within the same rule. */ interface GRPCRouteSpecRulesFiltersExtensionRefPatch { 
@@ -23602,14 +15575,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations supporting GRPCRoute MUST support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by specific vendors. * In the future, filters showing convergence in behavior across multiple * implementations will be considered for inclusion in extended or core @@ -23617,9 +15593,11 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` MUST be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. @@ -23630,6 +15608,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface GRPCRouteSpecRulesFiltersRequestHeaderModifier { @@ -23638,15 +15617,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz 
@@ -23658,15 +15640,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -23676,15 +15661,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -23697,7 +15685,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -23717,7 +15706,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -23735,6 +15725,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch { 
@@ -23743,15 +15734,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -23763,15 +15757,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -23781,15 +15778,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -23802,7 +15802,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -23822,7 +15823,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -23841,48 +15843,46 @@ export declare namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface GRPCRouteSpecRulesFiltersRequestMirror { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRef { 
@@ -23895,16 +15895,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -23916,11 +15920,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -23936,26 +15942,32 @@ export declare namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch { @@ -23968,16 +15980,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; 
@@ -23989,11 +16005,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -24006,56 +16024,27 @@ export declare namespace gateway { */ port?: pulumi.Input; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface GRPCRouteSpecRulesFiltersRequestMirrorFraction { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface GRPCRouteSpecRulesFiltersRequestMirrorFractionPatch { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface GRPCRouteSpecRulesFiltersRequestMirrorPatch { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface GRPCRouteSpecRulesFiltersResponseHeaderModifier { 
@@ -24064,15 +16053,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -24084,15 +16076,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -24102,15 +16097,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -24123,7 +16121,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -24143,7 +16142,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24161,6 +16161,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch { @@ -24169,15 +16170,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -24189,15 +16193,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -24207,15 +16214,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -24228,7 +16238,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24248,7 +16259,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24267,9 +16279,11 @@ export declare namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a gRPC request only if its service * is `foo` AND it contains the `version: v1` header: * + * * ``` * matches: * - method: @@ -24279,6 +16293,7 @@ export declare namespace gateway { * - name: "version" * value "v1" * + * * ``` */ interface GRPCRouteSpecRulesMatches { @@ -24298,6 +16313,7 @@ export declare namespace gateway { /** * Name is the name of the gRPC Header to be matched. * + * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent header name MUST be ignored. Due to the 
@@ -24322,6 +16338,7 @@ export declare namespace gateway { /** * Name is the name of the gRPC Header to be matched. * + * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent header name MUST be ignored. Due to the @@ -24347,6 +16364,7 @@ export declare namespace gateway { * Value of the method to match against. If left empty or omitted, will * match all services. * + * * At least one of Service and Method MUST be a non-empty string. */ method?: pulumi.Input; @@ -24354,6 +16372,7 @@ export declare namespace gateway { * Value of the service to match against. If left empty or omitted, will * match any service. * + * * At least one of Service and Method MUST be a non-empty string. */ service?: pulumi.Input; @@ -24361,8 +16380,10 @@ export declare namespace gateway { * Type specifies how to match against the service and/or method. * Support: Core (Exact with service and method specified) * + * * Support: Implementation-specific (Exact with method specified but no service specified) * + * * Support: Implementation-specific (RegularExpression) */ type?: pulumi.Input; @@ -24376,6 +16397,7 @@ export declare namespace gateway { * Value of the method to match against. If left empty or omitted, will * match all services. * + * * At least one of Service and Method MUST be a non-empty string. */ method?: pulumi.Input; @@ -24383,6 +16405,7 @@ export declare namespace gateway { * Value of the service to match against. If left empty or omitted, will * match any service. * + * * At least one of Service and Method MUST be a non-empty string. */ service?: pulumi.Input; 
@@ -24390,8 +16413,10 @@ export declare namespace gateway { * Type specifies how to match against the service and/or method. * Support: Core (Exact with service and method specified) * + * * Support: Implementation-specific (Exact with method specified but no service specified) * + * * Support: Implementation-specific (RegularExpression) */ type?: pulumi.Input; @@ -24401,9 +16426,11 @@ export declare namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a gRPC request only if its service * is `foo` AND it contains the `version: v1` header: * + * * ``` * matches: * - method: @@ -24413,6 +16440,7 @@ export declare namespace gateway { * - name: "version" * value "v1" * + * * ``` */ interface GRPCRouteSpecRulesMatchesPatch { 
@@ -24434,30 +16462,38 @@ export declare namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive an `UNAVAILABLE` status. * + * * See the GRPCBackendRef definition for the rules about what makes a single * GRPCBackendRef invalid. * + * * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive an `UNAVAILABLE` status. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. * Implementations may choose how that 50 percent is determined. * + * * Support: Core for Kubernetes Service * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs?: pulumi.Input[]>; 
@@ -24465,26 +16501,32 @@ export declare namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * The effects of ordering of multiple behaviors are currently unspecified. * This can change in the future based on feedback during the alpha stage. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations that support * GRPCRoute. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * - * If an implementation cannot support a combination of filters, it must clearly + * + * If an implementation can not support a combination of filters, it must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. * + * * Support: Core */ filters?: pulumi.Input[]>; @@ -24493,8 +16535,10 @@ export declare namespace gateway { * gRPC requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - method: 
@@ -24506,52 +16550,56 @@ export declare namespace gateway { * service: foo.bar.v2 * ``` * + * * For a request to match against this rule, it MUST satisfy * EITHER of the two conditions: * + * * - service of foo.bar AND contains the header `version: 2` * - service of foo.bar.v2 * + * * See the documentation for GRPCRouteMatch on how to specify multiple * match conditions to be ANDed together. * + * * If no matches are specified, the implementation MUST match every gRPC request. * + * * Proxy or Load Balancer routing configuration generated from GRPCRoutes * MUST prioritize rules based on the following criteria, continuing on * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. * Precedence MUST be given to the rule with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * * Characters in a matching service. * * Characters in a matching method. * * Header matches. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within the Route that has been given precedence, * matching precedence MUST be granted to the first matching rule meeting * the above criteria. */ matches?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; sessionPersistence?: pulumi.Input; } /** * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ interface GRPCRouteSpecRulesSessionPersistence { 
@@ -24560,6 +16608,7 @@ export declare namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout?: pulumi.Input; @@ -24569,6 +16618,7 @@ export declare namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout?: pulumi.Input; @@ -24578,6 +16628,7 @@ export declare namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName?: pulumi.Input; @@ -24586,8 +16637,10 @@ export declare namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type?: pulumi.Input; @@ -24596,6 +16649,7 @@ export declare namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ interface GRPCRouteSpecRulesSessionPersistenceCookieConfig { @@ -24606,18 +16660,20 @@ export declare namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType?: pulumi.Input; 
@@ -24626,6 +16682,7 @@ export declare namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ interface GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch { @@ -24636,18 +16693,20 @@ export declare namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType?: pulumi.Input; @@ -24656,6 +16715,7 @@ export declare namespace gateway { * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ interface GRPCRouteSpecRulesSessionPersistencePatch { @@ -24664,6 +16724,7 @@ export declare namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout?: pulumi.Input; @@ -24673,6 +16734,7 @@ export declare namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout?: pulumi.Input; @@ -24682,6 +16744,7 @@ export declare namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName?: pulumi.Input; @@ -24690,8 +16753,10 @@ export declare namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type?: pulumi.Input; 
@@ -24708,11 +16773,13 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ @@ -24728,19 +16795,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ 
@@ -24750,12 +16821,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. @@ -24765,6 +16839,22 @@ export declare namespace gateway { } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GRPCRouteStatusParentsConditions { /** @@ -24797,6 +16887,10 @@ export declare namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } 
@@ -24811,23 +16905,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -24835,6 +16934,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -24842,10 +16942,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -24853,6 +16955,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -24860,6 +16963,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -24869,15 +16973,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -24886,6 +16993,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -24893,6 +17001,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -24900,10 +17009,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -24913,6 +17024,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -24941,6 +17053,7 @@ export declare namespace gateway { * GatewayClass describes a class of Gateways available to the user for creating * Gateway resources. * + * * It is recommended that this resource be used as a template for Gateways. This * means that a Gateway is based on the state of the GatewayClass at the time it * was created and changes to the GatewayClass or associated parameters are not @@ -24949,11 +17062,13 @@ export declare namespace gateway { * If implementations choose to propagate GatewayClass changes to existing * Gateways, that MUST be clearly documented by the implementation. * + * * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the * associated GatewayClass. This ensures that a GatewayClass associated with a * Gateway is not deleted while in use. * + * * GatewayClass is a Cluster level resource. */ interface GatewayClass { 
@@ -24980,10 +17095,13 @@ export declare namespace gateway { * ControllerName is the name of the controller that is managing Gateways of * this class. The value of this field MUST be a domain prefixed path. * + * * Example: "example.net/gateway-controller". * + * * This field is not mutable and cannot be empty. * + * * Support: Core */ controllerName?: pulumi.Input; @@ -24998,19 +17116,21 @@ export declare namespace gateway { * parameters corresponding to the GatewayClass. This is optional if the * controller does not require any additional configuration. * + * * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, * or an implementation-specific custom resource. The resource can be * cluster-scoped or namespace-scoped. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the GatewayClass SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. + * + * If the referent cannot be found, the GatewayClass's "InvalidParameters" + * status condition will be true. + * * * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * + * * Support: Implementation-specific */ interface GatewayClassSpecParametersRef { 
@@ -25038,19 +17158,21 @@ export declare namespace gateway { * parameters corresponding to the GatewayClass. This is optional if the * controller does not require any additional configuration. * + * * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, * or an implementation-specific custom resource. The resource can be * cluster-scoped or namespace-scoped. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the GatewayClass SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. + * + * If the referent cannot be found, the GatewayClass's "InvalidParameters" + * status condition will be true. + * * * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * + * * Support: Implementation-specific */ interface GatewayClassSpecParametersRefPatch { @@ -25081,10 +17203,13 @@ export declare namespace gateway { * ControllerName is the name of the controller that is managing Gateways of * this class. The value of this field MUST be a domain prefixed path. * + * * Example: "example.net/gateway-controller". * + * * This field is not mutable and cannot be empty. * + * * Support: Core */ controllerName?: pulumi.Input; @@ -25097,6 +17222,7 @@ export declare namespace gateway { /** * Status defines the current state of GatewayClass. * + * * Implementations MUST populate status on all GatewayClass resources which * specify their controller name. */ 
@@ -25105,18 +17231,35 @@ export declare namespace gateway { * Conditions is the current status from the controller for * this GatewayClass. * + * * Controllers should prefer to publish conditions using values * of GatewayClassConditionType for the type of each Condition. */ conditions?: pulumi.Input[]>; /** * SupportedFeatures is the set of features the GatewayClass support. - * It MUST be sorted in ascending alphabetical order by the Name key. + * It MUST be sorted in ascending alphabetical order. */ - supportedFeatures?: pulumi.Input[]>; + supportedFeatures?: pulumi.Input[]>; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayClassStatusConditions { /** @@ -25149,16 +17292,13 @@ export declare namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } - interface GatewayClassStatusSupportedFeatures { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. - */ - name?: pulumi.Input; - } /** * Spec defines the desired state of Gateway. */ 
@@ -25167,7 +17307,8 @@ export declare namespace gateway { * Addresses requested for this Gateway. This is optional and behavior can * depend on the implementation. If a value is set in the spec and the * requested address is invalid or unavailable, the implementation MUST - * indicate this in an associated entry in GatewayStatus.Conditions. + * indicate this in the associated entry in GatewayStatus.Addresses. + * * * The Addresses field represents a request for the address(es) on the * "outside of the Gateway", that traffic bound for this Gateway will use. 
@@ -25175,38 +17316,20 @@ export declare namespace gateway { * other networking infrastructure, or some other address that traffic will * be sent to. * + * * If no Addresses are specified, the implementation MAY schedule the * Gateway in an implementation-specific manner, assigning an appropriate * set of Addresses. * + * * The implementation MUST bind all Listeners to every GatewayAddress that * it assigns to the Gateway and add a corresponding entry in * GatewayStatus.Addresses. * + * * Support: Extended */ addresses?: pulumi.Input[]>; - allowedListeners?: pulumi.Input; - /** - * DefaultScope, when set, configures the Gateway as a default Gateway, - * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) - * attached to it, according to the scope configured here. - * - * If unset (the default) or set to None, the Gateway will not act as a - * default Gateway; if set, the Gateway will claim any Route with a - * matching scope set in its UseDefaultGateway field, subject to the usual - * rules about which routes the Gateway can attach to. - * - * Think carefully before using this functionality! While the normal rules - * about which Route can apply are still enforced, it is simply easier for - * the wrong Route to be accidentally attached to this Gateway in this - * configuration. If the Gateway operator is not also the operator in - * control of the scope (e.g. namespace) with tight controls and checks on - * what kind of workloads and Routes get added in that scope, we strongly - * recommend not using this just because it seems convenient, and instead - * stick to direct Route attachment. - */ - defaultScope?: pulumi.Input; /** * GatewayClassName used for this Gateway. This is the name of a * GatewayClass resource. 
@@ -25218,7 +17341,6 @@ export declare namespace gateway { * logical endpoints that are bound on this Gateway's addresses. * At least one Listener MUST be specified. * - * ## Distinct Listeners * * Each Listener in a set of Listeners (for example, in a single Gateway) * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to 
@@ -25227,107 +17349,97 @@ export declare namespace gateway { * from multiple Gateways onto a single data plane, and these rules _also_ * apply in that case). * + * * Practically, this means that each listener in a set MUST have a unique * combination of Port, Protocol, and, if supported by the protocol, Hostname. * - * Some combinations of port, protocol, and TLS settings are considered - * Core support and MUST be supported by implementations based on the objects - * they support: * - * HTTPRoute + * Some combinations of port, protocol, and TLS settings are considered + * Core support and MUST be supported by implementations based on their + * targeted conformance profile: + * + * + * HTTP Profile + * * * 1. HTTPRoute, Port: 80, Protocol: HTTP * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided * - * TLSRoute + * + * TLS Profile + * * * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough * + * * "Distinct" Listeners have the following property: * - * **The implementation can match inbound requests to a single distinct - * Listener**. * - * When multiple Listeners share values for fields (for + * The implementation can match inbound requests to a single distinct + * Listener. When multiple Listeners share values for fields (for * example, two Listeners with the same Port value), the implementation * can match requests to only one of the Listeners using other * Listener fields. * - * When multiple listeners have the same value for the Protocol field, then - * each of the Listeners with matching Protocol values MUST have different - * values for other fields. * - * The set of fields that MUST be different for a Listener differs per protocol. - * The following rules define the rules for what fields MUST be considered for - * Listeners to be distinct with each protocol currently defined in the - * Gateway API spec. 
+ * For example, the following Listener scenarios are distinct: * - * The set of listeners that all share a protocol value MUST have _different_ - * values for _at least one_ of these fields to be distinct: * - * * **HTTP, HTTPS, TLS**: Port, Hostname - * * **TCP, UDP**: Port + * 1. Multiple Listeners with the same Port that all use the "HTTP" + * Protocol that all have unique Hostname values. + * 2. Multiple Listeners with the same Port that use either the "HTTPS" or + * "TLS" Protocol that all have unique Hostname values. + * 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + * with the same Protocol has the same Port value. * - * One **very** important rule to call out involves what happens when an - * implementation: * - * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - * Listeners, and - * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - * Protocol. + * Some fields in the Listener struct have possible values that affect + * whether the Listener is distinct. Hostname is particularly relevant + * for HTTP or HTTPS protocols. * - * In this case all the Listeners that share a port with the - * TCP Listener are not distinct and so MUST NOT be accepted. * - * If an implementation does not support TCP Protocol Listeners, then the - * previous rule does not apply, and the TCP Listeners SHOULD NOT be - * accepted. + * When using the Hostname value to select between same-Port, same-Protocol + * Listeners, the Hostname value must be different on each Listener for the + * Listener to be distinct. * - * Note that the `tls` field is not used for determining if a listener is distinct, because - * Listeners that _only_ differ on TLS config will still conflict in all cases. 
* - * ### Listeners that are distinct only by Hostname - * - * When the Listeners are distinct based only on Hostname, inbound request + * When the Listeners are distinct based on Hostname, inbound request * hostnames MUST match from the most specific to least specific Hostname * values to choose the correct Listener and its associated set of Routes. * - * Exact matches MUST be processed before wildcard matches, and wildcard - * matches MUST be processed before fallback (empty Hostname value) + * + * Exact matches must be processed before wildcard matches, and wildcard + * matches must be processed before fallback (empty Hostname value) * matches. For example, `"foo.example.com"` takes precedence over * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. * + * * Additionally, if there are multiple wildcard entries, more specific * wildcard entries must be processed before less specific wildcard entries. * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. - * * The precise definition here is that the higher the number of dots in the * hostname to the right of the wildcard character, the higher the precedence. * + * * The wildcard character will match any number of characters _and dots_ to * the left, however, so `"*.example.com"` will match both * `"foo.bar.example.com"` _and_ `"bar.example.com"`. * - * ## Handling indistinct Listeners * * If a set of Listeners contains Listeners that are not distinct, then those - * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + * Listeners are Conflicted, and the implementation MUST set the "Conflicted" * condition in the Listener Status to "True". * - * The words "indistinct" and "conflicted" are considered equivalent for the - * purpose of this documentation. * * Implementations MAY choose to accept a Gateway with some Conflicted * Listeners only if they only accept the partial Listener set that contains - * no Conflicted Listeners. 
+ * no Conflicted Listeners. To put this another way, implementations may + * accept a partial Listener set only if they throw out *all* the conflicting + * Listeners. No picking one of the conflicting listeners as the winner. + * This also means that the Gateway must have at least one non-conflicting + * Listener in this case, otherwise it violates the requirement that at + * least one Listener must be present. * - * Specifically, an implementation MAY accept a partial Listener set subject to - * the following rules: - * - * * The implementation MUST NOT pick one conflicting Listener as the winner. - * ALL indistinct Listeners must not be accepted for processing. - * * At least one distinct Listener MUST be present, or else the Gateway effectively - * contains _no_ Listeners, and must be rejected from processing as a whole. * * The implementation MUST set a "ListenersNotValid" condition on the * Gateway Status when the Gateway contains Conflicted Listeners whether or 
@@ -25336,51 +17448,44 @@ export declare namespace gateway { * Accepted. Additionally, the Listener status for those listeners SHOULD * indicate which Listeners are conflicted and not Accepted. * - * ## General Listener behavior * - * Note that, for all distinct Listeners, requests SHOULD match at most one Listener. - * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - * request to "foo.example.com" SHOULD only be routed using routes attached - * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * A Gateway's Listeners are considered "compatible" if: * - * This concept is known as "Listener Isolation", and it is an Extended feature - * of Gateway API. Implementations that do not support Listener Isolation MUST - * clearly document this, and MUST NOT claim support for the - * `GatewayHTTPListenerIsolation` feature. - * - * Implementations that _do_ support Listener Isolation SHOULD claim support - * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - * conformance tests. - * - * ## Compatible Listeners - * - * A Gateway's Listeners are considered _compatible_ if: * * 1. They are distinct. * 2. The implementation can serve them in compliance with the Addresses * requirement that all Listeners are available on all assigned * addresses. * + * * Compatible combinations in Extended support are expected to vary across * implementations. A combination that is compatible for one implementation * may not be compatible for another. * + * * For example, an implementation that cannot serve both TCP and UDP listeners * on the same address, or cannot mix HTTPS and generic TLS listens on the same port * would not consider those cases compatible, even though they are distinct. * + * + * Note that requests SHOULD match at most one Listener. 
For example, if + * Listeners are defined for "foo.example.com" and "*.example.com", a + * request to "foo.example.com" SHOULD only be routed using routes attached + * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * This concept is known as "Listener Isolation". Implementations that do + * not support Listener Isolation MUST clearly document this. + * + * * Implementations MAY merge separate Gateways onto a single set of * Addresses if all Listeners across all Gateways are compatible. * - * In a future release the MinItems=1 requirement MAY be dropped. * * Support: Core */ listeners?: pulumi.Input[]>; - tls?: pulumi.Input; } /** - * GatewaySpecAddress describes an address that can be bound to a Gateway. + * GatewayAddress describes an address that can be bound to a Gateway. */ interface GatewaySpecAddresses { /** @@ -25388,18 +17493,16 @@ export declare namespace gateway { */ type?: pulumi.Input; /** - * When a value is unspecified, an implementation SHOULD automatically - * assign an address matching the requested type if possible. + * Value of the address. The validity of the values will depend + * on the type and support by the controller. * - * If an implementation does not support an empty value, they MUST set the - * "Programmed" condition in status to False with a reason of "AddressNotAssigned". * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value?: pulumi.Input; } /** - * GatewaySpecAddress describes an address that can be bound to a Gateway. + * GatewayAddress describes an address that can be bound to a Gateway. */ interface GatewaySpecAddressesPatch { /** 
@@ -25407,164 +17510,32 @@ export declare namespace gateway { */ type?: pulumi.Input; /** - * When a value is unspecified, an implementation SHOULD automatically - * assign an address matching the requested type if possible. + * Value of the address. The validity of the values will depend + * on the type and support by the controller. * - * If an implementation does not support an empty value, they MUST set the - * "Programmed" condition in status to False with a reason of "AddressNotAssigned". * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value?: pulumi.Input; } - /** - * AllowedListeners defines which ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - interface GatewaySpecAllowedListeners { - namespaces?: pulumi.Input; - } - /** - * Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - interface GatewaySpecAllowedListenersNamespaces { - /** - * From indicates where ListenerSets can attach to this Gateway. Possible - * values are: - * - * * Same: Only ListenerSets in the same namespace may be attached to this Gateway. - * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. - * * All: ListenerSets in all namespaces may be attached to this Gateway. - * * None: Only listeners defined in the Gateway's spec are allowed - * - * While this feature is experimental, the default value None - */ - from?: pulumi.Input; - selector?: pulumi.Input; - } - /** - * Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - interface GatewaySpecAllowedListenersNamespacesPatch { - /** - * From indicates where ListenerSets can attach to this Gateway. 
Possible - * values are: - * - * * Same: Only ListenerSets in the same namespace may be attached to this Gateway. - * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. - * * All: ListenerSets in all namespaces may be attached to this Gateway. - * * None: Only listeners defined in the Gateway's spec are allowed - * - * While this feature is experimental, the default value None - */ - from?: pulumi.Input; - selector?: pulumi.Input; - } - /** - * Selector must be specified when From is set to "Selector". In that case, - * only ListenerSets in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - */ - interface GatewaySpecAllowedListenersNamespacesSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. 
- */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * Selector must be specified when From is set to "Selector". In that case, - * only ListenerSets in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - */ - interface GatewaySpecAllowedListenersNamespacesSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * AllowedListeners defines which ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - interface GatewaySpecAllowedListenersPatch { - namespaces?: pulumi.Input; - } /** * Infrastructure defines infrastructure level attributes about this Gateway instance. 
* - * Support: Extended + * + * Support: Core */ interface GatewaySpecInfrastructure { /** * Annotations that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. * + * * An implementation may chose to add additional implementation-specific annotations as they see fit. * + * * Support: Extended */ annotations?: pulumi.Input<{ @@ -25573,13 +17544,13 @@ export declare namespace gateway { /** * Labels that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. * For other implementations, this refers to any relevant (implementation specific) "labels" concepts. * + * * An implementation may chose to add additional implementation-specific labels as they see fit. * - * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - * change, it SHOULD clearly warn about this behavior in documentation. * * Support: Extended */ 
@@ -25593,16 +17564,14 @@ export declare namespace gateway { * parameters corresponding to the Gateway. This is optional if the * controller does not require any additional configuration. * + * * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis * + * * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Gateway SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. * * Support: Implementation-specific */ @@ -25625,16 +17594,14 @@ export declare namespace gateway { * parameters corresponding to the Gateway. This is optional if the * controller does not require any additional configuration. * + * * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis * + * * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Gateway SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. * * Support: Implementation-specific */ 
@@ -25655,17 +17622,21 @@ export declare namespace gateway { /** * Infrastructure defines infrastructure level attributes about this Gateway instance. * - * Support: Extended + * + * Support: Core */ interface GatewaySpecInfrastructurePatch { /** * Annotations that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. * + * * An implementation may chose to add additional implementation-specific annotations as they see fit. * + * * Support: Extended */ annotations?: pulumi.Input<{ @@ -25674,13 +17645,13 @@ export declare namespace gateway { /** * Labels that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. * For other implementations, this refers to any relevant (implementation specific) "labels" concepts. * + * * An implementation may chose to add additional implementation-specific labels as they see fit. * - * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - * change, it SHOULD clearly warn about this behavior in documentation. * * Support: Extended */ 
@@ -25701,36 +17672,18 @@ export declare namespace gateway { * field is ignored for protocols that don't require hostname based * matching. * + * * Implementations MUST apply Hostname matching appropriately for each of * the following protocols: * + * * * TLS: The Listener Hostname MUST match the SNI. * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - * Note that this does not require the SNI and Host header to be the same. - * The semantics of this are described in more detail below. + * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + * protocol layers as described above. If an implementation does not + * ensure that both the SNI and Host header match the Listener hostname, + * it MUST clearly document that. * - * To ensure security, Section 11.1 of RFC-6066 emphasizes that server - * implementations that rely on SNI hostname matching MUST also verify - * hostnames within the application protocol. - * - * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - * reuse of a connection by responding with the HTTP 421 Misdirected Request - * status code. This indicates that the origin server has rejected the - * request because it appears to have been misdirected. - * - * To detect misdirected requests, Gateways SHOULD match the authority of - * the requests with all the SNI hostname(s) configured across all the - * Gateway Listeners on the same port and protocol: - * - * * If another Listener has an exact match or more specific wildcard entry, - * the Gateway SHOULD return a 421. - * * If the current Listener (selected by SNI matching during ClientHello) - * does not match the Host: - * * If another Listener does match the Host the Gateway SHOULD return a - * 421. - * * If no other Listener matches the Host, the Gateway MUST return a - * 404. 
* * For HTTPRoute and TLSRoute resources, there is an interaction with the * `spec.hostnames` array. When both listener and route specify hostnames, @@ -25738,10 +17691,12 @@ export declare namespace gateway { * accepted. For more information, refer to the Route specific Hostnames * documentation. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * Support: Core */ hostname?: pulumi.Input; @@ -25749,6 +17704,7 @@ export declare namespace gateway { * Name is the name of the Listener. This name MUST be unique within a * Gateway. * + * * Support: Core */ name?: pulumi.Input; @@ -25756,12 +17712,14 @@ export declare namespace gateway { * Port is the network port. Multiple listeners may use the * same port, subject to the Listener compatibility rules. * + * * Support: Core */ port?: pulumi.Input; /** * Protocol specifies the network protocol this listener expects to receive. * + * * Support: Core */ protocol?: pulumi.Input; @@ -25772,10 +17730,12 @@ export declare namespace gateway { * Listener and the trusted namespaces where those Route resources MAY be * present. * + * * Although a client request may match multiple route rules, only one rule * may ultimately receive the request. Matching precedence MUST be * determined in order of the following criteria: * + * * * The most specific match as defined by the Route type. * * The oldest Route based on creation timestamp. For example, a Route with * a creation timestamp of "2020-09-08 01:02:03" is given precedence over 
@@ -25784,6 +17744,7 @@ export declare namespace gateway { * alphabetical order (namespace/name) should be given precedence. For * example, foo/bar is given precedence over foo/baz. * + * * All valid rules within a Route attached to this Listener should be * implemented. Invalid Route rules can be ignored (sometimes that will mean * the full Route). If a Route rule transitions from valid to invalid, @@ -25791,6 +17752,7 @@ export declare namespace gateway { * example, even if a filter specified by a Route rule is invalid, the rest * of the rules within that Route should still be supported. * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutes { @@ -25799,12 +17761,14 @@ export declare namespace gateway { * to this Gateway Listener. When unspecified or empty, the kinds of Routes * selected are determined using the Listener protocol. * + * * A RouteGroupKind MUST correspond to kinds of Routes that are compatible * with the application protocol specified in the Listener's Protocol field. * If an implementation does not support or recognize this resource type, it * MUST set the "ResolvedRefs" condition to False for this Listener with the * "InvalidRouteKinds" reason. * + * * Support: Core */ kinds?: pulumi.Input[]>; @@ -25840,6 +17804,7 @@ export declare namespace gateway { * Namespaces indicates namespaces from which Routes may be attached to this * Listener. This is restricted to the namespace of this Gateway by default. * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesNamespaces { @@ -25847,11 +17812,13 @@ export declare namespace gateway { * From indicates where Routes will be selected for this Gateway. Possible * values are: * + * * * All: Routes in all namespaces may be used by this Gateway. * * Selector: Routes in namespaces selected by the selector may be used by * this Gateway. * * Same: Only Routes in the same namespace may be used by this Gateway. * + * * Support: Core */ from?: pulumi.Input; 
@@ -25861,6 +17828,7 @@ export declare namespace gateway { * Namespaces indicates namespaces from which Routes may be attached to this * Listener. This is restricted to the namespace of this Gateway by default. * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesNamespacesPatch { @@ -25868,11 +17836,13 @@ export declare namespace gateway { * From indicates where Routes will be selected for this Gateway. Possible * values are: * + * * * All: Routes in all namespaces may be used by this Gateway. * * Selector: Routes in namespaces selected by the selector may be used by * this Gateway. * * Same: Only Routes in the same namespace may be used by this Gateway. * + * * Support: Core */ from?: pulumi.Input; @@ -25883,6 +17853,7 @@ export declare namespace gateway { * only Routes in Namespaces matching this Selector will be selected by this * Gateway. This field is ignored for other values of "From". * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesNamespacesSelector { @@ -25948,6 +17919,7 @@ export declare namespace gateway { * only Routes in Namespaces matching this Selector will be selected by this * Gateway. This field is ignored for other values of "From". * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch { @@ -25969,10 +17941,12 @@ export declare namespace gateway { * Listener and the trusted namespaces where those Route resources MAY be * present. * + * * Although a client request may match multiple route rules, only one rule * may ultimately receive the request. Matching precedence MUST be * determined in order of the following criteria: * + * * * The most specific match as defined by the Route type. * * The oldest Route based on creation timestamp. For example, a Route with * a creation timestamp of "2020-09-08 01:02:03" is given precedence over 
@@ -25981,6 +17955,7 @@ export declare namespace gateway { * alphabetical order (namespace/name) should be given precedence. For * example, foo/bar is given precedence over foo/baz. * + * * All valid rules within a Route attached to this Listener should be * implemented. Invalid Route rules can be ignored (sometimes that will mean * the full Route). If a Route rule transitions from valid to invalid, @@ -25988,6 +17963,7 @@ export declare namespace gateway { * example, even if a filter specified by a Route rule is invalid, the rest * of the rules within that Route should still be supported. * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesPatch { @@ -25996,12 +17972,14 @@ export declare namespace gateway { * to this Gateway Listener. When unspecified or empty, the kinds of Routes * selected are determined using the Listener protocol. * + * * A RouteGroupKind MUST correspond to kinds of Routes that are compatible * with the application protocol specified in the Listener's Protocol field. * If an implementation does not support or recognize this resource type, it * MUST set the "ResolvedRefs" condition to False for this Listener with the * "InvalidRouteKinds" reason. * + * * Support: Core */ kinds?: pulumi.Input[]>; 
@@ -26019,36 +17997,18 @@ export declare namespace gateway { * field is ignored for protocols that don't require hostname based * matching. * + * * Implementations MUST apply Hostname matching appropriately for each of * the following protocols: * + * * * TLS: The Listener Hostname MUST match the SNI. * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - * Note that this does not require the SNI and Host header to be the same. - * The semantics of this are described in more detail below. + * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + * protocol layers as described above. If an implementation does not + * ensure that both the SNI and Host header match the Listener hostname, + * it MUST clearly document that. * - * To ensure security, Section 11.1 of RFC-6066 emphasizes that server - * implementations that rely on SNI hostname matching MUST also verify - * hostnames within the application protocol. - * - * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - * reuse of a connection by responding with the HTTP 421 Misdirected Request - * status code. This indicates that the origin server has rejected the - * request because it appears to have been misdirected. - * - * To detect misdirected requests, Gateways SHOULD match the authority of - * the requests with all the SNI hostname(s) configured across all the - * Gateway Listeners on the same port and protocol: - * - * * If another Listener has an exact match or more specific wildcard entry, - * the Gateway SHOULD return a 421. - * * If the current Listener (selected by SNI matching during ClientHello) - * does not match the Host: - * * If another Listener does match the Host the Gateway SHOULD return a - * 421. - * * If no other Listener matches the Host, the Gateway MUST return a - * 404. 
* * For HTTPRoute and TLSRoute resources, there is an interaction with the * `spec.hostnames` array. When both listener and route specify hostnames, @@ -26056,10 +18016,12 @@ export declare namespace gateway { * accepted. For more information, refer to the Route specific Hostnames * documentation. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * Support: Core */ hostname?: pulumi.Input; @@ -26067,6 +18029,7 @@ export declare namespace gateway { * Name is the name of the Listener. This name MUST be unique within a * Gateway. * + * * Support: Core */ name?: pulumi.Input; @@ -26074,12 +18037,14 @@ export declare namespace gateway { * Port is the network port. Multiple listeners may use the * same port, subject to the Listener compatibility rules. * + * * Support: Core */ port?: pulumi.Input; /** * Protocol specifies the network protocol this listener expects to receive. * + * * Support: Core */ protocol?: pulumi.Input; @@ -26090,12 +18055,15 @@ export declare namespace gateway { * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field * if the Protocol field is "HTTP", "TCP", or "UDP". * - * The association of SNIs to Certificate defined in ListenerTLSConfig is + * + * The association of SNIs to Certificate defined in GatewayTLSConfig is * defined based on the Hostname field for this listener. * + * * The GatewayClass MUST use the longest matching SNI out of all * available certificates for any TLS handshake. * + * * Support: Core */ interface GatewaySpecListenersTls { 
@@ -26105,31 +18073,39 @@ export declare namespace gateway { * establish a TLS handshake for requests that match the hostname of the * associated listener. * + * * A single CertificateRef to a Kubernetes Secret has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a Listener, but this behavior is implementation-specific. * + * * References to a resource in different namespace are invalid UNLESS there * is a ReferenceGrant in the target namespace that allows the certificate * to be attached. If a ReferenceGrant does not allow this reference, the * "ResolvedRefs" condition MUST be set to False for this listener with the * "RefNotPermitted" reason. * + * * This field is required to have at least one element when the mode is set * to "Terminate" (default) and is optional otherwise. * + * * CertificateRefs can reference to standard Kubernetes resources, i.e. * Secret, or implementation-specific custom resources. * + * * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls * + * * Support: Implementation-specific (More than one reference or other resource types) */ certificateRefs?: pulumi.Input[]>; + frontendValidation?: pulumi.Input; /** * Mode defines the TLS behavior for the TLS session initiated by the client. * There are two possible modes: * + * * - Terminate: The TLS session between the downstream client and the * Gateway is terminated at the Gateway. This mode requires certificates * to be specified in some way, such as populating the certificateRefs @@ -26139,6 +18115,7 @@ export declare namespace gateway { * the ClientHello message of the TLS protocol. The certificateRefs field * is ignored in this mode. * + * * Support: Core */ mode?: pulumi.Input; 
@@ -26147,11 +18124,13 @@ export declare namespace gateway { * configuration for each implementation. For example, configuring the * minimum TLS version or supported cipher suites. * + * * A set of common keys MAY be defined by the API in the future. To avoid * any ambiguity, implementation-specific definitions MUST use * domain-prefixed names, such as `example.com/my-custom-option`. * Un-prefixed names are reserved for key names defined by Gateway API. * + * * Support: Implementation-specific */ options?: pulumi.Input<{ @@ -26162,9 +18141,11 @@ export declare namespace gateway { * SecretObjectReference identifies an API object including its namespace, * defaulting to Secret. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. @@ -26187,11 +18168,13 @@ export declare namespace gateway { * Namespace is the namespace of the referenced object. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -26200,9 +18183,11 @@ export declare namespace gateway { * SecretObjectReference identifies an API object including its namespace, * defaulting to Secret. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. 
@@ -26225,26 +18210,193 @@ export declare namespace gateway { * Namespace is the namespace of the referenced object. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; } + /** + * FrontendValidation holds configuration information for validating the frontend (client). + * Setting this field will require clients to send a client certificate + * required for validation during the TLS handshake. In browsers this may result in a dialog appearing + * that requests a user to specify the client certificate. + * The maximum depth of a certificate chain accepted in verification is Implementation specific. + * + * + * Support: Extended + */ + interface GatewaySpecListenersTlsFrontendValidation { + /** + * CACertificateRefs contains one or more references to + * Kubernetes objects that contain TLS certificates of + * the Certificate Authorities that can be used + * as a trust anchor to validate the certificates presented by the client. + * + * + * A single CA certificate reference to a Kubernetes ConfigMap + * has "Core" support. + * Implementations MAY choose to support attaching multiple CA certificates to + * a Listener, but this behavior is implementation-specific. + * + * + * Support: Core - A single reference to a Kubernetes ConfigMap + * with the CA certificate in a key named `ca.crt`. + * + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). + * + * + * References to a resource in a different namespace are invalid UNLESS there + * is a ReferenceGrant in the target namespace that allows the certificate + * to be attached. 
If a ReferenceGrant does not allow this reference, the + * "ResolvedRefs" condition MUST be set to False for this listener with the + * "RefNotPermitted" reason. + */ + caCertificateRefs?: pulumi.Input[]>; + } + /** + * ObjectReference identifies an API object including its namespace. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + * + * + * References to objects with invalid Group and Kind are not valid, and must + * be rejected by the implementation, with appropriate Conditions set + * on the containing object. + */ + interface GatewaySpecListenersTlsFrontendValidationCaCertificateRefs { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. For example "ConfigMap" or "Service". + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the referenced object. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace?: pulumi.Input; + } + /** + * ObjectReference identifies an API object including its namespace. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + * + * + * References to objects with invalid Group and Kind are not valid, and must + * be rejected by the implementation, with appropriate Conditions set + * on the containing object. 
+ */ + interface GatewaySpecListenersTlsFrontendValidationCaCertificateRefsPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. For example "ConfigMap" or "Service". + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the referenced object. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace?: pulumi.Input; + } + /** + * FrontendValidation holds configuration information for validating the frontend (client). + * Setting this field will require clients to send a client certificate + * required for validation during the TLS handshake. In browsers this may result in a dialog appearing + * that requests a user to specify the client certificate. + * The maximum depth of a certificate chain accepted in verification is Implementation specific. + * + * + * Support: Extended + */ + interface GatewaySpecListenersTlsFrontendValidationPatch { + /** + * CACertificateRefs contains one or more references to + * Kubernetes objects that contain TLS certificates of + * the Certificate Authorities that can be used + * as a trust anchor to validate the certificates presented by the client. + * + * + * A single CA certificate reference to a Kubernetes ConfigMap + * has "Core" support. + * Implementations MAY choose to support attaching multiple CA certificates to + * a Listener, but this behavior is implementation-specific. 
+ * + * + * Support: Core - A single reference to a Kubernetes ConfigMap + * with the CA certificate in a key named `ca.crt`. + * + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). + * + * + * References to a resource in a different namespace are invalid UNLESS there + * is a ReferenceGrant in the target namespace that allows the certificate + * to be attached. If a ReferenceGrant does not allow this reference, the + * "ResolvedRefs" condition MUST be set to False for this listener with the + * "RefNotPermitted" reason. + */ + caCertificateRefs?: pulumi.Input[]>; + } /** * TLS is the TLS configuration for the Listener. This field is required if * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field * if the Protocol field is "HTTP", "TCP", or "UDP". * - * The association of SNIs to Certificate defined in ListenerTLSConfig is + * + * The association of SNIs to Certificate defined in GatewayTLSConfig is * defined based on the Hostname field for this listener. * + * * The GatewayClass MUST use the longest matching SNI out of all * available certificates for any TLS handshake. * + * * Support: Core */ interface GatewaySpecListenersTlsPatch { 
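Review bot: The new `GatewaySpecListenersTlsFrontendValidation` type takes its trust anchors from `caCertificateRefs`, whose Core form is a ConfigMap key `ca.crt`, so whoever can write that ConfigMap decides which client certificates the listener accepts; the generated comment does not say this. The type is also marked `Support: Extended`, which means a controller may not implement it, and in that case a listener declared with `frontendValidation` would presumably not request client certificates at all. I would add a usage note to the package docs along the lines of `frontendValidation: restrict write access to the referenced CA ConfigMap and confirm the controller reports support before relying on it for client authentication`. Further down the diff the gateway-level `GatewaySpecTls*` types and their `mode` field are removed, so programs that configured client validation there need to be moved to the per-listener field.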
@@ -26254,31 +18406,39 @@ export declare namespace gateway { * establish a TLS handshake for requests that match the hostname of the * associated listener. * + * * A single CertificateRef to a Kubernetes Secret has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a Listener, but this behavior is implementation-specific. * + * * References to a resource in different namespace are invalid UNLESS there * is a ReferenceGrant in the target namespace that allows the certificate * to be attached. If a ReferenceGrant does not allow this reference, the * "ResolvedRefs" condition MUST be set to False for this listener with the * "RefNotPermitted" reason. * + * * This field is required to have at least one element when the mode is set * to "Terminate" (default) and is optional otherwise. * + * * CertificateRefs can reference to standard Kubernetes resources, i.e. * Secret, or implementation-specific custom resources. * + * * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls * + * * Support: Implementation-specific (More than one reference or other resource types) */ certificateRefs?: pulumi.Input[]>; + frontendValidation?: pulumi.Input; /** * Mode defines the TLS behavior for the TLS session initiated by the client. * There are two possible modes: * + * * - Terminate: The TLS session between the downstream client and the * Gateway is terminated at the Gateway. This mode requires certificates * to be specified in some way, such as populating the certificateRefs @@ -26288,6 +18448,7 @@ export declare namespace gateway { * the ClientHello message of the TLS protocol. The certificateRefs field * is ignored in this mode. * + * * Support: Core */ mode?: pulumi.Input; 
@@ -26296,11 +18457,13 @@ export declare namespace gateway { * configuration for each implementation. For example, configuring the * minimum TLS version or supported cipher suites. * + * * A set of common keys MAY be defined by the API in the future. To avoid * any ambiguity, implementation-specific definitions MUST use * domain-prefixed names, such as `example.com/my-custom-option`. * Un-prefixed names are reserved for key names defined by Gateway API. * + * * Support: Implementation-specific */ options?: pulumi.Input<{ @@ -26315,7 +18478,8 @@ export declare namespace gateway { * Addresses requested for this Gateway. This is optional and behavior can * depend on the implementation. If a value is set in the spec and the * requested address is invalid or unavailable, the implementation MUST - * indicate this in an associated entry in GatewayStatus.Conditions. + * indicate this in the associated entry in GatewayStatus.Addresses. + * * * The Addresses field represents a request for the address(es) on the * "outside of the Gateway", that traffic bound for this Gateway will use. 
@@ -26323,38 +18487,20 @@ export declare namespace gateway { * other networking infrastructure, or some other address that traffic will * be sent to. * + * * If no Addresses are specified, the implementation MAY schedule the * Gateway in an implementation-specific manner, assigning an appropriate * set of Addresses. * + * * The implementation MUST bind all Listeners to every GatewayAddress that * it assigns to the Gateway and add a corresponding entry in * GatewayStatus.Addresses. * + * * Support: Extended */ addresses?: pulumi.Input[]>; - allowedListeners?: pulumi.Input; - /** - * DefaultScope, when set, configures the Gateway as a default Gateway, - * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) - * attached to it, according to the scope configured here. - * - * If unset (the default) or set to None, the Gateway will not act as a - * default Gateway; if set, the Gateway will claim any Route with a - * matching scope set in its UseDefaultGateway field, subject to the usual - * rules about which routes the Gateway can attach to. - * - * Think carefully before using this functionality! While the normal rules - * about which Route can apply are still enforced, it is simply easier for - * the wrong Route to be accidentally attached to this Gateway in this - * configuration. If the Gateway operator is not also the operator in - * control of the scope (e.g. namespace) with tight controls and checks on - * what kind of workloads and Routes get added in that scope, we strongly - * recommend not using this just because it seems convenient, and instead - * stick to direct Route attachment. - */ - defaultScope?: pulumi.Input; /** * GatewayClassName used for this Gateway. This is the name of a * GatewayClass resource. 
@@ -26366,7 +18512,6 @@ export declare namespace gateway { * logical endpoints that are bound on this Gateway's addresses. * At least one Listener MUST be specified. * - * ## Distinct Listeners * * Each Listener in a set of Listeners (for example, in a single Gateway) * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to 
@@ -26375,107 +18520,97 @@ export declare namespace gateway { * from multiple Gateways onto a single data plane, and these rules _also_ * apply in that case). * + * * Practically, this means that each listener in a set MUST have a unique * combination of Port, Protocol, and, if supported by the protocol, Hostname. * - * Some combinations of port, protocol, and TLS settings are considered - * Core support and MUST be supported by implementations based on the objects - * they support: * - * HTTPRoute + * Some combinations of port, protocol, and TLS settings are considered + * Core support and MUST be supported by implementations based on their + * targeted conformance profile: + * + * + * HTTP Profile + * * * 1. HTTPRoute, Port: 80, Protocol: HTTP * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided * - * TLSRoute + * + * TLS Profile + * * * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough * + * * "Distinct" Listeners have the following property: * - * **The implementation can match inbound requests to a single distinct - * Listener**. * - * When multiple Listeners share values for fields (for + * The implementation can match inbound requests to a single distinct + * Listener. When multiple Listeners share values for fields (for * example, two Listeners with the same Port value), the implementation * can match requests to only one of the Listeners using other * Listener fields. * - * When multiple listeners have the same value for the Protocol field, then - * each of the Listeners with matching Protocol values MUST have different - * values for other fields. * - * The set of fields that MUST be different for a Listener differs per protocol. - * The following rules define the rules for what fields MUST be considered for - * Listeners to be distinct with each protocol currently defined in the - * Gateway API spec. 
+ * For example, the following Listener scenarios are distinct: * - * The set of listeners that all share a protocol value MUST have _different_ - * values for _at least one_ of these fields to be distinct: * - * * **HTTP, HTTPS, TLS**: Port, Hostname - * * **TCP, UDP**: Port + * 1. Multiple Listeners with the same Port that all use the "HTTP" + * Protocol that all have unique Hostname values. + * 2. Multiple Listeners with the same Port that use either the "HTTPS" or + * "TLS" Protocol that all have unique Hostname values. + * 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + * with the same Protocol has the same Port value. * - * One **very** important rule to call out involves what happens when an - * implementation: * - * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - * Listeners, and - * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - * Protocol. + * Some fields in the Listener struct have possible values that affect + * whether the Listener is distinct. Hostname is particularly relevant + * for HTTP or HTTPS protocols. * - * In this case all the Listeners that share a port with the - * TCP Listener are not distinct and so MUST NOT be accepted. * - * If an implementation does not support TCP Protocol Listeners, then the - * previous rule does not apply, and the TCP Listeners SHOULD NOT be - * accepted. + * When using the Hostname value to select between same-Port, same-Protocol + * Listeners, the Hostname value must be different on each Listener for the + * Listener to be distinct. * - * Note that the `tls` field is not used for determining if a listener is distinct, because - * Listeners that _only_ differ on TLS config will still conflict in all cases. 
* - * ### Listeners that are distinct only by Hostname - * - * When the Listeners are distinct based only on Hostname, inbound request + * When the Listeners are distinct based on Hostname, inbound request * hostnames MUST match from the most specific to least specific Hostname * values to choose the correct Listener and its associated set of Routes. * - * Exact matches MUST be processed before wildcard matches, and wildcard - * matches MUST be processed before fallback (empty Hostname value) + * + * Exact matches must be processed before wildcard matches, and wildcard + * matches must be processed before fallback (empty Hostname value) * matches. For example, `"foo.example.com"` takes precedence over * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. * + * * Additionally, if there are multiple wildcard entries, more specific * wildcard entries must be processed before less specific wildcard entries. * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. - * * The precise definition here is that the higher the number of dots in the * hostname to the right of the wildcard character, the higher the precedence. * + * * The wildcard character will match any number of characters _and dots_ to * the left, however, so `"*.example.com"` will match both * `"foo.bar.example.com"` _and_ `"bar.example.com"`. * - * ## Handling indistinct Listeners * * If a set of Listeners contains Listeners that are not distinct, then those - * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + * Listeners are Conflicted, and the implementation MUST set the "Conflicted" * condition in the Listener Status to "True". * - * The words "indistinct" and "conflicted" are considered equivalent for the - * purpose of this documentation. * * Implementations MAY choose to accept a Gateway with some Conflicted * Listeners only if they only accept the partial Listener set that contains - * no Conflicted Listeners. 
+ * no Conflicted Listeners. To put this another way, implementations may + * accept a partial Listener set only if they throw out *all* the conflicting + * Listeners. No picking one of the conflicting listeners as the winner. + * This also means that the Gateway must have at least one non-conflicting + * Listener in this case, otherwise it violates the requirement that at + * least one Listener must be present. * - * Specifically, an implementation MAY accept a partial Listener set subject to - * the following rules: - * - * * The implementation MUST NOT pick one conflicting Listener as the winner. - * ALL indistinct Listeners must not be accepted for processing. - * * At least one distinct Listener MUST be present, or else the Gateway effectively - * contains _no_ Listeners, and must be rejected from processing as a whole. * * The implementation MUST set a "ListenersNotValid" condition on the * Gateway Status when the Gateway contains Conflicted Listeners whether or 
@@ -26484,634 +18619,41 @@ export declare namespace gateway { * Accepted. Additionally, the Listener status for those listeners SHOULD * indicate which Listeners are conflicted and not Accepted. * - * ## General Listener behavior * - * Note that, for all distinct Listeners, requests SHOULD match at most one Listener. - * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - * request to "foo.example.com" SHOULD only be routed using routes attached - * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * A Gateway's Listeners are considered "compatible" if: * - * This concept is known as "Listener Isolation", and it is an Extended feature - * of Gateway API. Implementations that do not support Listener Isolation MUST - * clearly document this, and MUST NOT claim support for the - * `GatewayHTTPListenerIsolation` feature. - * - * Implementations that _do_ support Listener Isolation SHOULD claim support - * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - * conformance tests. - * - * ## Compatible Listeners - * - * A Gateway's Listeners are considered _compatible_ if: * * 1. They are distinct. * 2. The implementation can serve them in compliance with the Addresses * requirement that all Listeners are available on all assigned * addresses. * + * * Compatible combinations in Extended support are expected to vary across * implementations. A combination that is compatible for one implementation * may not be compatible for another. * + * * For example, an implementation that cannot serve both TCP and UDP listeners * on the same address, or cannot mix HTTPS and generic TLS listens on the same port * would not consider those cases compatible, even though they are distinct. * + * + * Note that requests SHOULD match at most one Listener. 
For example, if + * Listeners are defined for "foo.example.com" and "*.example.com", a + * request to "foo.example.com" SHOULD only be routed using routes attached + * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * This concept is known as "Listener Isolation". Implementations that do + * not support Listener Isolation MUST clearly document this. + * + * * Implementations MAY merge separate Gateways onto a single set of * Addresses if all Listeners across all Gateways are compatible. * - * In a future release the MinItems=1 requirement MAY be dropped. * * Support: Core */ listeners?: pulumi.Input[]>; - tls?: pulumi.Input; - } - /** - * TLS specifies frontend and backend tls configuration for entire gateway. - * - * Support: Extended - */ - interface GatewaySpecTls { - backend?: pulumi.Input; - frontend?: pulumi.Input; - } - /** - * Backend describes TLS configuration for gateway when connecting - * to backends. - * - * Note that this contains only details for the Gateway as a TLS client, - * and does _not_ imply behavior about how to choose which backend should - * get a TLS connection. That is determined by the presence of a BackendTLSPolicy. - * - * Support: Core - */ - interface GatewaySpecTlsBackend { - clientCertificateRef?: pulumi.Input; - } - /** - * ClientCertificateRef is a reference to an object that contains a Client - * Certificate and the associated private key. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * ClientCertificateRef can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. 
- * - * Support: Core - */ - interface GatewaySpecTlsBackendClientCertificateRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - /** - * ClientCertificateRef is a reference to an object that contains a Client - * Certificate and the associated private key. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * ClientCertificateRef can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - */ - interface GatewaySpecTlsBackendClientCertificateRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. 
When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - /** - * Backend describes TLS configuration for gateway when connecting - * to backends. - * - * Note that this contains only details for the Gateway as a TLS client, - * and does _not_ imply behavior about how to choose which backend should - * get a TLS connection. That is determined by the presence of a BackendTLSPolicy. - * - * Support: Core - */ - interface GatewaySpecTlsBackendPatch { - clientCertificateRef?: pulumi.Input; - } - /** - * Frontend describes TLS config when client connects to Gateway. - * Support: Core - */ - interface GatewaySpecTlsFrontend { - default?: pulumi.Input; - /** - * PerPort specifies tls configuration assigned per port. - * Per port configuration is optional. Once set this configuration overrides - * the default configuration for all Listeners handling HTTPS traffic - * that match this port. - * Each override port requires a unique TLS configuration. - * - * support: Core - */ - perPort?: pulumi.Input[]>; - } - /** - * Default specifies the default client certificate validation configuration - * for all Listeners handling HTTPS traffic, unless a per-port configuration - * is defined. - * - * support: Core - */ - interface GatewaySpecTlsFrontendDefault { - validation?: pulumi.Input; - } - /** - * Default specifies the default client certificate validation configuration - * for all Listeners handling HTTPS traffic, unless a per-port configuration - * is defined. - * - * support: Core - */ - interface GatewaySpecTlsFrontendDefaultPatch { - validation?: pulumi.Input; - } - /** - * Validation holds configuration information for validating the frontend (client). 
- * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendDefaultValidation { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. 
- * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode?: pulumi.Input; - } - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. 
- * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendDefaultValidationPatch { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. 
- * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode?: pulumi.Input; - } - /** - * Frontend describes TLS config when client connects to Gateway. - * Support: Core - */ - interface GatewaySpecTlsFrontendPatch { - default?: pulumi.Input; - /** - * PerPort specifies tls configuration assigned per port. - * Per port configuration is optional. 
Once set this configuration overrides - * the default configuration for all Listeners handling HTTPS traffic - * that match this port. - * Each override port requires a unique TLS configuration. - * - * support: Core - */ - perPort?: pulumi.Input[]>; - } - interface GatewaySpecTlsFrontendPerPort { - /** - * The Port indicates the Port Number to which the TLS configuration will be - * applied. This configuration will be applied to all Listeners handling HTTPS - * traffic that match this port. - * - * Support: Core - */ - port?: pulumi.Input; - tls?: pulumi.Input; - } - interface GatewaySpecTlsFrontendPerPortPatch { - /** - * The Port indicates the Port Number to which the TLS configuration will be - * applied. This configuration will be applied to all Listeners handling HTTPS - * traffic that match this port. - * - * Support: Core - */ - port?: pulumi.Input; - tls?: pulumi.Input; - } - /** - * TLS store the configuration that will be applied to all Listeners handling - * HTTPS traffic and matching given port. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendPerPortTls { - validation?: pulumi.Input; - } - /** - * TLS store the configuration that will be applied to all Listeners handling - * HTTPS traffic and matching given port. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendPerPortTlsPatch { - validation?: pulumi.Input; - } - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. 
- * - * Support: Core - */ - interface GatewaySpecTlsFrontendPerPortTlsValidation { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. 
- * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode?: pulumi.Input; - } - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". 
- * When set to the empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendPerPortTlsValidationPatch { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). 
- * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode?: pulumi.Input; - } - /** - * TLS specifies frontend and backend tls configuration for entire gateway. - * - * Support: Extended - */ - interface GatewaySpecTlsPatch { - backend?: pulumi.Input; - frontend?: pulumi.Input; } /** * Status defines the current state of Gateway. @@ -27121,9 +18663,11 @@ export declare namespace gateway { * Addresses lists the network addresses that have been bound to the * Gateway. * + * * This list may differ from the addresses provided in the spec under some * conditions: * + * * * no addresses are specified, all addresses are dynamically assigned * * a combination of specified and dynamic addresses are assigned * * a specified address was unusable (e.g. already in use) 
@@ -27132,13 +18676,16 @@ export declare namespace gateway { /** * Conditions describe the current conditions of the Gateway. * + * * Implementations should prefer to express Gateway conditions * using the `GatewayConditionType` and `GatewayConditionReason` * constants so that operators and tools can converge on a common * vocabulary to describe Gateway state. * + * * Known condition types are: * + * * * "Accepted" * * "Programmed" * * "Ready" @@ -27161,12 +18708,29 @@ export declare namespace gateway { * Value of the address. The validity of the values will depend * on the type and support by the controller. * + * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value?: pulumi.Input; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayStatusConditions { /** @@ -27199,6 +18763,10 @@ export declare namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } 
@@ -27210,6 +18778,7 @@ export declare namespace gateway { * AttachedRoutes represents the total number of Routes that have been * successfully attached to this Listener. * + * * Successful attachment of a Route to a Listener is based solely on the * combination of the AllowedRoutes field on the corresponding Listener * and the Route's ParentRefs field. A Route is successfully attached to @@ -27222,6 +18791,7 @@ export declare namespace gateway { * for Listeners with condition Accepted: false and MUST count successfully * attached Routes that may themselves have Accepted: false conditions. * + * * Uses for this field include troubleshooting Route attachment and * measuring blast radius/impact of changes to a Listener. */ @@ -27239,6 +18809,7 @@ export declare namespace gateway { * listener. This MUST represent the kinds an implementation supports for * that Listener configuration. * + * * If kinds are specified in Spec that are not supported, they MUST NOT * appear in this list and an implementation MUST set the "ResolvedRefs" * condition to "False" with the "InvalidRouteKinds" reason. If both valid @@ -27249,6 +18820,22 @@ export declare namespace gateway { } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayStatusListenersConditions { /** 
@@ -27281,6 +18868,10 @@ export declare namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } @@ -27330,17 +18921,21 @@ export declare namespace gateway { * performing a match and (absent of any applicable header modification * configuration) MUST forward this header unmodified to the backend. * + * * Valid values for Hostnames are determined by RFC 1123 definition of a * hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and HTTPRoute, there * must be at least one intersecting hostname for the HTTPRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches HTTPRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -27351,31 +18946,38 @@ export declare namespace gateway { * all match. On the other hand, `example.com` and `test.example.net` would * not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and HTTPRoute have specified hostnames, any * HTTPRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * HTTPRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and HTTPRoute have specified hostnames, and none * match with the criteria above, then the HTTPRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. * overlapping wildcard matching and exact matching hostnames), precedence must * be given to rules from the HTTPRoute with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * + * * If ties exist across multiple Routes, the matching precedence rules for * HTTPRouteMatches takes over. * + * * Support: Core */ hostnames?: pulumi.Input[]>; 
@@ -27391,16 +18993,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -27410,8 +19017,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -27419,12 +19028,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -27432,10 +19043,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -27447,33 +19060,21 @@ export declare namespace gateway { * Rules are a list of HTTP matchers, filters and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** * ParentReference identifies an API object (usually a Gateway) that can be considered * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -27484,23 +19085,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -27508,6 +19114,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -27515,10 +19122,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -27526,6 +19135,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -27533,6 +19143,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -27542,15 +19153,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -27559,6 +19173,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -27566,6 +19181,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -27573,10 +19189,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -27586,6 +19204,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -27595,12 +19214,15 @@ export declare namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -27611,23 +19233,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -27635,6 +19262,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -27642,10 +19270,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -27653,6 +19283,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -27660,6 +19291,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -27669,15 +19301,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -27686,6 +19321,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -27693,6 +19329,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -27700,10 +19337,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -27713,6 +19352,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -27728,17 +19368,21 @@ export declare namespace gateway { * performing a match and (absent of any applicable header modification * configuration) MUST forward this header unmodified to the backend. * + * * Valid values for Hostnames are determined by RFC 1123 definition of a * hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and HTTPRoute, there * must be at least one intersecting hostname for the HTTPRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches HTTPRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -27749,31 +19393,38 @@ export declare namespace gateway { * all match. On the other hand, `example.com` and `test.example.net` would * not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and HTTPRoute have specified hostnames, any * HTTPRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * HTTPRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and HTTPRoute have specified hostnames, and none * match with the criteria above, then the HTTPRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. * overlapping wildcard matching and exact matching hostnames), precedence must * be given to rules from the HTTPRoute with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * + * * If ties exist across multiple Routes, the matching precedence rules for * HTTPRouteMatches takes over. * + * * Support: Core */ hostnames?: pulumi.Input[]>; 
@@ -27789,16 +19440,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -27808,8 +19464,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -27817,12 +19475,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -27830,10 +19490,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -27845,21 +19507,6 @@ export declare namespace gateway { * Rules are a list of HTTP matchers, filters and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** * HTTPRouteRule defines semantics for matching an HTTP request based on 
@@ -27871,37 +19518,41 @@ export declare namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive a 500 status code. * + * * See the HTTPBackendRef definition for the rules about what makes a single * HTTPBackendRef invalid. * + * * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive a 500 status code. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic must receive a 500. Implementations may * choose how that 50 percent is determined. * - * When a HTTPBackendRef refers to a Service that has no ready endpoints, - * implementations SHOULD return a 503 for requests to that backend instead. - * If an implementation chooses to do this, all of the above rules for 500 responses - * MUST also apply for responses that return a 503. * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs?: pulumi.Input[]>; 
@@ -27909,38 +19560,46 @@ export declare namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * Wherever possible, implementations SHOULD implement filters in the order * they are specified. * + * * Implementations MAY choose to implement this ordering strictly, rejecting - * any combination or order of filters that cannot be supported. If implementations + * any combination or order of filters that can not be supported. If implementations * choose a strict interpretation of filter ordering, they MUST clearly document * that behavior. * + * * To reject an invalid combination or order of filters, implementations SHOULD * consider the Route Rules with this configuration invalid. If all Route Rules * in a Route are invalid, the entire Route would be considered invalid. If only * a portion of Route Rules are invalid, implementations MUST set the * "PartiallyInvalid" condition for the Route. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * + * * All filters are expected to be compatible with each other except for the * URLRewrite and RequestRedirect filters, which may not be combined. If an - * implementation cannot support other combinations of filters, they must clearly + * implementation can not support other combinations of filters, they must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. 
* + * * Support: Core */ filters?: pulumi.Input[]>; @@ -27949,8 +19608,10 @@ export declare namespace gateway { * HTTP requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - path: 
@@ -27962,85 +19623,100 @@ export declare namespace gateway { * value: "/v2/foo" * ``` * + * * For a request to match against this rule, a request must satisfy * EITHER of the two conditions: * + * * - path prefixed with `/foo` AND contains the header `version: v2` * - path prefix of `/v2/foo` * + * * See the documentation for HTTPRouteMatch on how to specify multiple * match conditions that should be ANDed together. * + * * If no matches are specified, the default is a prefix * path match on "/", which has the effect of matching every * HTTP request. * + * * Proxy or Load Balancer routing configuration generated from HTTPRoutes * MUST prioritize matches based on the following criteria, continuing on * ties. Across all rules specified on applicable Routes, precedence must be * given to the match having: * + * * * "Exact" path match. * * "Prefix" path match with largest number of characters. * * Method match. * * Largest number of header matches. * * Largest number of query param matches. * + * * Note: The precedence of RegularExpression path matches are implementation-specific. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within an HTTPRoute, matching precedence MUST be granted * to the FIRST matching rule (in list order) with a match meeting the above * criteria. * + * * When no rules matching a request have been successfully attached to the * parent a request is coming from, a HTTP 404 status code MUST be returned. */ matches?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
- * - * Support: Extended - */ - name?: pulumi.Input; - retry?: pulumi.Input; sessionPersistence?: pulumi.Input; timeouts?: pulumi.Input; } /** * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ interface HTTPRouteSpecRulesBackendRefs { /** * Filters defined at this level should be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in HTTPRouteRule.) */ 
@@ -28054,16 +19730,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -28075,11 +19755,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -28099,11 +19781,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; 
@@ -28117,9 +19801,7 @@ export declare namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ interface HTTPRouteSpecRulesBackendRefsFilters { - cors?: pulumi.Input; extensionRef?: pulumi.Input; - externalAuth?: pulumi.Input; requestHeaderModifier?: pulumi.Input; requestMirror?: pulumi.Input; requestRedirect?: pulumi.Input; @@ -28128,14 +19810,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple @@ -28144,16 +19829,20 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -28161,424 +19850,16 @@ export declare namespace gateway { type?: pulumi.Input; urlRewrite?: pulumi.Input; } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesBackendRefsFiltersCors { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). - * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials?: pulumi.Input; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. 
- * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders?: pulumi.Input[]>; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. 
- * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods?: pulumi.Input[]>; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. 
- * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). - * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins?: pulumi.Input[]>; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. 
- * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders?: pulumi.Input[]>; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge?: pulumi.Input; - } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesBackendRefsFiltersCorsPatch { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). 
- * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials?: pulumi.Input; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. 
A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders?: pulumi.Input[]>; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. - * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. 
If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods?: pulumi.Input[]>; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. - * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). 
- * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins?: pulumi.Input[]>; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. - * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. 
- * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders?: pulumi.Input[]>; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge?: pulumi.Input; - } /** * ExtensionRef is an optional, implementation-specific extension to the * "filter" behavior. For example, resource "myroutefilter" in group * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRef { @@ -28602,8 +19883,10 @@ export declare namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch { 
@@ -28621,400 +19904,6 @@ export declare namespace gateway { */ name?: pulumi.Input; } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuth { - backendRef?: pulumi.Input; - forwardBody?: pulumi.Input; - grpc?: pulumi.Input; - http?: pulumi.Input; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol?: pulumi.Input; - } - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. 
- */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - } - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. 
- */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - } - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. 
- * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize?: pulumi.Input; - } - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. 
If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize?: pulumi.Input; - } - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders?: pulumi.Input[]>; - } - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders?: pulumi.Input[]>; - } - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. 
- */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders?: pulumi.Input[]>; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders?: pulumi.Input[]>; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. 
- */ - path?: pulumi.Input; - } - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders?: pulumi.Input[]>; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders?: pulumi.Input[]>; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. 
- * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path?: pulumi.Input; - } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch { - backendRef?: pulumi.Input; - forwardBody?: pulumi.Input; - grpc?: pulumi.Input; - http?: pulumi.Input; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol?: pulumi.Input; - } /** * HTTPRouteFilter defines processing steps that must be completed during the * request or response lifecycle. HTTPRouteFilters are meant as an extension 
@@ -29024,9 +19913,7 @@ export declare namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ interface HTTPRouteSpecRulesBackendRefsFiltersPatch { - cors?: pulumi.Input; extensionRef?: pulumi.Input; - externalAuth?: pulumi.Input; requestHeaderModifier?: pulumi.Input; requestMirror?: pulumi.Input; requestRedirect?: pulumi.Input; @@ -29035,14 +19922,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple @@ -29051,16 +19941,20 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -29072,6 +19966,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier { @@ -29080,15 +19975,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -29100,15 +19998,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -29118,15 +20019,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -29139,7 +20043,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -29159,7 +20064,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -29177,6 +20083,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch { @@ -29185,15 +20092,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -29205,15 +20115,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -29223,15 +20136,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -29244,7 +20160,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -29264,7 +20181,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -29283,48 +20201,46 @@ export declare namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirror { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef { @@ -29337,16 +20253,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -29358,11 +20278,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -29378,26 +20300,32 @@ export declare namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch { @@ -29410,16 +20338,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; 
@@ -29431,11 +20363,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -29448,56 +20382,27 @@ export declare namespace gateway { */ port?: pulumi.Input; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect { 
@@ -29506,6 +20411,7 @@ export declare namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname?: pulumi.Input; @@ -29514,9 +20420,11 @@ export declare namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -29524,14 +20432,17 @@ export declare namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port?: pulumi.Input; 
@@ -29539,29 +20450,36 @@ export declare namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme?: pulumi.Input; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode?: pulumi.Input; @@ -29570,6 +20488,7 @@ export declare namespace gateway { * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch { @@ -29578,6 +20497,7 @@ export declare namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname?: pulumi.Input; 
@@ -29586,9 +20506,11 @@ export declare namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -29596,14 +20518,17 @@ export declare namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port?: pulumi.Input; 
@@ -29611,29 +20536,36 @@ export declare namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme?: pulumi.Input; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode?: pulumi.Input; @@ -29643,6 +20575,7 @@ export declare namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath { 
@@ -29657,26 +20590,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -29688,6 +20638,7 @@ export declare namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch { 
@@ -29702,26 +20653,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -29732,6 +20700,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier { 
@@ -29740,15 +20709,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -29760,15 +20732,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -29778,15 +20753,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -29799,7 +20777,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -29819,7 +20798,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -29837,6 +20817,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch { @@ -29845,15 +20826,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -29865,15 +20849,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -29883,15 +20870,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -29904,7 +20894,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -29924,7 +20915,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -29941,6 +20933,7 @@ export declare namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite { @@ -29948,6 +20941,7 @@ export declare namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname?: pulumi.Input; @@ -29956,6 +20950,7 @@ export declare namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch { @@ -29963,6 +20958,7 @@ export declare namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname?: pulumi.Input; 
@@ -29971,6 +20967,7 @@ export declare namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath { @@ -29985,26 +20982,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -30014,6 +21028,7 @@ export declare namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch { @@ -30028,26 +21043,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -30057,31 +21089,42 @@ export declare namespace gateway { /** * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ interface HTTPRouteSpecRulesBackendRefsPatch { /** * Filters defined at this level should be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in HTTPRouteRule.) */ 
@@ -30095,16 +21138,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -30116,11 +21163,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -30140,11 +21189,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; @@ -30158,9 +21209,7 @@ export declare namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ interface HTTPRouteSpecRulesFilters { - cors?: pulumi.Input; extensionRef?: pulumi.Input; - externalAuth?: pulumi.Input; requestHeaderModifier?: pulumi.Input; requestMirror?: pulumi.Input; requestRedirect?: pulumi.Input; 
@@ -30169,14 +21218,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple @@ -30185,16 +21237,20 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -30202,424 +21258,16 @@ export declare namespace gateway { type?: pulumi.Input; urlRewrite?: pulumi.Input; } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesFiltersCors { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). - * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials?: pulumi.Input; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. 
- * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders?: pulumi.Input[]>; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. 
- * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods?: pulumi.Input[]>; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. 
- * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). - * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins?: pulumi.Input[]>; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. 
- * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders?: pulumi.Input[]>; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge?: pulumi.Input; - } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesFiltersCorsPatch { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). 
- * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials?: pulumi.Input; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. 
A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders?: pulumi.Input[]>; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. - * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. 
If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods?: pulumi.Input[]>; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. - * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). 
- * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins?: pulumi.Input[]>; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. - * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. 
- * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders?: pulumi.Input[]>; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge?: pulumi.Input; - } /** * ExtensionRef is an optional, implementation-specific extension to the * "filter" behavior. For example, resource "myroutefilter" in group * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ interface HTTPRouteSpecRulesFiltersExtensionRef { @@ -30643,8 +21291,10 @@ export declare namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ interface HTTPRouteSpecRulesFiltersExtensionRefPatch { 
@@ -30662,400 +21312,6 @@ export declare namespace gateway { */ name?: pulumi.Input; } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesFiltersExternalAuth { - backendRef?: pulumi.Input; - forwardBody?: pulumi.Input; - grpc?: pulumi.Input; - http?: pulumi.Input; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol?: pulumi.Input; - } - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthBackendRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. 
For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - } - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". 
- * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - } - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. 
Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - interface HTTPRouteSpecRulesFiltersExternalAuthForwardBody { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize?: pulumi.Input; - } - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - interface HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. 
- * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize?: pulumi.Input; - } - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthGrpc { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders?: pulumi.Input[]>; - } - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders?: pulumi.Input[]>; - } - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthHttp { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. 
- * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders?: pulumi.Input[]>; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders?: pulumi.Input[]>; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path?: pulumi.Input; - } - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. 
- */ - interface HTTPRouteSpecRulesFiltersExternalAuthHttpPatch { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders?: pulumi.Input[]>; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders?: pulumi.Input[]>; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. 
- */ - path?: pulumi.Input; - } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesFiltersExternalAuthPatch { - backendRef?: pulumi.Input; - forwardBody?: pulumi.Input; - grpc?: pulumi.Input; - http?: pulumi.Input; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol?: pulumi.Input; - } /** * HTTPRouteFilter defines processing steps that must be completed during the * request or response lifecycle. HTTPRouteFilters are meant as an extension @@ -31065,9 +21321,7 @@ export declare namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ interface HTTPRouteSpecRulesFiltersPatch { - cors?: pulumi.Input; extensionRef?: pulumi.Input; - externalAuth?: pulumi.Input; requestHeaderModifier?: pulumi.Input; requestMirror?: pulumi.Input; requestRedirect?: pulumi.Input; 
@@ -31076,14 +21330,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple @@ -31092,16 +21349,20 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -31113,6 +21374,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface HTTPRouteSpecRulesFiltersRequestHeaderModifier { 
@@ -31121,15 +21383,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -31141,15 +21406,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -31159,15 +21427,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -31180,7 +21451,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -31200,7 +21472,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -31218,6 +21491,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch { @@ -31226,15 +21500,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -31246,15 +21523,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -31264,15 +21544,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -31285,7 +21568,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -31305,7 +21589,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -31324,48 +21609,46 @@ export declare namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersRequestMirror { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRef { 
@@ -31378,16 +21661,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -31399,11 +21686,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -31419,26 +21708,32 @@ export declare namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch { @@ -31451,16 +21746,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; 
@@ -31472,11 +21771,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -31489,56 +21790,27 @@ export declare namespace gateway { */ port?: pulumi.Input; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface HTTPRouteSpecRulesFiltersRequestMirrorFraction { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersRequestMirrorPatch { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ interface HTTPRouteSpecRulesFiltersRequestRedirect { 
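Review bot: The `fraction` and `percent` members are dropped from `HTTPRouteSpecRulesFiltersRequestMirrorPatch` here, along with both `HTTPRouteSpecRulesFiltersRequestMirrorFraction` interfaces, so callers lose the typed way to cap how much traffic is mirrored; the removed doc text says that with neither field set 100% of requests are mirrored to the backend. Together with the later hunk that removes `name`, `retry` and `HTTPRouteSpecRulesRetry`, this reads like a regeneration from an older Gateway API CRD rather than a deliberate API change, though the input CRD is not visible in this diff. Since the file appears to be generator output, the fix belongs in the generator input: confirm which CRD version was fed in and record it in the generated file, e.g. a header comment `// generated from Gateway API CRDs <CRD_VERSION placeholder>`. Any stack that set `percent` or `fraction` on a mirror filter should be checked before it picks up these types.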
@@ -31547,6 +21819,7 @@ export declare namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname?: pulumi.Input; @@ -31555,9 +21828,11 @@ export declare namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -31565,14 +21840,17 @@ export declare namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port?: pulumi.Input; 
@@ -31580,29 +21858,36 @@ export declare namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme?: pulumi.Input; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode?: pulumi.Input; @@ -31611,6 +21896,7 @@ export declare namespace gateway { * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ interface HTTPRouteSpecRulesFiltersRequestRedirectPatch { @@ -31619,6 +21905,7 @@ export declare namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname?: pulumi.Input; 
@@ -31627,9 +21914,11 @@ export declare namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -31637,14 +21926,17 @@ export declare namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port?: pulumi.Input; 
@@ -31652,29 +21944,36 @@ export declare namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme?: pulumi.Input; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode?: pulumi.Input; @@ -31684,6 +21983,7 @@ export declare namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersRequestRedirectPath { 
@@ -31698,26 +21998,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -31729,6 +22046,7 @@ export declare namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersRequestRedirectPathPatch { 
@@ -31743,26 +22061,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -31773,6 +22108,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersResponseHeaderModifier { 
@@ -31781,15 +22117,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -31801,15 +22140,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -31819,15 +22161,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -31840,7 +22185,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -31860,7 +22206,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -31878,6 +22225,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch { @@ -31886,15 +22234,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -31906,15 +22257,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -31924,15 +22278,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -31945,7 +22302,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -31965,7 +22323,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -31982,6 +22341,7 @@ export declare namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersUrlRewrite { @@ -31989,6 +22349,7 @@ export declare namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname?: pulumi.Input; @@ -31997,6 +22358,7 @@ export declare namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersUrlRewritePatch { @@ -32004,6 +22366,7 @@ export declare namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname?: pulumi.Input; 
@@ -32012,6 +22375,7 @@ export declare namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersUrlRewritePath { @@ -32026,26 +22390,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -32055,6 +22436,7 @@ export declare namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersUrlRewritePathPatch { @@ -32069,26 +22451,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -32100,18 +22499,22 @@ export declare namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a HTTP request only if its path * starts with `/foo` AND it contains the `version: v1` header: * + * * ``` * match: * + * * path: * value: "/foo" * headers: * - name: "version" * value "v1" * + * * ``` */ interface HTTPRouteSpecRulesMatches { @@ -32126,6 +22529,7 @@ export declare namespace gateway { * When specified, this route will be matched only if the request has the * specified method. * + * * Support: Extended */ method?: pulumi.Input; @@ -32135,6 +22539,7 @@ export declare namespace gateway { * values are ANDed together, meaning, a request must match all the * specified query parameters to select the route. * + * * Support: Extended */ queryParams?: pulumi.Input[]>; @@ -32146,7 +22551,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesMatchesHeaders { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent @@ -32154,6 +22560,7 @@ export declare namespace gateway { * case-insensitivity of header names, "foo" and "Foo" are considered * equivalent. * + * * When a header is repeated in an HTTP request, it is * implementation-specific behavior as to how this is represented. * Generally, proxies should follow the guidance from the RFC: 
@@ -32164,10 +22571,13 @@ export declare namespace gateway { /** * Type specifies how to match against the value of the header. * + * * Support: Core (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression HeaderMatchType has implementation-specific * conformance, implementations can support POSIX, PCRE or any other dialects * of regular expressions. Please read the implementation's documentation to @@ -32186,7 +22596,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesMatchesHeadersPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent @@ -32194,6 +22605,7 @@ export declare namespace gateway { * case-insensitivity of header names, "foo" and "Foo" are considered * equivalent. * + * * When a header is repeated in an HTTP request, it is * implementation-specific behavior as to how this is represented. * Generally, proxies should follow the guidance from the RFC: @@ -32204,10 +22616,13 @@ export declare namespace gateway { /** * Type specifies how to match against the value of the header. * + * * Support: Core (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression HeaderMatchType has implementation-specific * conformance, implementations can support POSIX, PCRE or any other dialects * of regular expressions. Please read the implementation's documentation to 
@@ -32224,18 +22639,22 @@ export declare namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a HTTP request only if its path * starts with `/foo` AND it contains the `version: v1` header: * + * * ``` * match: * + * * path: * value: "/foo" * headers: * - name: "version" * value "v1" * + * * ``` */ interface HTTPRouteSpecRulesMatchesPatch { @@ -32250,6 +22669,7 @@ export declare namespace gateway { * When specified, this route will be matched only if the request has the * specified method. * + * * Support: Extended */ method?: pulumi.Input; @@ -32259,6 +22679,7 @@ export declare namespace gateway { * values are ANDed together, meaning, a request must match all the * specified query parameters to select the route. * + * * Support: Extended */ queryParams?: pulumi.Input[]>; @@ -32271,8 +22692,10 @@ export declare namespace gateway { /** * Type specifies how to match against the path Value. * + * * Support: Core (Exact, PathPrefix) * + * * Support: Implementation-specific (RegularExpression) */ type?: pulumi.Input; @@ -32289,8 +22712,10 @@ export declare namespace gateway { /** * Type specifies how to match against the path Value. * + * * Support: Core (Exact, PathPrefix) * + * * Support: Implementation-specific (RegularExpression) */ type?: pulumi.Input; @@ -32309,10 +22734,12 @@ export declare namespace gateway { * exact string match. (See * https://tools.ietf.org/html/rfc7230#section-2.7.3). * + * * If multiple entries specify equivalent query param names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent query param name MUST be ignored. * + * * If a query param is repeated in an HTTP request, the behavior is * purposely left undefined, since different data planes have different * capabilities. However, it is *recommended* that implementations should 
@@ -32320,6 +22747,7 @@ export declare namespace gateway { * as this behavior is expected in other load balancing contexts outside of * the Gateway API. * + * * Users SHOULD NOT route traffic based on repeated query params to guard * themselves against potential differences in the implementations. */ @@ -32327,10 +22755,13 @@ export declare namespace gateway { /** * Type specifies how to match against the value of the query parameter. * + * * Support: Extended (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression QueryParamMatchType has Implementation-specific * conformance, implementations can support POSIX, PCRE or any other * dialects of regular expressions. Please read the implementation's @@ -32352,10 +22783,12 @@ export declare namespace gateway { * exact string match. (See * https://tools.ietf.org/html/rfc7230#section-2.7.3). * + * * If multiple entries specify equivalent query param names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent query param name MUST be ignored. * + * * If a query param is repeated in an HTTP request, the behavior is * purposely left undefined, since different data planes have different * capabilities. However, it is *recommended* that implementations should @@ -32363,6 +22796,7 @@ export declare namespace gateway { * as this behavior is expected in other load balancing contexts outside of * the Gateway API. * + * * Users SHOULD NOT route traffic based on repeated query params to guard * themselves against potential differences in the implementations. */ 
@@ -32370,10 +22804,13 @@ export declare namespace gateway { /** * Type specifies how to match against the value of the query parameter. * + * * Support: Extended (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression QueryParamMatchType has Implementation-specific * conformance, implementations can support POSIX, PCRE or any other * dialects of regular expressions. Please read the implementation's 
@@ -32395,37 +22832,41 @@ export declare namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive a 500 status code. * + * * See the HTTPBackendRef definition for the rules about what makes a single * HTTPBackendRef invalid. * + * * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive a 500 status code. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic must receive a 500. Implementations may * choose how that 50 percent is determined. * - * When a HTTPBackendRef refers to a Service that has no ready endpoints, - * implementations SHOULD return a 503 for requests to that backend instead. - * If an implementation chooses to do this, all of the above rules for 500 responses - * MUST also apply for responses that return a 503. * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs?: pulumi.Input[]>; 
@@ -32433,38 +22874,46 @@ export declare namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * Wherever possible, implementations SHOULD implement filters in the order * they are specified. * + * * Implementations MAY choose to implement this ordering strictly, rejecting - * any combination or order of filters that cannot be supported. If implementations + * any combination or order of filters that can not be supported. If implementations * choose a strict interpretation of filter ordering, they MUST clearly document * that behavior. * + * * To reject an invalid combination or order of filters, implementations SHOULD * consider the Route Rules with this configuration invalid. If all Route Rules * in a Route are invalid, the entire Route would be considered invalid. If only * a portion of Route Rules are invalid, implementations MUST set the * "PartiallyInvalid" condition for the Route. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * + * * All filters are expected to be compatible with each other except for the * URLRewrite and RequestRedirect filters, which may not be combined. If an - * implementation cannot support other combinations of filters, they must clearly + * implementation can not support other combinations of filters, they must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. 
* + * * Support: Core */ filters?: pulumi.Input[]>; @@ -32473,8 +22922,10 @@ export declare namespace gateway { * HTTP requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - path: 
@@ -32486,193 +22937,66 @@ export declare namespace gateway { * value: "/v2/foo" * ``` * + * * For a request to match against this rule, a request must satisfy * EITHER of the two conditions: * + * * - path prefixed with `/foo` AND contains the header `version: v2` * - path prefix of `/v2/foo` * + * * See the documentation for HTTPRouteMatch on how to specify multiple * match conditions that should be ANDed together. * + * * If no matches are specified, the default is a prefix * path match on "/", which has the effect of matching every * HTTP request. * + * * Proxy or Load Balancer routing configuration generated from HTTPRoutes * MUST prioritize matches based on the following criteria, continuing on * ties. Across all rules specified on applicable Routes, precedence must be * given to the match having: * + * * * "Exact" path match. * * "Prefix" path match with largest number of characters. * * Method match. * * Largest number of header matches. * * Largest number of query param matches. * + * * Note: The precedence of RegularExpression path matches are implementation-specific. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within an HTTPRoute, matching precedence MUST be granted * to the FIRST matching rule (in list order) with a match meeting the above * criteria. * + * * When no rules matching a request have been successfully attached to the * parent a request is coming from, a HTTP 404 status code MUST be returned. */ matches?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
- * - * Support: Extended - */ - name?: pulumi.Input; - retry?: pulumi.Input; sessionPersistence?: pulumi.Input; timeouts?: pulumi.Input; } - /** - * Retry defines the configuration for when to retry an HTTP request. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesRetry { - /** - * Attempts specifies the maximum number of times an individual request - * from the gateway to a backend should be retried. - * - * If the maximum number of retries has been attempted without a successful - * response from the backend, the Gateway MUST return an error. - * - * When this field is unspecified, the number of times to attempt to retry - * a backend request is implementation-specific. - * - * Support: Extended - */ - attempts?: pulumi.Input; - /** - * Backoff specifies the minimum duration a Gateway should wait between - * retry attempts and is represented in Gateway API Duration formatting. - * - * For example, setting the `rules[].retry.backoff` field to the value - * `100ms` will cause a backend request to first be retried approximately - * 100 milliseconds after timing out or receiving a response code configured - * to be retryable. - * - * An implementation MAY use an exponential or alternative backoff strategy - * for subsequent retry attempts, MAY cap the maximum backoff duration to - * some amount greater than the specified minimum, and MAY add arbitrary - * jitter to stagger requests, as long as unsuccessful backend requests are - * not retried before the configured minimum duration. - * - * If a Request timeout (`rules[].timeouts.request`) is configured on the - * route, the entire duration of the initial request and any retry attempts - * MUST not exceed the Request timeout duration. If any retry attempts are - * still in progress when the Request timeout duration has been reached, - * these SHOULD be canceled if possible and the Gateway MUST immediately - * return a timeout error. 
- * - * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - * configured on the route, any retry attempts which reach the configured - * BackendRequest timeout duration without a response SHOULD be canceled if - * possible and the Gateway should wait for at least the specified backoff - * duration before attempting to retry the backend request again. - * - * If a BackendRequest timeout is _not_ configured on the route, retry - * attempts MAY time out after an implementation default duration, or MAY - * remain pending until a configured Request timeout or implementation - * default duration for total request time is reached. - * - * When this field is unspecified, the time to wait between retry attempts - * is implementation-specific. - * - * Support: Extended - */ - backoff?: pulumi.Input; - /** - * Codes defines the HTTP response status codes for which a backend request - * should be retried. - * - * Support: Extended - */ - codes?: pulumi.Input[]>; - } - /** - * Retry defines the configuration for when to retry an HTTP request. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesRetryPatch { - /** - * Attempts specifies the maximum number of times an individual request - * from the gateway to a backend should be retried. - * - * If the maximum number of retries has been attempted without a successful - * response from the backend, the Gateway MUST return an error. - * - * When this field is unspecified, the number of times to attempt to retry - * a backend request is implementation-specific. - * - * Support: Extended - */ - attempts?: pulumi.Input; - /** - * Backoff specifies the minimum duration a Gateway should wait between - * retry attempts and is represented in Gateway API Duration formatting. 
- * - * For example, setting the `rules[].retry.backoff` field to the value - * `100ms` will cause a backend request to first be retried approximately - * 100 milliseconds after timing out or receiving a response code configured - * to be retryable. - * - * An implementation MAY use an exponential or alternative backoff strategy - * for subsequent retry attempts, MAY cap the maximum backoff duration to - * some amount greater than the specified minimum, and MAY add arbitrary - * jitter to stagger requests, as long as unsuccessful backend requests are - * not retried before the configured minimum duration. - * - * If a Request timeout (`rules[].timeouts.request`) is configured on the - * route, the entire duration of the initial request and any retry attempts - * MUST not exceed the Request timeout duration. If any retry attempts are - * still in progress when the Request timeout duration has been reached, - * these SHOULD be canceled if possible and the Gateway MUST immediately - * return a timeout error. - * - * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - * configured on the route, any retry attempts which reach the configured - * BackendRequest timeout duration without a response SHOULD be canceled if - * possible and the Gateway should wait for at least the specified backoff - * duration before attempting to retry the backend request again. - * - * If a BackendRequest timeout is _not_ configured on the route, retry - * attempts MAY time out after an implementation default duration, or MAY - * remain pending until a configured Request timeout or implementation - * default duration for total request time is reached. - * - * When this field is unspecified, the time to wait between retry attempts - * is implementation-specific. - * - * Support: Extended - */ - backoff?: pulumi.Input; - /** - * Codes defines the HTTP response status codes for which a backend request - * should be retried. 
- * - * Support: Extended - */ - codes?: pulumi.Input[]>; - } /** * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ interface HTTPRouteSpecRulesSessionPersistence { @@ -32681,6 +23005,7 @@ export declare namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout?: pulumi.Input; @@ -32690,6 +23015,7 @@ export declare namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout?: pulumi.Input; @@ -32699,6 +23025,7 @@ export declare namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName?: pulumi.Input; @@ -32707,8 +23034,10 @@ export declare namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type?: pulumi.Input; @@ -32717,6 +23046,7 @@ export declare namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ interface HTTPRouteSpecRulesSessionPersistenceCookieConfig { @@ -32727,18 +23057,20 @@ export declare namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType?: pulumi.Input; 
@@ -32747,6 +23079,7 @@ export declare namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ interface HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch { @@ -32757,18 +23090,20 @@ export declare namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType?: pulumi.Input; @@ -32777,6 +23112,7 @@ export declare namespace gateway { * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ interface HTTPRouteSpecRulesSessionPersistencePatch { @@ -32785,6 +23121,7 @@ export declare namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout?: pulumi.Input; @@ -32794,6 +23131,7 @@ export declare namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout?: pulumi.Input; @@ -32803,6 +23141,7 @@ export declare namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName?: pulumi.Input; @@ -32811,8 +23150,10 @@ export declare namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type?: pulumi.Input; 
@@ -32820,6 +23161,7 @@ export declare namespace gateway { /** * Timeouts defines the timeouts that can be configured for an HTTP request. * + * * Support: Extended */ interface HTTPRouteSpecRulesTimeouts { @@ -32828,19 +23170,21 @@ export declare namespace gateway { * to a backend. This covers the time from when the request first starts being * sent from the gateway to when the full response has been received from the backend. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * An entire client HTTP transaction with a gateway, covered by the Request timeout, * may result in more than one call from the gateway to the destination backend, * for example, if automatic retries are supported. * - * The value of BackendRequest must be a Gateway API Duration string as defined by - * GEP-2257. When this field is unspecified, its behavior is implementation-specific; - * when specified, the value of BackendRequest must be no more than the value of the - * Request timeout (since the Request timeout encompasses the BackendRequest timeout). + * + * Because the Request timeout encompasses the BackendRequest timeout, the value of + * BackendRequest must be <= the value of Request timeout. + * * * Support: Extended */ 
@@ -32850,22 +23194,26 @@ export declare namespace gateway { * If the gateway has not been able to respond before this deadline is met, the gateway * MUST return a timeout error. * + * * For example, setting the `rules.timeouts.request` field to the value `10s` in an * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds * to complete. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * This timeout is intended to cover as close to the whole request-response transaction * as possible although an implementation MAY choose to start the timeout after the entire * request stream has been received instead of immediately after the transaction is * initiated by the client. * - * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - * field is unspecified, request timeout behavior is implementation-specific. + * + * When this field is unspecified, request timeout behavior is implementation-specific. + * * * Support: Extended */ @@ -32874,6 +23222,7 @@ export declare namespace gateway { /** * Timeouts defines the timeouts that can be configured for an HTTP request. * + * * Support: Extended */ interface HTTPRouteSpecRulesTimeoutsPatch { 
@@ -32882,19 +23231,21 @@ export declare namespace gateway { * to a backend. This covers the time from when the request first starts being * sent from the gateway to when the full response has been received from the backend. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * An entire client HTTP transaction with a gateway, covered by the Request timeout, * may result in more than one call from the gateway to the destination backend, * for example, if automatic retries are supported. * - * The value of BackendRequest must be a Gateway API Duration string as defined by - * GEP-2257. When this field is unspecified, its behavior is implementation-specific; - * when specified, the value of BackendRequest must be no more than the value of the - * Request timeout (since the Request timeout encompasses the BackendRequest timeout). + * + * Because the Request timeout encompasses the BackendRequest timeout, the value of + * BackendRequest must be <= the value of Request timeout. + * * * Support: Extended */ 
@@ -32904,22 +23255,26 @@ export declare namespace gateway { * If the gateway has not been able to respond before this deadline is met, the gateway * MUST return a timeout error. * + * * For example, setting the `rules.timeouts.request` field to the value `10s` in an * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds * to complete. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * This timeout is intended to cover as close to the whole request-response transaction * as possible although an implementation MAY choose to start the timeout after the entire * request stream has been received instead of immediately after the transaction is * initiated by the client. * - * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - * field is unspecified, request timeout behavior is implementation-specific. + * + * When this field is unspecified, request timeout behavior is implementation-specific. + * * * Support: Extended */ @@ -32937,11 +23292,13 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -32957,19 +23314,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -32979,12 +23340,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -32994,6 +23358,22 @@ export declare namespace gateway { } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface HTTPRouteStatusParentsConditions { /** @@ -33026,6 +23406,10 @@ export declare namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } @@ -33040,23 +23424,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -33064,6 +23453,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -33071,10 +23461,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -33082,6 +23474,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -33089,6 +23482,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -33098,15 +23492,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -33115,6 +23512,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -33122,6 +23520,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -33129,10 +23528,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -33142,253 +23543,83 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; } } - namespace v1alpha1 { + namespace v1alpha2 { /** - * XBackendTrafficPolicy defines the configuration for how traffic to a - * target backend should be handled. + * BackendLBPolicy provides a way to define load balancing rules + * for a backend. */ - interface XBackendTrafficPolicy { + interface BackendLBPolicy { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"XBackendTrafficPolicy">; + kind?: pulumi.Input<"BackendLBPolicy">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ metadata?: pulumi.Input; - spec?: pulumi.Input; - status?: pulumi.Input; + spec?: pulumi.Input; + status?: pulumi.Input; } /** - * Spec defines the desired state of BackendTrafficPolicy. + * Spec defines the desired state of BackendLBPolicy. 
*/ - interface XBackendTrafficPolicySpec { - retryConstraint?: pulumi.Input; - sessionPersistence?: pulumi.Input; + interface BackendLBPolicySpec { + sessionPersistence?: pulumi.Input; /** - * TargetRefs identifies API object(s) to apply this policy to. - * Currently, Backends (A grouping of like endpoints such as Service, - * ServiceImport, or any implementation-specific backendRef) are the only - * valid API target references. - * - * Currently, a TargetRef can not be scoped to a specific port on a - * Service. + * TargetRef identifies an API object to apply policy to. + * Currently, Backends (i.e. Service, ServiceImport, or any + * implementation-specific backendRef) are the only valid API + * target references. */ - targetRefs?: pulumi.Input[]>; + targetRefs?: pulumi.Input[]>; } /** - * Spec defines the desired state of BackendTrafficPolicy. + * Spec defines the desired state of BackendLBPolicy. */ - interface XBackendTrafficPolicySpecPatch { - retryConstraint?: pulumi.Input; - sessionPersistence?: pulumi.Input; + interface BackendLBPolicySpecPatch { + sessionPersistence?: pulumi.Input; /** - * TargetRefs identifies API object(s) to apply this policy to. - * Currently, Backends (A grouping of like endpoints such as Service, - * ServiceImport, or any implementation-specific backendRef) are the only - * valid API target references. - * - * Currently, a TargetRef can not be scoped to a specific port on a - * Service. + * TargetRef identifies an API object to apply policy to. + * Currently, Backends (i.e. Service, ServiceImport, or any + * implementation-specific backendRef) are the only valid API + * target references. */ - targetRefs?: pulumi.Input[]>; - } - /** - * RetryConstraint defines the configuration for when to allow or prevent - * further retries to a target backend, by dynamically calculating a 'retry - * budget'. This budget is calculated based on the percentage of incoming - * traffic composed of retries over a given time interval. 
Once the budget - * is exceeded, additional retries will be rejected. - * - * For example, if the retry budget interval is 10 seconds, there have been - * 1000 active requests in the past 10 seconds, and the allowed percentage - * of requests that can be retried is 20% (the default), then 200 of those - * requests may be composed of retries. Active requests will only be - * considered for the duration of the interval when calculating the retry - * budget. Retrying the same original request multiple times within the - * retry budget interval will lead to each retry being counted towards - * calculating the budget. - * - * Configuring a RetryConstraint in BackendTrafficPolicy is compatible with - * HTTPRoute Retry settings for each HTTPRouteRule that targets the same - * backend. While the HTTPRouteRule Retry stanza can specify whether a - * request will be retried, and the number of retry attempts each client - * may perform, RetryConstraint helps prevent cascading failures such as - * retry storms during periods of consistent failures. - * - * After the retry budget has been exceeded, additional retries to the - * backend MUST return a 503 response to the client. - * - * Additional configurations for defining a constraint on retries MAY be - * defined in the future. - * - * Support: Extended - */ - interface XBackendTrafficPolicySpecRetryConstraint { - budget?: pulumi.Input; - minRetryRate?: pulumi.Input; - } - /** - * Budget holds the details of the retry budget configuration. - */ - interface XBackendTrafficPolicySpecRetryConstraintBudget { - /** - * Interval defines the duration in which requests will be considered - * for calculating the budget for retries. - * - * Support: Extended - */ - interval?: pulumi.Input; - /** - * Percent defines the maximum percentage of active requests that may - * be made up of retries. - * - * Support: Extended - */ - percent?: pulumi.Input; - } - /** - * Budget holds the details of the retry budget configuration. 
- */ - interface XBackendTrafficPolicySpecRetryConstraintBudgetPatch { - /** - * Interval defines the duration in which requests will be considered - * for calculating the budget for retries. - * - * Support: Extended - */ - interval?: pulumi.Input; - /** - * Percent defines the maximum percentage of active requests that may - * be made up of retries. - * - * Support: Extended - */ - percent?: pulumi.Input; - } - /** - * MinRetryRate defines the minimum rate of retries that will be allowable - * over a specified duration of time. - * - * The effective overall minimum rate of retries targeting the backend - * service may be much higher, as there can be any number of clients which - * are applying this setting locally. - * - * This ensures that requests can still be retried during periods of low - * traffic, where the budget for retries may be calculated as a very low - * value. - * - * Support: Extended - */ - interface XBackendTrafficPolicySpecRetryConstraintMinRetryRate { - /** - * Count specifies the number of requests per time interval. - * - * Support: Extended - */ - count?: pulumi.Input; - /** - * Interval specifies the divisor of the rate of requests, the amount of - * time during which the given count of requests occur. - * - * Support: Extended - */ - interval?: pulumi.Input; - } - /** - * MinRetryRate defines the minimum rate of retries that will be allowable - * over a specified duration of time. - * - * The effective overall minimum rate of retries targeting the backend - * service may be much higher, as there can be any number of clients which - * are applying this setting locally. - * - * This ensures that requests can still be retried during periods of low - * traffic, where the budget for retries may be calculated as a very low - * value. - * - * Support: Extended - */ - interface XBackendTrafficPolicySpecRetryConstraintMinRetryRatePatch { - /** - * Count specifies the number of requests per time interval. 
- * - * Support: Extended - */ - count?: pulumi.Input; - /** - * Interval specifies the divisor of the rate of requests, the amount of - * time during which the given count of requests occur. - * - * Support: Extended - */ - interval?: pulumi.Input; - } - /** - * RetryConstraint defines the configuration for when to allow or prevent - * further retries to a target backend, by dynamically calculating a 'retry - * budget'. This budget is calculated based on the percentage of incoming - * traffic composed of retries over a given time interval. Once the budget - * is exceeded, additional retries will be rejected. - * - * For example, if the retry budget interval is 10 seconds, there have been - * 1000 active requests in the past 10 seconds, and the allowed percentage - * of requests that can be retried is 20% (the default), then 200 of those - * requests may be composed of retries. Active requests will only be - * considered for the duration of the interval when calculating the retry - * budget. Retrying the same original request multiple times within the - * retry budget interval will lead to each retry being counted towards - * calculating the budget. - * - * Configuring a RetryConstraint in BackendTrafficPolicy is compatible with - * HTTPRoute Retry settings for each HTTPRouteRule that targets the same - * backend. While the HTTPRouteRule Retry stanza can specify whether a - * request will be retried, and the number of retry attempts each client - * may perform, RetryConstraint helps prevent cascading failures such as - * retry storms during periods of consistent failures. - * - * After the retry budget has been exceeded, additional retries to the - * backend MUST return a 503 response to the client. - * - * Additional configurations for defining a constraint on retries MAY be - * defined in the future. 
- * - * Support: Extended - */ - interface XBackendTrafficPolicySpecRetryConstraintPatch { - budget?: pulumi.Input; - minRetryRate?: pulumi.Input; + targetRefs?: pulumi.Input[]>; } /** * SessionPersistence defines and configures session persistence * for the backend. * + * * Support: Extended */ - interface XBackendTrafficPolicySpecSessionPersistence { + interface BackendLBPolicySpecSessionPersistence { /** * AbsoluteTimeout defines the absolute timeout of the persistent * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout?: pulumi.Input; - cookieConfig?: pulumi.Input; + cookieConfig?: pulumi.Input; /** * IdleTimeout defines the idle timeout of the persistent session. * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout?: pulumi.Input; @@ -33398,6 +23629,7 @@ export declare namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName?: pulumi.Input; @@ -33406,8 +23638,10 @@ export declare namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type?: pulumi.Input; @@ -33416,9 +23650,10 @@ export declare namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ - interface XBackendTrafficPolicySpecSessionPersistenceCookieConfig { + interface BackendLBPolicySpecSessionPersistenceCookieConfig { /** * LifetimeType specifies whether the cookie has a permanent or * session-based lifetime. A permanent cookie persists until its 
@@ -33426,18 +23661,20 @@ export declare namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType?: pulumi.Input; @@ -33446,9 +23683,10 @@ export declare namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ - interface XBackendTrafficPolicySpecSessionPersistenceCookieConfigPatch { + interface BackendLBPolicySpecSessionPersistenceCookieConfigPatch { /** * LifetimeType specifies whether the cookie has a permanent or * session-based lifetime. A permanent cookie persists until its @@ -33456,18 +23694,20 @@ export declare namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType?: pulumi.Input; 
@@ -33476,23 +23716,26 @@ export declare namespace gateway { * SessionPersistence defines and configures session persistence * for the backend. * + * * Support: Extended */ - interface XBackendTrafficPolicySpecSessionPersistencePatch { + interface BackendLBPolicySpecSessionPersistencePatch { /** * AbsoluteTimeout defines the absolute timeout of the persistent * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout?: pulumi.Input; - cookieConfig?: pulumi.Input; + cookieConfig?: pulumi.Input; /** * IdleTimeout defines the idle timeout of the persistent session. * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout?: pulumi.Input; @@ -33502,6 +23745,7 @@ export declare namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName?: pulumi.Input; @@ -33510,8 +23754,10 @@ export declare namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type?: pulumi.Input; @@ -33523,7 +23769,7 @@ export declare namespace gateway { * policy attachment model works, and a sample Policy resource, refer to * the policy attachment documentation for Gateway API. */ - interface XBackendTrafficPolicySpecTargetRefs { + interface BackendLBPolicySpecTargetRefs { /** * Group is the group of the target resource. */ @@ -33544,7 +23790,7 @@ export declare namespace gateway { * policy attachment model works, and a sample Policy resource, refer to * the policy attachment documentation for Gateway API. */ - interface XBackendTrafficPolicySpecTargetRefsPatch { + interface BackendLBPolicySpecTargetRefsPatch { /** * Group is the group of the target resource. */ 
@@ -33559,9 +23805,9 @@ export declare namespace gateway { name?: pulumi.Input; } /** - * Status defines the current state of BackendTrafficPolicy. + * Status defines the current state of BackendLBPolicy. */ - interface XBackendTrafficPolicyStatus { + interface BackendLBPolicyStatus { /** * Ancestors is a list of ancestor resources (usually Gateways) that are * associated with the policy, and the status of the policy with respect to @@ -33570,22 +23816,27 @@ export declare namespace gateway { * the controller first sees the policy and SHOULD update the entry as * appropriate when the relevant ancestor is modified. * + * * Note that choosing the relevant ancestor is left to the Policy designers; * an important part of Policy design is designing the right object level at * which to namespace this status. * + * * Note also that implementations MUST ONLY populate ancestor status for * the Ancestor resources they are responsible for. Implementations MUST * use the ControllerName field to uniquely identify the entries in this list * that they are responsible for. * + * * Note that to achieve this, the list of PolicyAncestorStatus structs * MUST be treated as a map with a composite key, made up of the AncestorRef * and ControllerName fields combined. * + * * A maximum of 16 ancestors will be represented in this list. An empty list * means the Policy is not relevant for any ancestors. * + * * If this slice is full, implementations MUST NOT add further entries. * Instead they MUST consider the policy unimplementable and signal that * on any related resources such as the ancestor that would be referenced 
@@ -33593,12 +23844,13 @@ export declare namespace gateway { * additional Gateways would be able to reference the Service targeted by * the BackendTLSPolicy. */ - ancestors?: pulumi.Input[]>; + ancestors?: pulumi.Input[]>; } /** * PolicyAncestorStatus describes the status of a route with respect to an * associated Ancestor. * + * * Ancestors refer to objects that are either the Target of a policy or above it * in terms of object hierarchy. For example, if a policy targets a Service, the * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and 
@@ -33607,43 +23859,51 @@ export declare namespace gateway { * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers * have a _very_ good reason otherwise. * + * * In the context of policy attachment, the Ancestor is used to distinguish which * resource results in a distinct application of this policy. For example, if a policy * targets a Service, it may have a distinct result per attached Gateway. * + * * Policies targeting the same resource may have different effects depending on the * ancestors of those resources. For example, different Gateways targeting the same * Service may have different capabilities, especially if they have different underlying * implementations. * + * * For example, in BackendTLSPolicy, the Policy attaches to a Service that is * used as a backend in a HTTPRoute that is itself attached to a Gateway. * In this case, the relevant object for status is the Gateway, and that is the * ancestor object referred to in this status. * + * * Note that a parent is also an ancestor, so for objects where the parent is the * relevant object for status, this struct SHOULD still be used. * + * * This struct is intended to be used in a slice that's effectively a map, * with a composite key made up of the AncestorRef and the ControllerName. */ - interface XBackendTrafficPolicyStatusAncestors { - ancestorRef?: pulumi.Input; + interface BackendLBPolicyStatusAncestors { + ancestorRef?: pulumi.Input; /** * Conditions describes the status of the Policy with respect to the given Ancestor. */ - conditions?: pulumi.Input[]>; + conditions?: pulumi.Input[]>; /** * ControllerName is a domain/path string that indicates the name of the * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". 
* + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. @@ -33654,30 +23914,35 @@ export declare namespace gateway { * AncestorRef corresponds with a ParentRef in the spec that this * PolicyAncestorStatus struct describes the status of. */ - interface XBackendTrafficPolicyStatusAncestorsAncestorRef { + interface BackendLBPolicyStatusAncestorsAncestorRef { /** * Group is the group of the referent. * When unspecified, "gateway.networking.k8s.io" is inferred. * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -33685,6 +23950,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -33692,10 +23958,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -33703,6 +23971,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -33710,6 +23979,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -33719,15 +23989,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, 
@@ -33736,6 +24009,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -33743,6 +24017,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -33750,10 +24025,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -33763,14 +24040,31 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ - interface XBackendTrafficPolicyStatusAncestorsConditions { + interface BackendLBPolicyStatusAncestorsConditions { /** * lastTransitionTime is the last time the condition transitioned from one status to another. * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
@@ -33801,523 +24095,861 @@ export declare namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } /** - * XListenerSet defines a set of additional listeners to attach to an existing Gateway. - * This resource provides a mechanism to merge multiple listeners into a single Gateway. + * GRPCRoute provides a way to route gRPC requests. This includes the capability + * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. + * Filters can be used to specify additional processing steps. Backends specify + * where matching requests will be routed. * - * The parent Gateway must explicitly allow ListenerSet attachment through its - * AllowedListeners configuration. By default, Gateways do not allow ListenerSet - * attachment. * - * Routes can attach to a ListenerSet by specifying it as a parentRef, and can - * optionally target specific listeners using the sectionName field. + * GRPCRoute falls under extended support within the Gateway API. Within the + * following specification, the word "MUST" indicates that an implementation + * supporting GRPCRoute must conform to the indicated requirement, but an + * implementation not supporting this route type need not follow the requirement + * unless explicitly indicated. 
* - * Policy Attachment: - * - Policies that attach to a ListenerSet apply to all listeners defined in that resource - * - Policies do not impact listeners in the parent Gateway - * - Different ListenerSets attached to the same Gateway can have different policies - * - If an implementation cannot apply a policy to specific listeners, it should reject the policy * - * ReferenceGrant Semantics: - * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets - * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners - * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant + * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST + * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via + * ALPN. If the implementation does not support this, then it MUST set the + * "Accepted" condition to "False" for the affected listener with a reason of + * "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections + * with an upgrade from HTTP/1. * - * Gateway Integration: - * - The parent Gateway's status will include an "AttachedListenerSets" condition - * - This condition will be: - * - True: when AllowedListeners is set and at least one child ListenerSet is attached - * - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false - * - Unknown: when no AllowedListeners config is present + * + * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST + * support HTTP/2 over cleartext TCP (h2c, + * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial + * upgrade from HTTP/1.1, i.e. with prior knowledge + * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). 
If the implementation + * does not support this, then it MUST set the "Accepted" condition to "False" + * for the affected listener with a reason of "UnsupportedProtocol". + * Implementations MAY also accept HTTP/2 connections with an upgrade from + * HTTP/1, i.e. without prior knowledge. */ - interface XListenerSet { + interface GRPCRoute { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"XListenerSet">; + kind?: pulumi.Input<"GRPCRoute">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ metadata?: pulumi.Input; - spec?: pulumi.Input; - status?: pulumi.Input; + spec?: pulumi.Input; + status?: pulumi.Input; } /** - * Spec defines the desired state of ListenerSet. + * Spec defines the desired state of GRPCRoute. */ - interface XListenerSetSpec { + interface GRPCRouteSpec { /** - * Listeners associated with this ListenerSet. Listeners define - * logical endpoints that are bound on this referenced parent Gateway's addresses. + * Hostnames defines a set of hostnames to match against the GRPC + * Host header to select a GRPCRoute to process the request. 
This matches + * the RFC 1123 definition of a hostname with 2 notable exceptions: * - * Listeners in a `Gateway` and their attached `ListenerSets` are concatenated - * as a list when programming the underlying infrastructure. Each listener - * name does not need to be unique across the Gateway and ListenerSets. - * See ListenerEntry.Name for more details. * - * Implementations MUST treat the parent Gateway as having the merged - * list of all listeners from itself and attached ListenerSets using - * the following precedence: + * 1. IPs are not allowed. + * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + * label MUST appear by itself as the first label. * - * 1. "parent" Gateway - * 2. ListenerSet ordered by creation time (oldest first) - * 3. ListenerSet ordered alphabetically by "{namespace}/{name}". * - * An implementation MAY reject listeners by setting the ListenerEntryStatus - * `Accepted` condition to False with the Reason `TooManyListeners` + * If a hostname is specified by both the Listener and GRPCRoute, there + * MUST be at least one intersecting hostname for the GRPCRoute to be + * attached to the Listener. For example: * - * If a listener has a conflict, this will be reported in the - * Status.ListenerEntryStatus setting the `Conflicted` condition to True. * - * Implementations SHOULD be cautious about what information from the - * parent or siblings are reported to avoid accidentally leaking - * sensitive information that the child would not otherwise have access - * to. This can include contents of secrets etc. - */ - listeners?: pulumi.Input[]>; - parentRef?: pulumi.Input; - } - interface XListenerSetSpecListeners { - allowedRoutes?: pulumi.Input; - /** - * Hostname specifies the virtual hostname to match for protocol types that - * define this concept. When unspecified, all hostnames are matched. This - * field is ignored for protocols that don't require hostname based - * matching. 
+ * * A Listener with `test.example.com` as the hostname matches GRPCRoutes + * that have either not specified any hostnames, or have specified at + * least one of `test.example.com` or `*.example.com`. + * * A Listener with `*.example.com` as the hostname matches GRPCRoutes + * that have either not specified any hostnames or have specified at least + * one hostname that matches the Listener hostname. For example, + * `test.example.com` and `*.example.com` would both match. On the other + * hand, `example.com` and `test.example.net` would not match. * - * Implementations MUST apply Hostname matching appropriately for each of - * the following protocols: - * - * * TLS: The Listener Hostname MUST match the SNI. - * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP - * protocol layers as described above. If an implementation does not - * ensure that both the SNI and Host header match the Listener hostname, - * it MUST clearly document that. - * - * For HTTPRoute and TLSRoute resources, there is an interaction with the - * `spec.hostnames` array. When both listener and route specify hostnames, - * there MUST be an intersection between the values for a Route to be - * accepted. For more information, refer to the Route specific Hostnames - * documentation. * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - */ - hostname?: pulumi.Input; - /** - * Name is the name of the Listener. This name MUST be unique within a - * ListenerSet. * - * Name is not required to be unique across a Gateway and ListenerSets. - * Routes can attach to a Listener by having a ListenerSet as a parentRef - * and setting the SectionName - */ - name?: pulumi.Input; - /** - * Port is the network port. 
Multiple listeners may use the - * same port, subject to the Listener compatibility rules. * - * If the port is not set or specified as zero, the implementation will assign - * a unique port. If the implementation does not support dynamic port - * assignment, it MUST set `Accepted` condition to `False` with the - * `UnsupportedPort` reason. - */ - port?: pulumi.Input; - /** - * Protocol specifies the network protocol this listener expects to receive. - */ - protocol?: pulumi.Input; - tls?: pulumi.Input; - } - /** - * AllowedRoutes defines the types of routes that MAY be attached to a - * Listener and the trusted namespaces where those Route resources MAY be - * present. - * - * Although a client request may match multiple route rules, only one rule - * may ultimately receive the request. Matching precedence MUST be - * determined in order of the following criteria: - * - * * The most specific match as defined by the Route type. - * * The oldest Route based on creation timestamp. For example, a Route with - * a creation timestamp of "2020-09-08 01:02:03" is given precedence over - * a Route with a creation timestamp of "2020-09-08 01:02:04". - * * If everything else is equivalent, the Route appearing first in - * alphabetical order (namespace/name) should be given precedence. For - * example, foo/bar is given precedence over foo/baz. - * - * All valid rules within a Route attached to this Listener should be - * implemented. Invalid Route rules can be ignored (sometimes that will mean - * the full Route). If a Route rule transitions from valid to invalid, - * support for that Route rule should be dropped to ensure consistency. For - * example, even if a filter specified by a Route rule is invalid, the rest - * of the rules within that Route should still be supported. - */ - interface XListenerSetSpecListenersAllowedRoutes { - /** - * Kinds specifies the groups and kinds of Routes that are allowed to bind - * to this Gateway Listener. 
When unspecified or empty, the kinds of Routes - * selected are determined using the Listener protocol. + * If both the Listener and GRPCRoute have specified hostnames, any + * GRPCRoute hostnames that do not match the Listener hostname MUST be + * ignored. For example, if a Listener specified `*.example.com`, and the + * GRPCRoute specified `test.example.com` and `test.example.net`, + * `test.example.net` MUST NOT be considered for a match. + * + * + * If both the Listener and GRPCRoute have specified hostnames, and none + * match with the criteria above, then the GRPCRoute MUST NOT be accepted by + * the implementation. The implementation MUST raise an 'Accepted' Condition + * with a status of `False` in the corresponding RouteParentStatus. + * + * + * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + * Listener and that listener already has another Route (B) of the other + * type attached and the intersection of the hostnames of A and B is + * non-empty, then the implementation MUST accept exactly one of these two + * routes, determined by the following criteria, in order: + * + * + * * The oldest Route based on creation timestamp. + * * The Route appearing first in alphabetical order by + * "{namespace}/{name}". + * + * + * The rejected Route MUST raise an 'Accepted' condition with a status of + * 'False' in the corresponding RouteParentStatus. * - * A RouteGroupKind MUST correspond to kinds of Routes that are compatible - * with the application protocol specified in the Listener's Protocol field. - * If an implementation does not support or recognize this resource type, it - * MUST set the "ResolvedRefs" condition to False for this Listener with the - * "InvalidRouteKinds" reason. * * Support: Core */ - kinds?: pulumi.Input[]>; - namespaces?: pulumi.Input; + hostnames?: pulumi.Input[]>; + /** + * ParentRefs references the resources (usually Gateways) that a Route wants + * to be attached to. 
Note that the referenced parent resource needs to + * allow this for the attachment to be complete. For Gateways, that means + * the Gateway needs to allow attachment from Routes of this kind and + * namespace. For Services, that means the Service must either be in the same + * namespace for a "producer" route, or the mesh implementation must support + * and allow "consumer" routes for the referenced Service. ReferenceGrant is + * not applicable for governing ParentRefs to Services - it is not possible to + * create a "producer" route for a Service in a different namespace from the + * Route. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * This API may be extended in the future to support additional kinds of parent + * resources. + * + * + * ParentRefs must be _distinct_. This means either that: + * + * + * * They select different objects. If this is the case, then parentRef + * entries are distinct. In terms of fields, this means that the + * multi-part key defined by `group`, `kind`, `namespace`, and `name` must + * be unique across all parentRef entries in the Route. + * * They do not select different objects, but for each optional field used, + * each ParentRef that selects the same object must set the same set of + * optional fields to different values. If one ParentRef sets a + * combination of optional fields, all must set the same combination. + * + * + * Some examples: + * + * + * * If one ParentRef sets `sectionName`, all ParentRefs referencing the + * same object must also set `sectionName`. + * * If one ParentRef sets `port`, all ParentRefs referencing the same + * object must also set `port`. + * * If one ParentRef sets `sectionName` and `port`, all ParentRefs + * referencing the same object must also set `sectionName` and `port`. 
+ * + * + * It is possible to separately reference multiple distinct objects that may + * be collapsed by an implementation. For example, some implementations may + * choose to merge compatible Gateway Listeners together. If that is the + * case, the list of routes attached to those resources should also be + * merged. + * + * + * Note that for ParentRefs that cross namespace boundaries, there are specific + * rules. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example, + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable other kinds of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + */ + parentRefs?: pulumi.Input[]>; + /** + * Rules are a list of GRPC matchers, filters and actions. + */ + rules?: pulumi.Input[]>; } /** - * RouteGroupKind indicates the group and kind of a Route resource. - */ - interface XListenerSetSpecListenersAllowedRoutesKinds { - /** - * Group is the group of the Route. - */ - group?: pulumi.Input; - /** - * Kind is the kind of the Route. - */ - kind?: pulumi.Input; - } - /** - * RouteGroupKind indicates the group and kind of a Route resource. - */ - interface XListenerSetSpecListenersAllowedRoutesKindsPatch { - /** - * Group is the group of the Route. - */ - group?: pulumi.Input; - /** - * Kind is the kind of the Route. 
- */ - kind?: pulumi.Input; - } - /** - * Namespaces indicates namespaces from which Routes may be attached to this - * Listener. This is restricted to the namespace of this Gateway by default. + * ParentReference identifies an API object (usually a Gateway) that can be considered + * a parent of this resource (usually a route). There are two kinds of parent resources + * with "Core" support: * - * Support: Core - */ - interface XListenerSetSpecListenersAllowedRoutesNamespaces { - /** - * From indicates where Routes will be selected for this Gateway. Possible - * values are: - * - * * All: Routes in all namespaces may be used by this Gateway. - * * Selector: Routes in namespaces selected by the selector may be used by - * this Gateway. - * * Same: Only Routes in the same namespace may be used by this Gateway. - * - * Support: Core - */ - from?: pulumi.Input; - selector?: pulumi.Input; - } - /** - * Namespaces indicates namespaces from which Routes may be attached to this - * Listener. This is restricted to the namespace of this Gateway by default. * - * Support: Core - */ - interface XListenerSetSpecListenersAllowedRoutesNamespacesPatch { - /** - * From indicates where Routes will be selected for this Gateway. Possible - * values are: - * - * * All: Routes in all namespaces may be used by this Gateway. - * * Selector: Routes in namespaces selected by the selector may be used by - * this Gateway. - * * Same: Only Routes in the same namespace may be used by this Gateway. - * - * Support: Core - */ - from?: pulumi.Input; - selector?: pulumi.Input; - } - /** - * Selector must be specified when From is set to "Selector". In that case, - * only Routes in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". 
+ * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) * - * Support: Core - */ - interface XListenerSetSpecListenersAllowedRoutesNamespacesSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * Selector must be specified when From is set to "Selector". In that case, - * only Routes in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". * - * Support: Core - */ - interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * AllowedRoutes defines the types of routes that MAY be attached to a - * Listener and the trusted namespaces where those Route resources MAY be - * present. + * This API may be extended in the future to support additional kinds of parent + * resources. * - * Although a client request may match multiple route rules, only one rule - * may ultimately receive the request. Matching precedence MUST be - * determined in order of the following criteria: - * - * * The most specific match as defined by the Route type. - * * The oldest Route based on creation timestamp. For example, a Route with - * a creation timestamp of "2020-09-08 01:02:03" is given precedence over - * a Route with a creation timestamp of "2020-09-08 01:02:04". - * * If everything else is equivalent, the Route appearing first in - * alphabetical order (namespace/name) should be given precedence. For - * example, foo/bar is given precedence over foo/baz. 
- * - * All valid rules within a Route attached to this Listener should be - * implemented. Invalid Route rules can be ignored (sometimes that will mean - * the full Route). If a Route rule transitions from valid to invalid, - * support for that Route rule should be dropped to ensure consistency. For - * example, even if a filter specified by a Route rule is invalid, the rest - * of the rules within that Route should still be supported. - */ - interface XListenerSetSpecListenersAllowedRoutesPatch { - /** - * Kinds specifies the groups and kinds of Routes that are allowed to bind - * to this Gateway Listener. When unspecified or empty, the kinds of Routes - * selected are determined using the Listener protocol. - * - * A RouteGroupKind MUST correspond to kinds of Routes that are compatible - * with the application protocol specified in the Listener's Protocol field. - * If an implementation does not support or recognize this resource type, it - * MUST set the "ResolvedRefs" condition to False for this Listener with the - * "InvalidRouteKinds" reason. - * - * Support: Core - */ - kinds?: pulumi.Input[]>; - namespaces?: pulumi.Input; - } - interface XListenerSetSpecListenersPatch { - allowedRoutes?: pulumi.Input; - /** - * Hostname specifies the virtual hostname to match for protocol types that - * define this concept. When unspecified, all hostnames are matched. This - * field is ignored for protocols that don't require hostname based - * matching. - * - * Implementations MUST apply Hostname matching appropriately for each of - * the following protocols: - * - * * TLS: The Listener Hostname MUST match the SNI. - * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP - * protocol layers as described above. If an implementation does not - * ensure that both the SNI and Host header match the Listener hostname, - * it MUST clearly document that. 
- * - * For HTTPRoute and TLSRoute resources, there is an interaction with the - * `spec.hostnames` array. When both listener and route specify hostnames, - * there MUST be an intersection between the values for a Route to be - * accepted. For more information, refer to the Route specific Hostnames - * documentation. - * - * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - * as a suffix match. That means that a match for `*.example.com` would match - * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - */ - hostname?: pulumi.Input; - /** - * Name is the name of the Listener. This name MUST be unique within a - * ListenerSet. - * - * Name is not required to be unique across a Gateway and ListenerSets. - * Routes can attach to a Listener by having a ListenerSet as a parentRef - * and setting the SectionName - */ - name?: pulumi.Input; - /** - * Port is the network port. Multiple listeners may use the - * same port, subject to the Listener compatibility rules. - * - * If the port is not set or specified as zero, the implementation will assign - * a unique port. If the implementation does not support dynamic port - * assignment, it MUST set `Accepted` condition to `False` with the - * `UnsupportedPort` reason. - */ - port?: pulumi.Input; - /** - * Protocol specifies the network protocol this listener expects to receive. - */ - protocol?: pulumi.Input; - tls?: pulumi.Input; - } - /** - * TLS is the TLS configuration for the Listener. This field is required if - * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field - * if the Protocol field is "HTTP", "TCP", or "UDP". - * - * The association of SNIs to Certificate defined in ListenerTLSConfig is - * defined based on the Hostname field for this listener. - * - * The GatewayClass MUST use the longest matching SNI out of all - * available certificates for any TLS handshake. 
- */ - interface XListenerSetSpecListenersTls { - /** - * CertificateRefs contains a series of references to Kubernetes objects that - * contains TLS certificates and private keys. These certificates are used to - * establish a TLS handshake for requests that match the hostname of the - * associated listener. - * - * A single CertificateRef to a Kubernetes Secret has "Core" support. - * Implementations MAY choose to support attaching multiple certificates to - * a Listener, but this behavior is implementation-specific. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * This field is required to have at least one element when the mode is set - * to "Terminate" (default) and is optional otherwise. - * - * CertificateRefs can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - * - * Support: Implementation-specific (More than one reference or other resource types) - */ - certificateRefs?: pulumi.Input[]>; - /** - * Mode defines the TLS behavior for the TLS session initiated by the client. - * There are two possible modes: - * - * - Terminate: The TLS session between the downstream client and the - * Gateway is terminated at the Gateway. This mode requires certificates - * to be specified in some way, such as populating the certificateRefs - * field. - * - Passthrough: The TLS session is NOT terminated by the Gateway. This - * implies that the Gateway can't decipher the TLS stream except for - * the ClientHello message of the TLS protocol. The certificateRefs field - * is ignored in this mode. 
- * - * Support: Core - */ - mode?: pulumi.Input; - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * SecretObjectReference identifies an API object including its namespace, - * defaulting to Secret. * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. */ - interface XListenerSetSpecListenersTlsCertificateRefs { + interface GRPCRouteSpecParentRefs { + /** + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. + * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the referent. 
When unspecified, this refers + * to the local namespace of the Route. + * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + * + * + * + * Support: Core + */ + namespace?: pulumi.Input; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. + * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. 
+ * + * + * + * Implementations MAY choose to support other parent resources. + * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. + * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. + * + * + * Support: Extended + */ + port?: pulumi.Input; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. + * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. + * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. 
If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. + * + * + * Support: Core + */ + sectionName?: pulumi.Input; + } + /** + * ParentReference identifies an API object (usually a Gateway) that can be considered + * a parent of this resource (usually a route). There are two kinds of parent resources + * with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * This API may be extended in the future to support additional kinds of parent + * resources. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + */ + interface GRPCRouteSpecParentRefsPatch { + /** + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. + * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the referent. When unspecified, this refers + * to the local namespace of the Route. + * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. 
For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + * + * + * + * Support: Core + */ + namespace?: pulumi.Input; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. + * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. + * + * + * + * Implementations MAY choose to support other parent resources. + * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. + * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. 
For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. + * + * + * Support: Extended + */ + port?: pulumi.Input; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. + * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. + * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. + * + * + * Support: Core + */ + sectionName?: pulumi.Input; + } + /** + * Spec defines the desired state of GRPCRoute. 
+ */ + interface GRPCRouteSpecPatch { + /** + * Hostnames defines a set of hostnames to match against the GRPC + * Host header to select a GRPCRoute to process the request. This matches + * the RFC 1123 definition of a hostname with 2 notable exceptions: + * + * + * 1. IPs are not allowed. + * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + * label MUST appear by itself as the first label. + * + * + * If a hostname is specified by both the Listener and GRPCRoute, there + * MUST be at least one intersecting hostname for the GRPCRoute to be + * attached to the Listener. For example: + * + * + * * A Listener with `test.example.com` as the hostname matches GRPCRoutes + * that have either not specified any hostnames, or have specified at + * least one of `test.example.com` or `*.example.com`. + * * A Listener with `*.example.com` as the hostname matches GRPCRoutes + * that have either not specified any hostnames or have specified at least + * one hostname that matches the Listener hostname. For example, + * `test.example.com` and `*.example.com` would both match. On the other + * hand, `example.com` and `test.example.net` would not match. + * + * + * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + * as a suffix match. That means that a match for `*.example.com` would match + * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + * + * + * If both the Listener and GRPCRoute have specified hostnames, any + * GRPCRoute hostnames that do not match the Listener hostname MUST be + * ignored. For example, if a Listener specified `*.example.com`, and the + * GRPCRoute specified `test.example.com` and `test.example.net`, + * `test.example.net` MUST NOT be considered for a match. + * + * + * If both the Listener and GRPCRoute have specified hostnames, and none + * match with the criteria above, then the GRPCRoute MUST NOT be accepted by + * the implementation. 
The implementation MUST raise an 'Accepted' Condition + * with a status of `False` in the corresponding RouteParentStatus. + * + * + * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + * Listener and that listener already has another Route (B) of the other + * type attached and the intersection of the hostnames of A and B is + * non-empty, then the implementation MUST accept exactly one of these two + * routes, determined by the following criteria, in order: + * + * + * * The oldest Route based on creation timestamp. + * * The Route appearing first in alphabetical order by + * "{namespace}/{name}". + * + * + * The rejected Route MUST raise an 'Accepted' condition with a status of + * 'False' in the corresponding RouteParentStatus. + * + * + * Support: Core + */ + hostnames?: pulumi.Input[]>; + /** + * ParentRefs references the resources (usually Gateways) that a Route wants + * to be attached to. Note that the referenced parent resource needs to + * allow this for the attachment to be complete. For Gateways, that means + * the Gateway needs to allow attachment from Routes of this kind and + * namespace. For Services, that means the Service must either be in the same + * namespace for a "producer" route, or the mesh implementation must support + * and allow "consumer" routes for the referenced Service. ReferenceGrant is + * not applicable for governing ParentRefs to Services - it is not possible to + * create a "producer" route for a Service in a different namespace from the + * Route. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * This API may be extended in the future to support additional kinds of parent + * resources. + * + * + * ParentRefs must be _distinct_. This means either that: + * + * + * * They select different objects. If this is the case, then parentRef + * entries are distinct. 
In terms of fields, this means that the + * multi-part key defined by `group`, `kind`, `namespace`, and `name` must + * be unique across all parentRef entries in the Route. + * * They do not select different objects, but for each optional field used, + * each ParentRef that selects the same object must set the same set of + * optional fields to different values. If one ParentRef sets a + * combination of optional fields, all must set the same combination. + * + * + * Some examples: + * + * + * * If one ParentRef sets `sectionName`, all ParentRefs referencing the + * same object must also set `sectionName`. + * * If one ParentRef sets `port`, all ParentRefs referencing the same + * object must also set `port`. + * * If one ParentRef sets `sectionName` and `port`, all ParentRefs + * referencing the same object must also set `sectionName` and `port`. + * + * + * It is possible to separately reference multiple distinct objects that may + * be collapsed by an implementation. For example, some implementations may + * choose to merge compatible Gateway Listeners together. If that is the + * case, the list of routes attached to those resources should also be + * merged. + * + * + * Note that for ParentRefs that cross namespace boundaries, there are specific + * rules. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example, + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable other kinds of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. 
+ * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + */ + parentRefs?: pulumi.Input[]>; + /** + * Rules are a list of GRPC matchers, filters and actions. + */ + rules?: pulumi.Input[]>; + } + /** + * GRPCRouteRule defines the semantics for matching a gRPC request based on + * conditions (matches), processing it (filters), and forwarding the request to + * an API object (backendRefs). + */ + interface GRPCRouteSpecRules { + /** + * BackendRefs defines the backend(s) where matching requests should be + * sent. + * + * + * Failure behavior here depends on how many BackendRefs are specified and + * how many are invalid. + * + * + * If *all* entries in BackendRefs are invalid, and there are also no filters + * specified in this route rule, *all* traffic which matches this rule MUST + * receive an `UNAVAILABLE` status. + * + * + * See the GRPCBackendRef definition for the rules about what makes a single + * GRPCBackendRef invalid. + * + * + * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for + * requests that would have otherwise been routed to an invalid backend. If + * multiple backends are specified, and some are invalid, the proportion of + * requests that would otherwise have been routed to an invalid backend + * MUST receive an `UNAVAILABLE` status. + * + * + * For example, if two backends are specified with equal weights, and one is + * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. + * Implementations may choose how that 50 percent is determined. 
+ * + * + * Support: Core for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + * + * + * Support for weight: Core + */ + backendRefs?: pulumi.Input[]>; + /** + * Filters define the filters that are applied to requests that match + * this rule. + * + * + * The effects of ordering of multiple behaviors are currently unspecified. + * This can change in the future based on feedback during the alpha stage. + * + * + * Conformance-levels at this level are defined based on the type of filter: + * + * + * - ALL core filters MUST be supported by all implementations that support + * GRPCRoute. + * - Implementers are encouraged to support extended filters. + * - Implementation-specific custom filters have no API guarantees across + * implementations. + * + * + * Specifying the same filter multiple times is not supported unless explicitly + * indicated in the filter. + * + * + * If an implementation can not support a combination of filters, it must clearly + * document that limitation. In cases where incompatible or unsupported + * filters are specified and cause the `Accepted` condition to be set to status + * `False`, implementations may use the `IncompatibleFilters` reason to specify + * this configuration error. + * + * + * Support: Core + */ + filters?: pulumi.Input[]>; + /** + * Matches define conditions used for matching the rule against incoming + * gRPC requests. Each match is independent, i.e. this rule will be matched + * if **any** one of the matches is satisfied. 
+ * + * + * For example, take the following matches configuration: + * + * + * ``` + * matches: + * - method: + * service: foo.bar + * headers: + * values: + * version: 2 + * - method: + * service: foo.bar.v2 + * ``` + * + * + * For a request to match against this rule, it MUST satisfy + * EITHER of the two conditions: + * + * + * - service of foo.bar AND contains the header `version: 2` + * - service of foo.bar.v2 + * + * + * See the documentation for GRPCRouteMatch on how to specify multiple + * match conditions to be ANDed together. + * + * + * If no matches are specified, the implementation MUST match every gRPC request. + * + * + * Proxy or Load Balancer routing configuration generated from GRPCRoutes + * MUST prioritize rules based on the following criteria, continuing on + * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + * Precedence MUST be given to the rule with the largest number of: + * + * + * * Characters in a matching non-wildcard hostname. + * * Characters in a matching hostname. + * * Characters in a matching service. + * * Characters in a matching method. + * * Header matches. + * + * + * If ties still exist across multiple Routes, matching precedence MUST be + * determined in order of the following criteria, continuing on ties: + * + * + * * The oldest Route based on creation timestamp. + * * The Route appearing first in alphabetical order by + * "{namespace}/{name}". + * + * + * If ties still exist within the Route that has been given precedence, + * matching precedence MUST be granted to the first matching rule meeting + * the above criteria. + */ + matches?: pulumi.Input[]>; + sessionPersistence?: pulumi.Input; + } + /** + * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + * + * + * Note that when a namespace different than the local namespace is specified, a + * ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. 
See the ReferenceGrant + * documentation for details. + * + * + * + * + * + * When the BackendRef points to a Kubernetes Service, implementations SHOULD + * honor the appProtocol field if it is set for the target Service Port. + * + * + * Implementations supporting appProtocol SHOULD recognize the Kubernetes + * Standard Application Protocols defined in KEP-3726. + * + * + * If a Service appProtocol isn't specified, an implementation MAY infer the + * backend protocol through its own means. Implementations MAY infer the + * protocol from the Route type referring to the backend Service. + * + * + * If a Route is not able to send traffic to the backend using the specified + * protocol then the backend is considered invalid. Implementations MUST set the + * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * + */ + interface GRPCRouteSpecRulesBackendRefs { + /** + * Filters defined at this level MUST be executed if and only if the + * request is being forwarded to the backend defined here. + * + * + * Support: Implementation-specific (For broader support of filters, use the + * Filters field in GRPCRouteRule.) + */ + filters?: pulumi.Input[]>; /** * Group is the group of the referent. For example, "gateway.networking.k8s.io". * When unspecified or empty string, core API group is inferred. */ group?: pulumi.Input; /** - * Kind is kind of the referent. For example "Secret". + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. 
+ * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; /** 
@@ -34325,37 +24957,498 @@ export declare namespace gateway { */ name?: pulumi.Input; /** - * Namespace is the namespace of the referenced object. When unspecified, the local + * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port?: pulumi.Input; + /** + * Weight specifies the proportion of requests forwarded to the referenced + * backend. This is computed as weight/(sum of all weights in this + * BackendRefs list). For non-zero values, there may be some epsilon from + * the exact proportion defined here depending on the precision an + * implementation supports. Weight is not a percentage and the sum of + * weights does not need to equal 100. + * + * + * If only one backend is specified and it has a weight greater than 0, 100% + * of the traffic is forwarded to that backend. If weight is set to 0, no + * traffic should be forwarded for this entry. If unspecified, weight + * defaults to 1. + * + * + * Support for this field varies based on the context where used. + */ + weight?: pulumi.Input; } /** - * SecretObjectReference identifies an API object including its namespace, - * defaulting to Secret. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. 
- * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. + * GRPCRouteFilter defines processing steps that must be completed during the + * request or response lifecycle. GRPCRouteFilters are meant as an extension + * point to express processing that may be done in Gateway implementations. Some + * examples include request or response modification, implementing + * authentication strategies, rate-limiting, and traffic shaping. API + * guarantee/conformance is defined based on the type of the filter. */ - interface XListenerSetSpecListenersTlsCertificateRefsPatch { + interface GRPCRouteSpecRulesBackendRefsFilters { + extensionRef?: pulumi.Input; + requestHeaderModifier?: pulumi.Input; + requestMirror?: pulumi.Input; + responseHeaderModifier?: pulumi.Input; + /** + * Type identifies the type of filter to apply. As with other API fields, + * types are classified into three conformance levels: + * + * + * - Core: Filter types and their corresponding configuration defined by + * "Support: Core" in this package, e.g. "RequestHeaderModifier". All + * implementations supporting GRPCRoute MUST support core filters. + * + * + * - Extended: Filter types and their corresponding configuration defined by + * "Support: Extended" in this package, e.g. "RequestMirror". Implementers + * are encouraged to support extended filters. + * + * + * - Implementation-specific: Filters that are defined and supported by specific vendors. + * In the future, filters showing convergence in behavior across multiple + * implementations will be considered for inclusion in extended or core + * conformance levels. Filter-specific configuration for such filters + * is specified using the ExtensionRef field. `Type` MUST be set to + * "ExtensionRef" for custom filters. 
+ * + * + * Implementers are encouraged to define custom implementation types to + * extend the core API with implementation-specific behavior. + * + * + * If a reference to a custom filter type cannot be resolved, the filter + * MUST NOT be skipped. Instead, requests that would have been processed by + * that filter MUST receive a HTTP error response. + */ + type?: pulumi.Input; + } + /** + * ExtensionRef is an optional, implementation-specific extension to the + * "filter" behavior. For example, resource "myroutefilter" in group + * "networking.example.net"). ExtensionRef MUST NOT be used for core and + * extended filters. + * + * + * Support: Implementation-specific + * + * + * This filter can be used multiple times within the same rule. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRef { /** * Group is the group of the referent. For example, "gateway.networking.k8s.io". * When unspecified or empty string, core API group is inferred. */ group?: pulumi.Input; /** - * Kind is kind of the referent. For example "Secret". + * Kind is kind of the referent. For example "HTTPRoute" or "Service". + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + } + /** + * ExtensionRef is an optional, implementation-specific extension to the + * "filter" behavior. For example, resource "myroutefilter" in group + * "networking.example.net"). ExtensionRef MUST NOT be used for core and + * extended filters. + * + * + * Support: Implementation-specific + * + * + * This filter can be used multiple times within the same rule. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. For example "HTTPRoute" or "Service". + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. 
+ */ + name?: pulumi.Input; + } + /** + * GRPCRouteFilter defines processing steps that must be completed during the + * request or response lifecycle. GRPCRouteFilters are meant as an extension + * point to express processing that may be done in Gateway implementations. Some + * examples include request or response modification, implementing + * authentication strategies, rate-limiting, and traffic shaping. API + * guarantee/conformance is defined based on the type of the filter. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersPatch { + extensionRef?: pulumi.Input; + requestHeaderModifier?: pulumi.Input; + requestMirror?: pulumi.Input; + responseHeaderModifier?: pulumi.Input; + /** + * Type identifies the type of filter to apply. As with other API fields, + * types are classified into three conformance levels: + * + * + * - Core: Filter types and their corresponding configuration defined by + * "Support: Core" in this package, e.g. "RequestHeaderModifier". All + * implementations supporting GRPCRoute MUST support core filters. + * + * + * - Extended: Filter types and their corresponding configuration defined by + * "Support: Extended" in this package, e.g. "RequestMirror". Implementers + * are encouraged to support extended filters. + * + * + * - Implementation-specific: Filters that are defined and supported by specific vendors. + * In the future, filters showing convergence in behavior across multiple + * implementations will be considered for inclusion in extended or core + * conformance levels. Filter-specific configuration for such filters + * is specified using the ExtensionRef field. `Type` MUST be set to + * "ExtensionRef" for custom filters. + * + * + * Implementers are encouraged to define custom implementation types to + * extend the core API with implementation-specific behavior. + * + * + * If a reference to a custom filter type cannot be resolved, the filter + * MUST NOT be skipped. 
Instead, requests that would have been processed by + * that filter MUST receive a HTTP error response. + */ + type?: pulumi.Input; + } + /** + * RequestHeaderModifier defines a schema for a filter that modifies request + * headers. + * + * + * Support: Core + */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add?: pulumi.Input[]>; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove?: pulumi.Input[]>; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set?: pulumi.Input[]>; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 
+ * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + /** + * RequestHeaderModifier defines a schema for a filter that modifies request + * headers. + * + * + * Support: Core + */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add?: pulumi.Input[]>; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. 
Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove?: pulumi.Input[]>; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set?: pulumi.Input[]>; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. 
Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + /** + * RequestMirror defines a schema for a filter that mirrors requests. + * Requests are sent to the specified destination, but responses from + * that destination are ignored. + * + * + * This filter can be used multiple times within the same rule. Note that + * not all implementations will be able to support mirroring to multiple + * backends. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirror { + backendRef?: pulumi.Input; + } + /** + * BackendRef references a resource where mirrored requests are sent. + * + * + * Mirrored requests must be sent only to a single destination endpoint + * within this BackendRef, irrespective of how many endpoints are present + * within this BackendRef. + * + * + * If the referent cannot be found, this BackendRef is invalid and must be + * dropped from the Gateway. The controller must ensure the "ResolvedRefs" + * condition on the Route status is set to `status: False` and not configure + * this backend in the underlying implementation. + * + * + * If there is a cross-namespace reference to an *existing* object + * that is not allowed by a ReferenceGrant, the controller must ensure the + * "ResolvedRefs" condition on the Route is set to `status: False`, + * with the "RefNotPermitted" reason and not configure this backend in the + * underlying implementation. + * + * + * In either error case, the Message of the `ResolvedRefs` Condition + * should be used to provide more detail about the problem. + * + * + * Support: Extended for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef { + /** + * Group is the group of the referent. 
For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; /** 
@@ -34363,99 +25456,84 @@ export declare namespace gateway { */ name?: pulumi.Input; /** - * Namespace is the namespace of the referenced object. When unspecified, the local + * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port?: pulumi.Input; } /** - * TLS is the TLS configuration for the Listener. This field is required if - * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field - * if the Protocol field is "HTTP", "TCP", or "UDP". + * BackendRef references a resource where mirrored requests are sent. * - * The association of SNIs to Certificate defined in ListenerTLSConfig is - * defined based on the Hostname field for this listener. * - * The GatewayClass MUST use the longest matching SNI out of all - * available certificates for any TLS handshake. + * Mirrored requests must be sent only to a single destination endpoint + * within this BackendRef, irrespective of how many endpoints are present + * within this BackendRef. + * + * + * If the referent cannot be found, this BackendRef is invalid and must be + * dropped from the Gateway. The controller must ensure the "ResolvedRefs" + * condition on the Route status is set to `status: False` and not configure + * this backend in the underlying implementation. 
+ * + * + * If there is a cross-namespace reference to an *existing* object + * that is not allowed by a ReferenceGrant, the controller must ensure the + * "ResolvedRefs" condition on the Route is set to `status: False`, + * with the "RefNotPermitted" reason and not configure this backend in the + * underlying implementation. + * + * + * In either error case, the Message of the `ResolvedRefs` Condition + * should be used to provide more detail about the problem. + * + * + * Support: Extended for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource */ - interface XListenerSetSpecListenersTlsPatch { + interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch { /** - * CertificateRefs contains a series of references to Kubernetes objects that - * contains TLS certificates and private keys. These certificates are used to - * establish a TLS handshake for requests that match the hostname of the - * associated listener. - * - * A single CertificateRef to a Kubernetes Secret has "Core" support. - * Implementations MAY choose to support attaching multiple certificates to - * a Listener, but this behavior is implementation-specific. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * This field is required to have at least one element when the mode is set - * to "Terminate" (default) and is optional otherwise. - * - * CertificateRefs can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. 
- * - * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - * - * Support: Implementation-specific (More than one reference or other resource types) - */ - certificateRefs?: pulumi.Input[]>; - /** - * Mode defines the TLS behavior for the TLS session initiated by the client. - * There are two possible modes: - * - * - Terminate: The TLS session between the downstream client and the - * Gateway is terminated at the Gateway. This mode requires certificates - * to be specified in some way, such as populating the certificateRefs - * field. - * - Passthrough: The TLS session is NOT terminated by the Gateway. This - * implies that the Gateway can't decipher the TLS stream except for - * the ClientHello message of the TLS protocol. The certificateRefs field - * is ignored in this mode. - * - * Support: Core - */ - mode?: pulumi.Input; - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * ParentRef references the Gateway that the listeners are attached to. - */ - interface XListenerSetSpecParentRef { - /** - * Group is the group of the referent. + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. */ group?: pulumi.Input; /** - * Kind is kind of the referent. For example "Gateway". + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". 
+ * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; /** 
@@ -34463,22 +25541,345 @@ export declare namespace gateway { */ name?: pulumi.Input; /** - * Namespace is the namespace of the referent. If not present, - * the namespace of the referent is assumed to be the same as - * the namespace of the referring object. + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core */ namespace?: pulumi.Input; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port?: pulumi.Input; } /** - * ParentRef references the Gateway that the listeners are attached to. + * RequestMirror defines a schema for a filter that mirrors requests. + * Requests are sent to the specified destination, but responses from + * that destination are ignored. + * + * + * This filter can be used multiple times within the same rule. Note that + * not all implementations will be able to support mirroring to multiple + * backends. + * + * + * Support: Extended */ - interface XListenerSetSpecParentRefPatch { + interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch { + backendRef?: pulumi.Input; + } + /** + * ResponseHeaderModifier defines a schema for a filter that modifies response + * headers. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier { /** - * Group is the group of the referent. + * Add adds the given header(s) (name, value) to the request + * before the action. 
It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add?: pulumi.Input[]>; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove?: pulumi.Input[]>; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set?: pulumi.Input[]>; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. 
+ */ + interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + /** + * ResponseHeaderModifier defines a schema for a filter that modifies response + * headers. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add?: pulumi.Input[]>; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove?: pulumi.Input[]>; + /** + * Set overwrites the request with the given header (name, value) + * before the action. 
+ * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set?: pulumi.Input[]>; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + /** + * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. 
+ * + * + * Note that when a namespace different than the local namespace is specified, a + * ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * + * + * + * When the BackendRef points to a Kubernetes Service, implementations SHOULD + * honor the appProtocol field if it is set for the target Service Port. + * + * + * Implementations supporting appProtocol SHOULD recognize the Kubernetes + * Standard Application Protocols defined in KEP-3726. + * + * + * If a Service appProtocol isn't specified, an implementation MAY infer the + * backend protocol through its own means. Implementations MAY infer the + * protocol from the Route type referring to the backend Service. + * + * + * If a Route is not able to send traffic to the backend using the specified + * protocol then the backend is considered invalid. Implementations MUST set the + * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * + */ + interface GRPCRouteSpecRulesBackendRefsPatch { + /** + * Filters defined at this level MUST be executed if and only if the + * request is being forwarded to the backend defined here. + * + * + * Support: Implementation-specific (For broader support of filters, use the + * Filters field in GRPCRouteRule.) + */ + filters?: pulumi.Input[]>; + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. */ group?: pulumi.Input; /** - * Kind is kind of the referent. For example "Gateway". + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. 
They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; /** 
@@ -34486,160 +25887,1445 @@ export declare namespace gateway { */ name?: pulumi.Input; /** - * Namespace is the namespace of the referent. If not present, - * the namespace of the referent is assumed to be the same as - * the namespace of the referring object. + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core */ namespace?: pulumi.Input; - } - /** - * Spec defines the desired state of ListenerSet. - */ - interface XListenerSetSpecPatch { /** - * Listeners associated with this ListenerSet. Listeners define - * logical endpoints that are bound on this referenced parent Gateway's addresses. - * - * Listeners in a `Gateway` and their attached `ListenerSets` are concatenated - * as a list when programming the underlying infrastructure. Each listener - * name does not need to be unique across the Gateway and ListenerSets. - * See ListenerEntry.Name for more details. - * - * Implementations MUST treat the parent Gateway as having the merged - * list of all listeners from itself and attached ListenerSets using - * the following precedence: - * - * 1. "parent" Gateway - * 2. ListenerSet ordered by creation time (oldest first) - * 3. ListenerSet ordered alphabetically by "{namespace}/{name}". - * - * An implementation MAY reject listeners by setting the ListenerEntryStatus - * `Accepted` condition to False with the Reason `TooManyListeners` - * - * If a listener has a conflict, this will be reported in the - * Status.ListenerEntryStatus setting the `Conflicted` condition to True. 
- * - * Implementations SHOULD be cautious about what information from the - * parent or siblings are reported to avoid accidentally leaking - * sensitive information that the child would not otherwise have access - * to. This can include contents of secrets etc. - */ - listeners?: pulumi.Input[]>; - parentRef?: pulumi.Input; - } - /** - * Status defines the current state of ListenerSet. - */ - interface XListenerSetStatus { - /** - * Conditions describe the current conditions of the ListenerSet. - * - * Implementations MUST express ListenerSet conditions using the - * `ListenerSetConditionType` and `ListenerSetConditionReason` - * constants so that operators and tools can converge on a common - * vocabulary to describe ListenerSet state. - * - * Known condition types are: - * - * * "Accepted" - * * "Programmed" - */ - conditions?: pulumi.Input[]>; - /** - * Listeners provide status for each unique listener port defined in the Spec. - */ - listeners?: pulumi.Input[]>; - } - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - interface XListenerSetStatusConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime?: pulumi.Input; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message?: pulumi.Input; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. 
- */ - observedGeneration?: pulumi.Input; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason?: pulumi.Input; - /** - * status of the condition, one of True, False, Unknown. - */ - status?: pulumi.Input; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type?: pulumi.Input; - } - /** - * ListenerStatus is the status associated with a Listener. - */ - interface XListenerSetStatusListeners { - /** - * AttachedRoutes represents the total number of Routes that have been - * successfully attached to this Listener. - * - * Successful attachment of a Route to a Listener is based solely on the - * combination of the AllowedRoutes field on the corresponding Listener - * and the Route's ParentRefs field. A Route is successfully attached to - * a Listener when it is selected by the Listener's AllowedRoutes field - * AND the Route has a valid ParentRef selecting the whole Gateway - * resource or a specific Listener as a parent resource (more detail on - * attachment semantics can be found in the documentation on the various - * Route kinds ParentRefs fields). Listener or Route status does not impact - * successful attachment, i.e. the AttachedRoutes field count MUST be set - * for Listeners with condition Accepted: false and MUST count successfully - * attached Routes that may themselves have Accepted: false conditions. - * - * Uses for this field include troubleshooting Route attachment and - * measuring blast radius/impact of changes to a Listener. - */ - attachedRoutes?: pulumi.Input; - /** - * Conditions describe the current condition of this listener. 
- */ - conditions?: pulumi.Input[]>; - /** - * Name is the name of the Listener that this status corresponds to. - */ - name?: pulumi.Input; - /** - * Port is the network port the listener is configured to listen on. + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. */ port?: pulumi.Input; /** - * SupportedKinds is the list indicating the Kinds supported by this - * listener. This MUST represent the kinds an implementation supports for - * that Listener configuration. + * Weight specifies the proportion of requests forwarded to the referenced + * backend. This is computed as weight/(sum of all weights in this + * BackendRefs list). For non-zero values, there may be some epsilon from + * the exact proportion defined here depending on the precision an + * implementation supports. Weight is not a percentage and the sum of + * weights does not need to equal 100. * - * If kinds are specified in Spec that are not supported, they MUST NOT - * appear in this list and an implementation MUST set the "ResolvedRefs" - * condition to "False" with the "InvalidRouteKinds" reason. If both valid - * and invalid Route kinds are specified, the implementation MUST - * reference the valid Route kinds that have been specified. + * + * If only one backend is specified and it has a weight greater than 0, 100% + * of the traffic is forwarded to that backend. If weight is set to 0, no + * traffic should be forwarded for this entry. If unspecified, weight + * defaults to 1. + * + * + * Support for this field varies based on the context where used. 
*/ - supportedKinds?: pulumi.Input[]>; + weight?: pulumi.Input; + } + /** + * GRPCRouteFilter defines processing steps that must be completed during the + * request or response lifecycle. GRPCRouteFilters are meant as an extension + * point to express processing that may be done in Gateway implementations. Some + * examples include request or response modification, implementing + * authentication strategies, rate-limiting, and traffic shaping. API + * guarantee/conformance is defined based on the type of the filter. + */ + interface GRPCRouteSpecRulesFilters { + extensionRef?: pulumi.Input; + requestHeaderModifier?: pulumi.Input; + requestMirror?: pulumi.Input; + responseHeaderModifier?: pulumi.Input; + /** + * Type identifies the type of filter to apply. As with other API fields, + * types are classified into three conformance levels: + * + * + * - Core: Filter types and their corresponding configuration defined by + * "Support: Core" in this package, e.g. "RequestHeaderModifier". All + * implementations supporting GRPCRoute MUST support core filters. + * + * + * - Extended: Filter types and their corresponding configuration defined by + * "Support: Extended" in this package, e.g. "RequestMirror". Implementers + * are encouraged to support extended filters. + * + * + * - Implementation-specific: Filters that are defined and supported by specific vendors. + * In the future, filters showing convergence in behavior across multiple + * implementations will be considered for inclusion in extended or core + * conformance levels. Filter-specific configuration for such filters + * is specified using the ExtensionRef field. `Type` MUST be set to + * "ExtensionRef" for custom filters. + * + * + * Implementers are encouraged to define custom implementation types to + * extend the core API with implementation-specific behavior. + * + * + * If a reference to a custom filter type cannot be resolved, the filter + * MUST NOT be skipped. 
Instead, requests that would have been processed by + * that filter MUST receive a HTTP error response. + */ + type?: pulumi.Input; + } + /** + * ExtensionRef is an optional, implementation-specific extension to the + * "filter" behavior. For example, resource "myroutefilter" in group + * "networking.example.net"). ExtensionRef MUST NOT be used for core and + * extended filters. + * + * + * Support: Implementation-specific + * + * + * This filter can be used multiple times within the same rule. + */ + interface GRPCRouteSpecRulesFiltersExtensionRef { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. For example "HTTPRoute" or "Service". + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + } + /** + * ExtensionRef is an optional, implementation-specific extension to the + * "filter" behavior. For example, resource "myroutefilter" in group + * "networking.example.net"). ExtensionRef MUST NOT be used for core and + * extended filters. + * + * + * Support: Implementation-specific + * + * + * This filter can be used multiple times within the same rule. + */ + interface GRPCRouteSpecRulesFiltersExtensionRefPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. For example "HTTPRoute" or "Service". + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + } + /** + * GRPCRouteFilter defines processing steps that must be completed during the + * request or response lifecycle. GRPCRouteFilters are meant as an extension + * point to express processing that may be done in Gateway implementations. 
Some + * examples include request or response modification, implementing + * authentication strategies, rate-limiting, and traffic shaping. API + * guarantee/conformance is defined based on the type of the filter. + */ + interface GRPCRouteSpecRulesFiltersPatch { + extensionRef?: pulumi.Input; + requestHeaderModifier?: pulumi.Input; + requestMirror?: pulumi.Input; + responseHeaderModifier?: pulumi.Input; + /** + * Type identifies the type of filter to apply. As with other API fields, + * types are classified into three conformance levels: + * + * + * - Core: Filter types and their corresponding configuration defined by + * "Support: Core" in this package, e.g. "RequestHeaderModifier". All + * implementations supporting GRPCRoute MUST support core filters. + * + * + * - Extended: Filter types and their corresponding configuration defined by + * "Support: Extended" in this package, e.g. "RequestMirror". Implementers + * are encouraged to support extended filters. + * + * + * - Implementation-specific: Filters that are defined and supported by specific vendors. + * In the future, filters showing convergence in behavior across multiple + * implementations will be considered for inclusion in extended or core + * conformance levels. Filter-specific configuration for such filters + * is specified using the ExtensionRef field. `Type` MUST be set to + * "ExtensionRef" for custom filters. + * + * + * Implementers are encouraged to define custom implementation types to + * extend the core API with implementation-specific behavior. + * + * + * If a reference to a custom filter type cannot be resolved, the filter + * MUST NOT be skipped. Instead, requests that would have been processed by + * that filter MUST receive a HTTP error response. + */ + type?: pulumi.Input; + } + /** + * RequestHeaderModifier defines a schema for a filter that modifies request + * headers. 
+ * + * + * Support: Core + */ + interface GRPCRouteSpecRulesFiltersRequestHeaderModifier { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add?: pulumi.Input[]>; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove?: pulumi.Input[]>; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set?: pulumi.Input[]>; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. 
+ */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + /** + * RequestHeaderModifier defines a schema for a filter that modifies request + * headers. + * + * + * Support: Core + */ + interface GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add?: pulumi.Input[]>; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove?: pulumi.Input[]>; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set?: pulumi.Input[]>; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSet { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. 
+ */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + /** + * RequestMirror defines a schema for a filter that mirrors requests. + * Requests are sent to the specified destination, but responses from + * that destination are ignored. + * + * + * This filter can be used multiple times within the same rule. Note that + * not all implementations will be able to support mirroring to multiple + * backends. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesFiltersRequestMirror { + backendRef?: pulumi.Input; + } + /** + * BackendRef references a resource where mirrored requests are sent. + * + * + * Mirrored requests must be sent only to a single destination endpoint + * within this BackendRef, irrespective of how many endpoints are present + * within this BackendRef. + * + * + * If the referent cannot be found, this BackendRef is invalid and must be + * dropped from the Gateway. The controller must ensure the "ResolvedRefs" + * condition on the Route status is set to `status: False` and not configure + * this backend in the underlying implementation. + * + * + * If there is a cross-namespace reference to an *existing* object + * that is not allowed by a ReferenceGrant, the controller must ensure the + * "ResolvedRefs" condition on the Route is set to `status: False`, + * with the "RefNotPermitted" reason and not configure this backend in the + * underlying implementation. + * + * + * In either error case, the Message of the `ResolvedRefs` Condition + * should be used to provide more detail about the problem. + * + * + * Support: Extended for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + */ + interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRef { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. 
+ */ + group?: pulumi.Input; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace?: pulumi.Input; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port?: pulumi.Input; + } + /** + * BackendRef references a resource where mirrored requests are sent. + * + * + * Mirrored requests must be sent only to a single destination endpoint + * within this BackendRef, irrespective of how many endpoints are present + * within this BackendRef. + * + * + * If the referent cannot be found, this BackendRef is invalid and must be + * dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" + * condition on the Route status is set to `status: False` and not configure + * this backend in the underlying implementation. + * + * + * If there is a cross-namespace reference to an *existing* object + * that is not allowed by a ReferenceGrant, the controller must ensure the + * "ResolvedRefs" condition on the Route is set to `status: False`, + * with the "RefNotPermitted" reason and not configure this backend in the + * underlying implementation. + * + * + * In either error case, the Message of the `ResolvedRefs` Condition + * should be used to provide more detail about the problem. + * + * + * Support: Extended for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + */ + interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. 
+ * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace?: pulumi.Input; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port?: pulumi.Input; + } + /** + * RequestMirror defines a schema for a filter that mirrors requests. + * Requests are sent to the specified destination, but responses from + * that destination are ignored. + * + * + * This filter can be used multiple times within the same rule. Note that + * not all implementations will be able to support mirroring to multiple + * backends. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesFiltersRequestMirrorPatch { + backendRef?: pulumi.Input; + } + /** + * ResponseHeaderModifier defines a schema for a filter that modifies response + * headers. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesFiltersResponseHeaderModifier { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add?: pulumi.Input[]>; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. 
Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove?: pulumi.Input[]>; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set?: pulumi.Input[]>; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. 
Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + /** + * ResponseHeaderModifier defines a schema for a filter that modifies response + * headers. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add?: pulumi.Input[]>; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove?: pulumi.Input[]>; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set?: pulumi.Input[]>; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSet { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 
+ * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + /** + * GRPCRouteMatch defines the predicate used to match requests to a given + * action. Multiple match types are ANDed together, i.e. the match will + * evaluate to true only if all conditions are satisfied. + * + * + * For example, the match below will match a gRPC request only if its service + * is `foo` AND it contains the `version: v1` header: + * + * + * ``` + * matches: + * - method: + * type: Exact + * service: "foo" + * headers: + * - name: "version" + * value "v1" + * + * + * ``` + */ + interface GRPCRouteSpecRulesMatches { + /** + * Headers specifies gRPC request header matchers. Multiple match values are + * ANDed together, meaning, a request MUST match all the specified headers + * to select the route. 
+ */ + headers?: pulumi.Input[]>; + method?: pulumi.Input; + } + /** + * GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request + * headers. + */ + interface GRPCRouteSpecRulesMatchesHeaders { + /** + * Name is the name of the gRPC Header to be matched. + * + * + * If multiple entries specify equivalent header names, only the first + * entry with an equivalent name MUST be considered for a match. Subsequent + * entries with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Type specifies how to match against the value of the header. + */ + type?: pulumi.Input; + /** + * Value is the value of the gRPC Header to be matched. + */ + value?: pulumi.Input; + } + /** + * GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request + * headers. + */ + interface GRPCRouteSpecRulesMatchesHeadersPatch { + /** + * Name is the name of the gRPC Header to be matched. + * + * + * If multiple entries specify equivalent header names, only the first + * entry with an equivalent name MUST be considered for a match. Subsequent + * entries with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Type specifies how to match against the value of the header. + */ + type?: pulumi.Input; + /** + * Value is the value of the gRPC Header to be matched. + */ + value?: pulumi.Input; + } + /** + * Method specifies a gRPC request service/method matcher. If this field is + * not specified, all services and methods will match. + */ + interface GRPCRouteSpecRulesMatchesMethod { + /** + * Value of the method to match against. If left empty or omitted, will + * match all services. + * + * + * At least one of Service and Method MUST be a non-empty string. 
+ */ + method?: pulumi.Input; + /** + * Value of the service to match against. If left empty or omitted, will + * match any service. + * + * + * At least one of Service and Method MUST be a non-empty string. + */ + service?: pulumi.Input; + /** + * Type specifies how to match against the service and/or method. + * Support: Core (Exact with service and method specified) + * + * + * Support: Implementation-specific (Exact with method specified but no service specified) + * + * + * Support: Implementation-specific (RegularExpression) + */ + type?: pulumi.Input; + } + /** + * Method specifies a gRPC request service/method matcher. If this field is + * not specified, all services and methods will match. + */ + interface GRPCRouteSpecRulesMatchesMethodPatch { + /** + * Value of the method to match against. If left empty or omitted, will + * match all services. + * + * + * At least one of Service and Method MUST be a non-empty string. + */ + method?: pulumi.Input; + /** + * Value of the service to match against. If left empty or omitted, will + * match any service. + * + * + * At least one of Service and Method MUST be a non-empty string. + */ + service?: pulumi.Input; + /** + * Type specifies how to match against the service and/or method. + * Support: Core (Exact with service and method specified) + * + * + * Support: Implementation-specific (Exact with method specified but no service specified) + * + * + * Support: Implementation-specific (RegularExpression) + */ + type?: pulumi.Input; + } + /** + * GRPCRouteMatch defines the predicate used to match requests to a given + * action. Multiple match types are ANDed together, i.e. the match will + * evaluate to true only if all conditions are satisfied. 
+ * + * + * For example, the match below will match a gRPC request only if its service + * is `foo` AND it contains the `version: v1` header: + * + * + * ``` + * matches: + * - method: + * type: Exact + * service: "foo" + * headers: + * - name: "version" + * value "v1" + * + * + * ``` + */ + interface GRPCRouteSpecRulesMatchesPatch { + /** + * Headers specifies gRPC request header matchers. Multiple match values are + * ANDed together, meaning, a request MUST match all the specified headers + * to select the route. + */ + headers?: pulumi.Input[]>; + method?: pulumi.Input; + } + /** + * GRPCRouteRule defines the semantics for matching a gRPC request based on + * conditions (matches), processing it (filters), and forwarding the request to + * an API object (backendRefs). + */ + interface GRPCRouteSpecRulesPatch { + /** + * BackendRefs defines the backend(s) where matching requests should be + * sent. + * + * + * Failure behavior here depends on how many BackendRefs are specified and + * how many are invalid. + * + * + * If *all* entries in BackendRefs are invalid, and there are also no filters + * specified in this route rule, *all* traffic which matches this rule MUST + * receive an `UNAVAILABLE` status. + * + * + * See the GRPCBackendRef definition for the rules about what makes a single + * GRPCBackendRef invalid. + * + * + * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for + * requests that would have otherwise been routed to an invalid backend. If + * multiple backends are specified, and some are invalid, the proportion of + * requests that would otherwise have been routed to an invalid backend + * MUST receive an `UNAVAILABLE` status. + * + * + * For example, if two backends are specified with equal weights, and one is + * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. + * Implementations may choose how that 50 percent is determined. 
+ * + * + * Support: Core for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + * + * + * Support for weight: Core + */ + backendRefs?: pulumi.Input[]>; + /** + * Filters define the filters that are applied to requests that match + * this rule. + * + * + * The effects of ordering of multiple behaviors are currently unspecified. + * This can change in the future based on feedback during the alpha stage. + * + * + * Conformance-levels at this level are defined based on the type of filter: + * + * + * - ALL core filters MUST be supported by all implementations that support + * GRPCRoute. + * - Implementers are encouraged to support extended filters. + * - Implementation-specific custom filters have no API guarantees across + * implementations. + * + * + * Specifying the same filter multiple times is not supported unless explicitly + * indicated in the filter. + * + * + * If an implementation can not support a combination of filters, it must clearly + * document that limitation. In cases where incompatible or unsupported + * filters are specified and cause the `Accepted` condition to be set to status + * `False`, implementations may use the `IncompatibleFilters` reason to specify + * this configuration error. + * + * + * Support: Core + */ + filters?: pulumi.Input[]>; + /** + * Matches define conditions used for matching the rule against incoming + * gRPC requests. Each match is independent, i.e. this rule will be matched + * if **any** one of the matches is satisfied. 
+ * + * + * For example, take the following matches configuration: + * + * + * ``` + * matches: + * - method: + * service: foo.bar + * headers: + * values: + * version: 2 + * - method: + * service: foo.bar.v2 + * ``` + * + * + * For a request to match against this rule, it MUST satisfy + * EITHER of the two conditions: + * + * + * - service of foo.bar AND contains the header `version: 2` + * - service of foo.bar.v2 + * + * + * See the documentation for GRPCRouteMatch on how to specify multiple + * match conditions to be ANDed together. + * + * + * If no matches are specified, the implementation MUST match every gRPC request. + * + * + * Proxy or Load Balancer routing configuration generated from GRPCRoutes + * MUST prioritize rules based on the following criteria, continuing on + * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + * Precedence MUST be given to the rule with the largest number of: + * + * + * * Characters in a matching non-wildcard hostname. + * * Characters in a matching hostname. + * * Characters in a matching service. + * * Characters in a matching method. + * * Header matches. + * + * + * If ties still exist across multiple Routes, matching precedence MUST be + * determined in order of the following criteria, continuing on ties: + * + * + * * The oldest Route based on creation timestamp. + * * The Route appearing first in alphabetical order by + * "{namespace}/{name}". + * + * + * If ties still exist within the Route that has been given precedence, + * matching precedence MUST be granted to the first matching rule meeting + * the above criteria. + */ + matches?: pulumi.Input[]>; + sessionPersistence?: pulumi.Input; + } + /** + * SessionPersistence defines and configures session persistence + * for the route rule. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesSessionPersistence { + /** + * AbsoluteTimeout defines the absolute timeout of the persistent + * session. 
Once the AbsoluteTimeout duration has elapsed, the + * session becomes invalid. + * + * + * Support: Extended + */ + absoluteTimeout?: pulumi.Input; + cookieConfig?: pulumi.Input; + /** + * IdleTimeout defines the idle timeout of the persistent session. + * Once the session has been idle for more than the specified + * IdleTimeout duration, the session becomes invalid. + * + * + * Support: Extended + */ + idleTimeout?: pulumi.Input; + /** + * SessionName defines the name of the persistent session token + * which may be reflected in the cookie or the header. Users + * should avoid reusing session names to prevent unintended + * consequences, such as rejection or unpredictable behavior. + * + * + * Support: Implementation-specific + */ + sessionName?: pulumi.Input; + /** + * Type defines the type of session persistence such as through + * the use a header or cookie. Defaults to cookie based session + * persistence. + * + * + * Support: Core for "Cookie" type + * + * + * Support: Extended for "Header" type + */ + type?: pulumi.Input; + } + /** + * CookieConfig provides configuration settings that are specific + * to cookie-based session persistence. + * + * + * Support: Core + */ + interface GRPCRouteSpecRulesSessionPersistenceCookieConfig { + /** + * LifetimeType specifies whether the cookie has a permanent or + * session-based lifetime. A permanent cookie persists until its + * specified expiry time, defined by the Expires or Max-Age cookie + * attributes, while a session cookie is deleted when the current + * session ends. + * + * + * When set to "Permanent", AbsoluteTimeout indicates the + * cookie's lifetime via the Expires or Max-Age cookie attributes + * and is required. + * + * + * When set to "Session", AbsoluteTimeout indicates the + * absolute lifetime of the cookie tracked by the gateway and + * is optional. 
+ * + * + * Support: Core for "Session" type + * + * + * Support: Extended for "Permanent" type + */ + lifetimeType?: pulumi.Input; + } + /** + * CookieConfig provides configuration settings that are specific + * to cookie-based session persistence. + * + * + * Support: Core + */ + interface GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch { + /** + * LifetimeType specifies whether the cookie has a permanent or + * session-based lifetime. A permanent cookie persists until its + * specified expiry time, defined by the Expires or Max-Age cookie + * attributes, while a session cookie is deleted when the current + * session ends. + * + * + * When set to "Permanent", AbsoluteTimeout indicates the + * cookie's lifetime via the Expires or Max-Age cookie attributes + * and is required. + * + * + * When set to "Session", AbsoluteTimeout indicates the + * absolute lifetime of the cookie tracked by the gateway and + * is optional. + * + * + * Support: Core for "Session" type + * + * + * Support: Extended for "Permanent" type + */ + lifetimeType?: pulumi.Input; + } + /** + * SessionPersistence defines and configures session persistence + * for the route rule. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesSessionPersistencePatch { + /** + * AbsoluteTimeout defines the absolute timeout of the persistent + * session. Once the AbsoluteTimeout duration has elapsed, the + * session becomes invalid. + * + * + * Support: Extended + */ + absoluteTimeout?: pulumi.Input; + cookieConfig?: pulumi.Input; + /** + * IdleTimeout defines the idle timeout of the persistent session. + * Once the session has been idle for more than the specified + * IdleTimeout duration, the session becomes invalid. + * + * + * Support: Extended + */ + idleTimeout?: pulumi.Input; + /** + * SessionName defines the name of the persistent session token + * which may be reflected in the cookie or the header. 
Users + * should avoid reusing session names to prevent unintended + * consequences, such as rejection or unpredictable behavior. + * + * + * Support: Implementation-specific + */ + sessionName?: pulumi.Input; + /** + * Type defines the type of session persistence such as through + * the use a header or cookie. Defaults to cookie based session + * persistence. + * + * + * Support: Core for "Cookie" type + * + * + * Support: Extended for "Header" type + */ + type?: pulumi.Input; + } + /** + * Status defines the current state of GRPCRoute. + */ + interface GRPCRouteStatus { + /** + * Parents is a list of parent resources (usually Gateways) that are + * associated with the route, and the status of the route with respect to + * each parent. When this route attaches to a parent, the controller that + * manages the parent must add an entry to this list when the controller + * first sees the route and should update the entry as appropriate when the + * route or gateway is modified. + * + * + * Note that parent references that cannot be resolved by an implementation + * of this API will not be added to this list. Implementations of this API + * can only populate Route status for the Gateways/parent resources they are + * responsible for. + * + * + * A maximum of 32 Gateways will be represented in this list. An empty list + * means the route has not been attached to any Gateway. + */ + parents?: pulumi.Input[]>; + } + /** + * RouteParentStatus describes the status of a route with respect to an + * associated Parent. + */ + interface GRPCRouteStatusParents { + /** + * Conditions describes the status of the route with respect to the Gateway. + * Note that the route's availability is also subject to the Gateway's own + * status conditions and listener status. 
+ * + * + * If the Route's ParentRef specifies an existing Gateway that supports + * Routes of this kind AND that Gateway's controller has sufficient access, + * then that Gateway's controller MUST set the "Accepted" condition on the + * Route, to indicate whether the route has been accepted or rejected by the + * Gateway, and why. + * + * + * A Route MUST be considered "Accepted" if at least one of the Route's + * rules is implemented by the Gateway. + * + * + * There are a number of cases where the "Accepted" condition may not be set + * due to lack of controller visibility, that includes when: + * + * + * * The Route refers to a non-existent parent. + * * The Route is of a type that the controller does not support. + * * The Route is in a namespace the controller does not have access to. + */ + conditions?: pulumi.Input[]>; + /** + * ControllerName is a domain/path string that indicates the name of the + * controller that wrote this status. This corresponds with the + * controllerName field on GatewayClass. + * + * + * Example: "example.net/gateway-controller". + * + * + * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + * valid Kubernetes names + * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + * + * + * Controllers MUST populate this field when writing status. Controllers should ensure that + * entries to status populated with their ControllerName are cleaned up when they are no + * longer necessary. + */ + controllerName?: pulumi.Input; + parentRef?: pulumi.Input; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. 
+ * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ - interface XListenerSetStatusListenersConditions { + interface GRPCRouteStatusParentsConditions { /** * lastTransitionTime is the last time the condition transitioned from one status to another. * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
@@ -34670,223 +27356,382 @@ export declare namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } /** - * RouteGroupKind indicates the group and kind of a Route resource. + * ParentRef corresponds with a ParentRef in the spec that this + * RouteParentStatus struct describes the status of. */ - interface XListenerSetStatusListenersSupportedKinds { + interface GRPCRouteStatusParentsParentRef { /** - * Group is the group of the Route. + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. + * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core */ group?: pulumi.Input; /** - * Kind is the kind of the Route. + * Kind is kind of the referent. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the referent. When unspecified, this refers + * to the local namespace of the Route. + * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. 
For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + * + * + * + * Support: Core + */ + namespace?: pulumi.Input; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. + * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. + * + * + * + * Implementations MAY choose to support other parent resources. + * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. + * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. 
For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. + * + * + * Support: Extended + */ + port?: pulumi.Input; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. + * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. + * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. + * + * + * Support: Core + */ + sectionName?: pulumi.Input; } /** - * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh. 
+ * ReferenceGrant identifies kinds of resources in other namespaces that are + * trusted to reference the specified kinds of resources in the same namespace + * as the policy. + * + * + * Each ReferenceGrant can be used to represent a unique trust relationship. + * Additional Reference Grants can be used to add to the set of trusted + * sources of inbound references for the namespace they are defined within. + * + * + * A ReferenceGrant is required for all cross-namespace references in Gateway API + * (with the exception of cross-namespace Route-Gateway attachment, which is + * governed by the AllowedRoutes configuration on the Gateway, and cross-namespace + * Service ParentRefs on a "consumer" mesh Route, which defines routing rules + * applicable only to workloads in the Route namespace). ReferenceGrants allowing + * a reference from a Route to a Service are only applicable to BackendRefs. + * + * + * ReferenceGrant is a form of runtime verification allowing users to assert + * which cross-namespace object references are permitted. Implementations that + * support ReferenceGrant MUST NOT permit cross-namespace references which have + * no grant, and MUST respond to the removal of a grant by revoking the access + * that the grant allowed. */ - interface XMesh { + interface ReferenceGrant { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"XMesh">; + kind?: pulumi.Input<"ReferenceGrant">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ metadata?: pulumi.Input; - spec?: pulumi.Input; - status?: pulumi.Input; + spec?: pulumi.Input; } /** - * Spec defines the desired state of XMesh. + * Spec defines the desired state of ReferenceGrant. */ - interface XMeshSpec { + interface ReferenceGrantSpec { /** - * ControllerName is the name of a controller that is managing Gateway API - * resources for mesh traffic management. The value of this field MUST be a - * domain prefixed path. + * From describes the trusted namespaces and kinds that can reference the + * resources described in "To". Each entry in this list MUST be considered + * to be an additional place that references can be valid from, or to put + * this another way, entries MUST be combined using OR. * - * Example: "example.com/awesome-mesh". - * - * This field is not mutable and cannot be empty. * * Support: Core */ - controllerName?: pulumi.Input; + from?: pulumi.Input[]>; /** - * Description optionally provides a human-readable description of a Mesh. + * To describes the resources that may be referenced by the resources + * described in "From". Each entry in this list MUST be considered to be an + * additional place that references can be valid to, or to put this another + * way, entries MUST be combined using OR. + * + * + * Support: Core */ - description?: pulumi.Input; - parametersRef?: pulumi.Input; + to?: pulumi.Input[]>; } /** - * ParametersRef is an optional reference to a resource that contains - * implementation-specific configuration for this Mesh. If no - * implementation-specific parameters are needed, this field MUST be - * omitted. - * - * ParametersRef can reference a standard Kubernetes resource, i.e. 
- * ConfigMap, or an implementation-specific custom resource. The resource - * can be cluster-scoped or namespace-scoped. - * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Mesh MUST be rejected - * with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. - * - * Support: Implementation-specific + * ReferenceGrantFrom describes trusted namespaces and kinds. */ - interface XMeshSpecParametersRef { + interface ReferenceGrantSpecFrom { /** * Group is the group of the referent. + * When empty, the Kubernetes core API group is inferred. + * + * + * Support: Core */ group?: pulumi.Input; /** - * Kind is kind of the referent. + * Kind is the kind of the referent. Although implementations may support + * additional resources, the following types are part of the "Core" + * support level for this field. + * + * + * When used to permit a SecretObjectReference: + * + * + * * Gateway + * + * + * When used to permit a BackendObjectReference: + * + * + * * GRPCRoute + * * HTTPRoute + * * TCPRoute + * * TLSRoute + * * UDPRoute */ kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; /** * Namespace is the namespace of the referent. - * This field is required when referring to a Namespace-scoped resource and - * MUST be unset when referring to a Cluster-scoped resource. + * + * + * Support: Core */ namespace?: pulumi.Input; } /** - * ParametersRef is an optional reference to a resource that contains - * implementation-specific configuration for this Mesh. If no - * implementation-specific parameters are needed, this field MUST be - * omitted. - * - * ParametersRef can reference a standard Kubernetes resource, i.e. - * ConfigMap, or an implementation-specific custom resource. The resource - * can be cluster-scoped or namespace-scoped. 
- * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Mesh MUST be rejected - * with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. - * - * Support: Implementation-specific + * ReferenceGrantFrom describes trusted namespaces and kinds. */ - interface XMeshSpecParametersRefPatch { + interface ReferenceGrantSpecFromPatch { /** * Group is the group of the referent. + * When empty, the Kubernetes core API group is inferred. + * + * + * Support: Core */ group?: pulumi.Input; /** - * Kind is kind of the referent. + * Kind is the kind of the referent. Although implementations may support + * additional resources, the following types are part of the "Core" + * support level for this field. + * + * + * When used to permit a SecretObjectReference: + * + * + * * Gateway + * + * + * When used to permit a BackendObjectReference: + * + * + * * GRPCRoute + * * HTTPRoute + * * TCPRoute + * * TLSRoute + * * UDPRoute */ kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; /** * Namespace is the namespace of the referent. - * This field is required when referring to a Namespace-scoped resource and - * MUST be unset when referring to a Cluster-scoped resource. + * + * + * Support: Core */ namespace?: pulumi.Input; } /** - * Spec defines the desired state of XMesh. + * Spec defines the desired state of ReferenceGrant. */ - interface XMeshSpecPatch { + interface ReferenceGrantSpecPatch { /** - * ControllerName is the name of a controller that is managing Gateway API - * resources for mesh traffic management. The value of this field MUST be a - * domain prefixed path. + * From describes the trusted namespaces and kinds that can reference the + * resources described in "To". 
Each entry in this list MUST be considered + * to be an additional place that references can be valid from, or to put + * this another way, entries MUST be combined using OR. * - * Example: "example.com/awesome-mesh". - * - * This field is not mutable and cannot be empty. * * Support: Core */ - controllerName?: pulumi.Input; + from?: pulumi.Input[]>; /** - * Description optionally provides a human-readable description of a Mesh. - */ - description?: pulumi.Input; - parametersRef?: pulumi.Input; - } - /** - * Status defines the current state of XMesh. - */ - interface XMeshStatus { - /** - * Conditions is the current status from the controller for - * this Mesh. + * To describes the resources that may be referenced by the resources + * described in "From". Each entry in this list MUST be considered to be an + * additional place that references can be valid to, or to put this another + * way, entries MUST be combined using OR. * - * Controllers should prefer to publish conditions using values - * of MeshConditionType for the type of each Condition. + * + * Support: Core */ - conditions?: pulumi.Input[]>; - /** - * SupportedFeatures is the set of features the Mesh support. - * It MUST be sorted in ascending alphabetical order by the Name key. - */ - supportedFeatures?: pulumi.Input[]>; + to?: pulumi.Input[]>; } /** - * Condition contains details for one aspect of the current state of this API Resource. + * ReferenceGrantTo describes what Kinds are allowed as targets of the + * references. */ - interface XMeshStatusConditions { + interface ReferenceGrantSpecTo { /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + * Group is the group of the referent. + * When empty, the Kubernetes core API group is inferred. 
+ * + * + * Support: Core */ - lastTransitionTime?: pulumi.Input; + group?: pulumi.Input; /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. + * Kind is the kind of the referent. Although implementations may support + * additional resources, the following types are part of the "Core" + * support level for this field: + * + * + * * Secret when used to permit a SecretObjectReference + * * Service when used to permit a BackendObjectReference */ - message?: pulumi.Input; + kind?: pulumi.Input; /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration?: pulumi.Input; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason?: pulumi.Input; - /** - * status of the condition, one of True, False, Unknown. - */ - status?: pulumi.Input; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type?: pulumi.Input; - } - interface XMeshStatusSupportedFeatures { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. + * Name is the name of the referent. When unspecified, this policy + * refers to all resources of the specified Group and Kind in the local + * namespace. + */ + name?: pulumi.Input; + } + /** + * ReferenceGrantTo describes what Kinds are allowed as targets of the + * references. + */ + interface ReferenceGrantSpecToPatch { + /** + * Group is the group of the referent. 
+ * When empty, the Kubernetes core API group is inferred. + * + * + * Support: Core + */ + group?: pulumi.Input; + /** + * Kind is the kind of the referent. Although implementations may support + * additional resources, the following types are part of the "Core" + * support level for this field: + * + * + * * Secret when used to permit a SecretObjectReference + * * Service when used to permit a BackendObjectReference + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. When unspecified, this policy + * refers to all resources of the specified Group and Kind in the local + * namespace. */ name?: pulumi.Input; } - } - namespace v1alpha2 { /** * TCPRoute provides a way to route TCP requests. When combined with a Gateway * listener, it can be used to forward connections on the port specified by the @@ -34924,16 +27769,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -34943,8 +27793,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -34952,12 +27804,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -34965,10 +27819,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -34980,33 +27836,21 @@ export declare namespace gateway { * Rules are a list of TCP matchers and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** * ParentReference identifies an API object (usually a Gateway) that can be considered * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -35017,23 +27861,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -35041,6 +27890,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -35048,10 +27898,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -35059,6 +27911,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -35066,6 +27919,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -35075,15 +27929,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -35092,6 +27949,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -35099,6 +27957,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -35106,10 +27965,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -35119,6 +27980,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -35128,12 +27990,15 @@ export declare namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -35144,23 +28009,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -35168,6 +28038,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -35175,10 +28046,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -35186,6 +28059,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -35193,6 +28067,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -35202,15 +28077,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -35219,6 +28097,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -35226,6 +28105,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -35233,10 +28113,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -35246,6 +28128,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -35266,16 +28149,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -35285,8 +28173,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -35294,12 +28184,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -35307,10 +28199,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -35322,21 +28216,6 @@ export declare namespace gateway { * Rules are a list of TCP matchers and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** * TCPRouteRule is the configuration for a given rule. 
@@ -35344,53 +28223,61 @@ export declare namespace gateway { interface TCPRouteSpecRules { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or a + * sent. If unspecified or invalid (refers to a non-existent resource or a * Service with no endpoints), the underlying implementation MUST actively * reject connection attempts to this backend. Connection rejections must * respect weight; if an invalid backend is requested to have 80% of * connections, then 80% of connections must be rejected instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; } /** * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. 
Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. @@ -35405,16 +28292,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -35426,11 +28317,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -35450,11 +28343,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; @@ -35463,27 +28358,37 @@ export declare namespace gateway { * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. 
@@ -35498,16 +28403,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -35519,11 +28428,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -35543,11 +28454,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; 
@@ -35558,27 +28471,25 @@ export declare namespace gateway { interface TCPRouteSpecRulesPatch { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or a + * sent. If unspecified or invalid (refers to a non-existent resource or a * Service with no endpoints), the underlying implementation MUST actively * reject connection attempts to this backend. Connection rejections must * respect weight; if an invalid backend is requested to have 80% of * connections, then 80% of connections must be rejected instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; } /** * Status defines the current state of TCPRoute. @@ -35592,11 +28503,13 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -35612,19 +28525,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -35634,12 +28551,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -35649,6 +28569,22 @@ export declare namespace gateway { } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface TCPRouteStatusParentsConditions { /** @@ -35681,6 +28617,10 @@ export declare namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } @@ -35695,23 +28635,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -35719,6 +28664,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -35726,10 +28672,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -35737,6 +28685,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -35744,6 +28693,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -35753,15 +28703,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -35770,6 +28723,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -35777,6 +28731,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -35784,10 +28739,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -35797,6 +28754,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -35806,6 +28764,7 @@ export declare namespace gateway { * to match against TLS-specific metadata. This allows more flexibility * in matching streams for a given TLS listener. * + * * If you need to forward traffic to a single target for a TLS listener, you * could choose to use a TCPRoute with a TLS listener. */ @@ -35834,14 +28793,17 @@ export declare namespace gateway { * SNI attribute of TLS ClientHello message in TLS handshake. This matches * the RFC 1123 definition of a hostname with 2 notable exceptions: * + * * 1. IPs are not allowed in SNI names per RFC 6066. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and TLSRoute, there * must be at least one intersecting hostname for the TLSRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches TLSRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -35851,17 +28813,20 @@ export declare namespace gateway { * `test.example.com` and `*.example.com` would both match. On the other * hand, `example.com` and `test.example.net` would not match. * + * * If both the Listener and TLSRoute have specified hostnames, any * TLSRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * TLSRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and TLSRoute have specified hostnames, and none * match with the criteria above, then the TLSRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * Support: Core */ hostnames?: pulumi.Input[]>; @@ -35877,16 +28842,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -35896,8 +28866,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -35905,12 +28877,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -35918,10 +28892,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -35933,33 +28909,21 @@ export declare namespace gateway { * Rules are a list of TLS matchers and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** * ParentReference identifies an API object (usually a Gateway) that can be considered * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -35970,23 +28934,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -35994,6 +28963,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -36001,10 +28971,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -36012,6 +28984,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -36019,6 +28992,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -36028,15 +29002,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -36045,6 +29022,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -36052,6 +29030,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -36059,10 +29038,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -36072,6 +29053,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -36081,12 +29063,15 @@ export declare namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -36097,23 +29082,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -36121,6 +29111,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -36128,10 +29119,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -36139,6 +29132,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -36146,6 +29140,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -36155,15 +29150,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -36172,6 +29170,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -36179,6 +29178,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -36186,10 +29186,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -36199,6 +29201,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -36212,14 +29215,17 @@ export declare namespace gateway { * SNI attribute of TLS ClientHello message in TLS handshake. This matches * the RFC 1123 definition of a hostname with 2 notable exceptions: * + * * 1. IPs are not allowed in SNI names per RFC 6066. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and TLSRoute, there * must be at least one intersecting hostname for the TLSRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches TLSRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. @@ -36229,17 +29235,20 @@ export declare namespace gateway { * `test.example.com` and `*.example.com` would both match. On the other * hand, `example.com` and `test.example.net` would not match. * + * * If both the Listener and TLSRoute have specified hostnames, any * TLSRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * TLSRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and TLSRoute have specified hostnames, and none * match with the criteria above, then the TLSRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * Support: Core */ hostnames?: pulumi.Input[]>; 
@@ -36255,16 +29264,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -36274,8 +29288,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -36283,12 +29299,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -36296,10 +29314,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -36311,21 +29331,6 @@ export declare namespace gateway { * Rules are a list of TLS matchers and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** * TLSRouteRule is the configuration for a given rule. 
@@ -36333,7 +29338,7 @@ export declare namespace gateway { interface TLSRouteSpecRules { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or + * sent. If unspecified or invalid (refers to a non-existent resource or * a Service with no endpoints), the rule performs no forwarding; if no * filters are specified that would result in a response being sent, the * underlying implementation must actively reject request attempts to this 
@@ -36342,47 +29347,55 @@ export declare namespace gateway { * requested to have 80% of requests, then 80% of requests must be rejected * instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; } /** * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. 
@@ -36397,16 +29410,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -36418,11 +29435,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -36442,11 +29461,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; 
@@ -36455,27 +29476,37 @@ export declare namespace gateway { * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. 
@@ -36490,16 +29521,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -36511,11 +29546,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -36535,11 +29572,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; 
@@ -36550,7 +29589,7 @@ export declare namespace gateway { interface TLSRouteSpecRulesPatch { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or + * sent. If unspecified or invalid (refers to a non-existent resource or * a Service with no endpoints), the rule performs no forwarding; if no * filters are specified that would result in a response being sent, the * underlying implementation must actively reject request attempts to this @@ -36559,21 +29598,19 @@ export declare namespace gateway { * requested to have 80% of requests, then 80% of requests must be rejected * instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; } /** * Status defines the current state of TLSRoute. @@ -36587,11 +29624,13 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -36607,19 +29646,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -36629,12 +29672,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -36644,6 +29690,22 @@ export declare namespace gateway { } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface TLSRouteStatusParentsConditions { /** @@ -36676,6 +29738,10 @@ export declare namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } @@ -36690,23 +29756,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -36714,6 +29785,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -36721,10 +29793,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -36732,6 +29806,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -36739,6 +29814,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -36748,15 +29824,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -36765,6 +29844,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -36772,6 +29852,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -36779,10 +29860,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -36792,6 +29875,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -36833,16 +29917,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -36852,8 +29941,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -36861,12 +29952,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -36874,10 +29967,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -36889,33 +29984,21 @@ export declare namespace gateway { * Rules are a list of UDP matchers and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** * ParentReference identifies an API object (usually a Gateway) that can be considered * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -36926,23 +30009,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -36950,6 +30038,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -36957,10 +30046,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -36968,6 +30059,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -36975,6 +30067,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -36984,15 +30077,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -37001,6 +30097,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -37008,6 +30105,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -37015,10 +30113,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -37028,6 +30128,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -37037,12 +30138,15 @@ export declare namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -37053,23 +30157,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -37077,6 +30186,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -37084,10 +30194,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -37095,6 +30207,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -37102,6 +30215,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -37111,15 +30225,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -37128,6 +30245,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -37135,6 +30253,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -37142,10 +30261,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -37155,6 +30276,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -37175,16 +30297,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -37194,8 +30321,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -37203,12 +30332,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -37216,10 +30347,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -37231,21 +30364,6 @@ export declare namespace gateway { * Rules are a list of UDP matchers and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** * UDPRouteRule is the configuration for a given rule. 
@@ -37253,53 +30371,61 @@ export declare namespace gateway { interface UDPRouteSpecRules { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or a + * sent. If unspecified or invalid (refers to a non-existent resource or a * Service with no endpoints), the underlying implementation MUST actively * reject connection attempts to this backend. Packet drops must * respect weight; if an invalid backend is requested to have 80% of * the packets, then 80% of packets must be dropped instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; } /** * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. 
Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. @@ -37314,16 +30440,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -37335,11 +30465,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -37359,11 +30491,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; @@ -37372,27 +30506,37 @@ export declare namespace gateway { * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. 
@@ -37407,16 +30551,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -37428,11 +30576,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -37452,11 +30602,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; 
@@ -37467,27 +30619,25 @@ export declare namespace gateway { interface UDPRouteSpecRulesPatch { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or a + * sent. If unspecified or invalid (refers to a non-existent resource or a * Service with no endpoints), the underlying implementation MUST actively * reject connection attempts to this backend. Packet drops must * respect weight; if an invalid backend is requested to have 80% of * the packets, then 80% of packets must be dropped instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; } /** * Status defines the current state of UDPRoute. @@ -37501,11 +30651,13 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -37521,19 +30673,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -37543,12 +30699,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -37558,6 +30717,22 @@ export declare namespace gateway { } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface UDPRouteStatusParentsConditions { /** @@ -37590,6 +30765,10 @@ export declare namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } @@ -37604,23 +30783,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -37628,6 +30812,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -37635,10 +30820,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -37646,6 +30833,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -37653,6 +30841,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -37662,15 +30851,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -37679,6 +30871,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -37686,6 +30879,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -37693,10 +30887,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -37706,6 +30902,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -37736,21 +30933,6 @@ export declare namespace gateway { * Spec defines the desired state of BackendTLSPolicy. */ interface BackendTLSPolicySpec { - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; /** * TargetRefs identifies an API object to apply the policy to. * Only Services have Extended support. Implementations MAY support 
@@ -37759,32 +30941,10 @@ export declare namespace gateway { * by default, but this default may change in the future to provide * a more granular application of the policy. * - * TargetRefs must be _distinct_. This means either that: - * - * * They select different targets. If this is the case, then targetRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, and `name` must - * be unique across all targetRef entries in the BackendTLSPolicy. - * * They select different sectionNames in the same target. - * - * When more than one BackendTLSPolicy selects the same target and - * sectionName, implementations MUST determine precedence using the - * following criteria, continuing on ties: - * - * * The older policy by creation timestamp takes precedence. For - * example, a policy with a creation timestamp of "2021-07-15 - * 01:02:03" MUST be given precedence over a policy with a - * creation timestamp of "2021-07-15 01:02:04". - * * The policy appearing first in alphabetical order by {name}. - * For example, a policy named `bar` is given precedence over a - * policy named `baz`. - * - * For any BackendTLSPolicy that does not take precedence, the - * implementation MUST ensure the `Accepted` Condition is set to - * `status: False`, with Reason `Conflicted`. * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ targetRefs?: pulumi.Input[]>; 
@@ -37794,21 +30954,6 @@ export declare namespace gateway { * Spec defines the desired state of BackendTLSPolicy. */ interface BackendTLSPolicySpecPatch { - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; /** * TargetRefs identifies an API object to apply the policy to. * Only Services have Extended support. Implementations MAY support 
@@ -37817,32 +30962,10 @@ export declare namespace gateway { * by default, but this default may change in the future to provide * a more granular application of the policy. * - * TargetRefs must be _distinct_. This means either that: - * - * * They select different targets. If this is the case, then targetRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, and `name` must - * be unique across all targetRef entries in the BackendTLSPolicy. - * * They select different sectionNames in the same target. - * - * When more than one BackendTLSPolicy selects the same target and - * sectionName, implementations MUST determine precedence using the - * following criteria, continuing on ties: - * - * * The older policy by creation timestamp takes precedence. For - * example, a policy with a creation timestamp of "2021-07-15 - * 01:02:03" MUST be given precedence over a policy with a - * creation timestamp of "2021-07-15 01:02:04". - * * The policy appearing first in alphabetical order by {name}. - * For example, a policy named `bar` is given precedence over a - * policy named `baz`. - * - * For any BackendTLSPolicy that does not take precedence, the - * implementation MUST ensure the `Accepted` Condition is set to - * `status: False`, with Reason `Conflicted`. * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ targetRefs?: pulumi.Input[]>; @@ -37855,6 +30978,7 @@ export declare namespace gateway { * mode works, and a sample Policy resource, refer to the policy attachment * documentation for Gateway API. * + * * Note: This should only be used for direct policy attachment when references * to SectionName are actually needed. In all other cases, * LocalPolicyTargetReference should be used. 
@@ -37877,10 +31001,12 @@ export declare namespace gateway { * unspecified, this targetRef targets the entire resource. In the following * resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name * * HTTPRoute: HTTPRouteRule name * * Service: Port name * + * * If a SectionName is specified, but does not exist on the targeted object, * the Policy must fail to attach, and the policy implementation should record * a `ResolvedRefs` or similar Condition in the Policy's status. @@ -37894,6 +31020,7 @@ export declare namespace gateway { * mode works, and a sample Policy resource, refer to the policy attachment * documentation for Gateway API. * + * * Note: This should only be used for direct policy attachment when references * to SectionName are actually needed. In all other cases, * LocalPolicyTargetReference should be used. @@ -37916,10 +31043,12 @@ export declare namespace gateway { * unspecified, this targetRef targets the entire resource. In the following * resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name * * HTTPRoute: HTTPRouteRule name * * Service: Port name * + * * If a SectionName is specified, but does not exist on the targeted object, * the Policy must fail to attach, and the policy implementation should record * a `ResolvedRefs` or similar Condition in the Policy's status. 
@@ -37935,81 +31064,55 @@ export declare namespace gateway { * contain a PEM-encoded TLS CA certificate bundle, which is used to * validate a TLS handshake between the Gateway and backend Pod. * + * * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - * not both. If CACertificateRefs is empty or unspecified, the configuration for + * not both. If CACertifcateRefs is empty or unspecified, the configuration for * WellKnownCACertificates MUST be honored instead if supported by the implementation. * - * A CACertificateRef is invalid if: * - * * It refers to a resource that cannot be resolved (e.g., the referenced resource - * does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - * named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` - * and the Message of the Condition must indicate which reference is invalid and why. + * References to a resource in a different namespace are invalid for the + * moment, although we will revisit this in the future. * - * * It refers to an unknown or unsupported kind of resource. In this case, the Reason - * must be set to `InvalidKind` and the Message of the Condition must explain which - * kind of resource is unknown or unsupported. - * - * * It refers to a resource in another namespace. This may change in future - * spec updates. - * - * Implementations MAY choose to perform further validation of the certificate - * content (e.g., checking expiry or enforcing specific formats). In such cases, - * an implementation-specific Reason and Message must be set for the invalid reference. - * - * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - * the BackendTLSPolicy is set to `status: False`, with a Reason and Message - * that indicate the cause of the error. 
Connections using an invalid - * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - * response. If ALL CACertificateRefs are invalid, the implementation MUST also - * ensure the `Accepted` Condition on the BackendTLSPolicy is set to - * `status: False`, with a Reason `NoValidCACertificate`. * * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a backend, but this behavior is implementation-specific. * + * * Support: Core - An optional single reference to a Kubernetes ConfigMap, * with the CA certificate in a key named `ca.crt`. * - * Support: Implementation-specific - More than one reference, other kinds - * of resources, or a single reference that includes multiple certificates. + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). */ caCertificateRefs?: pulumi.Input[]>; /** * Hostname is used for two purposes in the connection between Gateways and * backends: * + * * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). * 2. Hostname MUST be used for authentication and MUST match the certificate - * served by the matching backend, unless SubjectAltNames is specified. - * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - * but MUST NOT be used for authentication. If you want to use the value - * of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. + * served by the matching backend. + * * * Support: Core */ hostname?: pulumi.Input; - /** - * SubjectAltNames contains one or more Subject Alternative Names. - * When specified the certificate served from the backend MUST - * have at least one Subject Alternate Name matching one of the specified SubjectAltNames. 
- * - * Support: Extended - */ - subjectAltNames?: pulumi.Input[]>; /** * WellKnownCACertificates specifies whether system CA certificates may be used in * the TLS handshake between the gateway and backend pod. * + * * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs * must be specified with at least one entry for a valid configuration. Only one of - * CACertificateRefs or WellKnownCACertificates may be specified, not both. - * If an implementation does not support the WellKnownCACertificates field, or - * the supplied value is not recognized, the implementation MUST ensure the - * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - * a Reason `Invalid`. + * CACertificateRefs or WellKnownCACertificates may be specified, not both. If an + * implementation does not support the WellKnownCACertificates field or the value + * supplied is not supported, the Status Conditions on the Policy MUST be + * updated to include an Accepted: False Condition with Reason: Invalid. + * * * Support: Implementation-specific */ @@ -38021,6 +31124,7 @@ export declare namespace gateway { * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. @@ -38046,6 +31150,7 @@ export declare namespace gateway { * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. 
@@ -38074,140 +31179,60 @@ export declare namespace gateway { * contain a PEM-encoded TLS CA certificate bundle, which is used to * validate a TLS handshake between the Gateway and backend Pod. * + * * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - * not both. If CACertificateRefs is empty or unspecified, the configuration for + * not both. If CACertifcateRefs is empty or unspecified, the configuration for * WellKnownCACertificates MUST be honored instead if supported by the implementation. * - * A CACertificateRef is invalid if: * - * * It refers to a resource that cannot be resolved (e.g., the referenced resource - * does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - * named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` - * and the Message of the Condition must indicate which reference is invalid and why. + * References to a resource in a different namespace are invalid for the + * moment, although we will revisit this in the future. * - * * It refers to an unknown or unsupported kind of resource. In this case, the Reason - * must be set to `InvalidKind` and the Message of the Condition must explain which - * kind of resource is unknown or unsupported. - * - * * It refers to a resource in another namespace. This may change in future - * spec updates. - * - * Implementations MAY choose to perform further validation of the certificate - * content (e.g., checking expiry or enforcing specific formats). In such cases, - * an implementation-specific Reason and Message must be set for the invalid reference. - * - * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - * the BackendTLSPolicy is set to `status: False`, with a Reason and Message - * that indicate the cause of the error. 
Connections using an invalid - * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - * response. If ALL CACertificateRefs are invalid, the implementation MUST also - * ensure the `Accepted` Condition on the BackendTLSPolicy is set to - * `status: False`, with a Reason `NoValidCACertificate`. * * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a backend, but this behavior is implementation-specific. * + * * Support: Core - An optional single reference to a Kubernetes ConfigMap, * with the CA certificate in a key named `ca.crt`. * - * Support: Implementation-specific - More than one reference, other kinds - * of resources, or a single reference that includes multiple certificates. + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). */ caCertificateRefs?: pulumi.Input[]>; /** * Hostname is used for two purposes in the connection between Gateways and * backends: * + * * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). * 2. Hostname MUST be used for authentication and MUST match the certificate - * served by the matching backend, unless SubjectAltNames is specified. - * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - * but MUST NOT be used for authentication. If you want to use the value - * of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. + * served by the matching backend. + * * * Support: Core */ hostname?: pulumi.Input; - /** - * SubjectAltNames contains one or more Subject Alternative Names. - * When specified the certificate served from the backend MUST - * have at least one Subject Alternate Name matching one of the specified SubjectAltNames. 
- * - * Support: Extended - */ - subjectAltNames?: pulumi.Input[]>; /** * WellKnownCACertificates specifies whether system CA certificates may be used in * the TLS handshake between the gateway and backend pod. * + * * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs * must be specified with at least one entry for a valid configuration. Only one of - * CACertificateRefs or WellKnownCACertificates may be specified, not both. - * If an implementation does not support the WellKnownCACertificates field, or - * the supplied value is not recognized, the implementation MUST ensure the - * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - * a Reason `Invalid`. + * CACertificateRefs or WellKnownCACertificates may be specified, not both. If an + * implementation does not support the WellKnownCACertificates field or the value + * supplied is not supported, the Status Conditions on the Policy MUST be + * updated to include an Accepted: False Condition with Reason: Invalid. + * * * Support: Implementation-specific */ wellKnownCACertificates?: pulumi.Input; } - /** - * SubjectAltName represents Subject Alternative Name. - */ - interface BackendTLSPolicySpecValidationSubjectAltNames { - /** - * Hostname contains Subject Alternative Name specified in DNS name format. - * Required when Type is set to Hostname, ignored otherwise. - * - * Support: Core - */ - hostname?: pulumi.Input; - /** - * Type determines the format of the Subject Alternative Name. Always required. - * - * Support: Core - */ - type?: pulumi.Input; - /** - * URI contains Subject Alternative Name specified in a full URI format. - * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - * Required when Type is set to URI, ignored otherwise. 
- * - * Support: Core - */ - uri?: pulumi.Input; - } - /** - * SubjectAltName represents Subject Alternative Name. - */ - interface BackendTLSPolicySpecValidationSubjectAltNamesPatch { - /** - * Hostname contains Subject Alternative Name specified in DNS name format. - * Required when Type is set to Hostname, ignored otherwise. - * - * Support: Core - */ - hostname?: pulumi.Input; - /** - * Type determines the format of the Subject Alternative Name. Always required. - * - * Support: Core - */ - type?: pulumi.Input; - /** - * URI contains Subject Alternative Name specified in a full URI format. - * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - * Required when Type is set to URI, ignored otherwise. - * - * Support: Core - */ - uri?: pulumi.Input; - } /** * Status defines the current state of BackendTLSPolicy. */ 
@@ -38220,22 +31245,27 @@ export declare namespace gateway { * the controller first sees the policy and SHOULD update the entry as * appropriate when the relevant ancestor is modified. * + * * Note that choosing the relevant ancestor is left to the Policy designers; * an important part of Policy design is designing the right object level at * which to namespace this status. * + * * Note also that implementations MUST ONLY populate ancestor status for * the Ancestor resources they are responsible for. Implementations MUST * use the ControllerName field to uniquely identify the entries in this list * that they are responsible for. * + * * Note that to achieve this, the list of PolicyAncestorStatus structs * MUST be treated as a map with a composite key, made up of the AncestorRef * and ControllerName fields combined. * + * * A maximum of 16 ancestors will be represented in this list. An empty list * means the Policy is not relevant for any ancestors. * + * * If this slice is full, implementations MUST NOT add further entries. * Instead they MUST consider the policy unimplementable and signal that * on any related resources such as the ancestor that would be referenced @@ -38249,6 +31279,7 @@ export declare namespace gateway { * PolicyAncestorStatus describes the status of a route with respect to an * associated Ancestor. * + * * Ancestors refer to objects that are either the Target of a policy or above it * in terms of object hierarchy. For example, if a policy targets a Service, the * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and 
@@ -38257,23 +31288,28 @@ export declare namespace gateway { * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers * have a _very_ good reason otherwise. * + * * In the context of policy attachment, the Ancestor is used to distinguish which * resource results in a distinct application of this policy. For example, if a policy * targets a Service, it may have a distinct result per attached Gateway. * + * * Policies targeting the same resource may have different effects depending on the * ancestors of those resources. For example, different Gateways targeting the same * Service may have different capabilities, especially if they have different underlying * implementations. * + * * For example, in BackendTLSPolicy, the Policy attaches to a Service that is * used as a backend in a HTTPRoute that is itself attached to a Gateway. * In this case, the relevant object for status is the Gateway, and that is the * ancestor object referred to in this status. * + * * Note that a parent is also an ancestor, so for objects where the parent is the * relevant object for status, this struct SHOULD still be used. * + * * This struct is intended to be used in a slice that's effectively a map, * with a composite key made up of the AncestorRef and the ControllerName. */ @@ -38288,12 +31324,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -38311,23 +31350,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -38335,6 +31379,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -38342,10 +31387,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -38353,6 +31400,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -38360,6 +31408,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -38369,15 +31418,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -38386,6 +31438,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -38393,6 +31446,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -38400,10 +31454,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -38413,12 +31469,29 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface BackendTLSPolicyStatusAncestorsConditions { /** 
@@ -38451,1004 +31524,13 @@ export declare namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } - /** - * The TLSRoute resource is similar to TCPRoute, but can be configured - * to match against TLS-specific metadata. This allows more flexibility - * in matching streams for a given TLS listener. - * - * If you need to forward traffic to a single target for a TLS listener, you - * could choose to use a TCPRoute with a TLS listener. - */ - interface TLSRoute { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind?: pulumi.Input<"TLSRoute">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata?: pulumi.Input; - spec?: pulumi.Input; - status?: pulumi.Input; - } - /** - * Spec defines the desired state of TLSRoute. - */ - interface TLSRouteSpec { - /** - * Hostnames defines a set of SNI hostnames that should match against the - * SNI attribute of TLS ClientHello message in TLS handshake. 
This matches - * the RFC 1123 definition of a hostname with 2 notable exceptions: - * - * 1. IPs are not allowed in SNI hostnames per RFC 6066. - * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - * label must appear by itself as the first label. - * - * If a hostname is specified by both the Listener and TLSRoute, there - * must be at least one intersecting hostname for the TLSRoute to be - * attached to the Listener. For example: - * - * * A Listener with `test.example.com` as the hostname matches TLSRoutes - * that have specified at least one of `test.example.com` or - * `*.example.com`. - * * A Listener with `*.example.com` as the hostname matches TLSRoutes - * that have specified at least one hostname that matches the Listener - * hostname. For example, `test.example.com` and `*.example.com` would both - * match. On the other hand, `example.com` and `test.example.net` would not - * match. - * - * If both the Listener and TLSRoute have specified hostnames, any - * TLSRoute hostnames that do not match the Listener hostname MUST be - * ignored. For example, if a Listener specified `*.example.com`, and the - * TLSRoute specified `test.example.com` and `test.example.net`, - * `test.example.net` must not be considered for a match. - * - * If both the Listener and TLSRoute have specified hostnames, and none - * match with the criteria above, then the TLSRoute is not accepted. The - * implementation must raise an 'Accepted' Condition with a status of - * `False` in the corresponding RouteParentStatus. - * - * Support: Core - */ - hostnames?: pulumi.Input[]>; - /** - * ParentRefs references the resources (usually Gateways) that a Route wants - * to be attached to. Note that the referenced parent resource needs to - * allow this for the attachment to be complete. For Gateways, that means - * the Gateway needs to allow attachment from Routes of this kind and - * namespace. 
For Services, that means the Service must either be in the same - * namespace for a "producer" route, or the mesh implementation must support - * and allow "consumer" routes for the referenced Service. ReferenceGrant is - * not applicable for governing ParentRefs to Services - it is not possible to - * create a "producer" route for a Service in a different namespace from the - * Route. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * This API may be extended in the future to support additional kinds of parent - * resources. - * - * ParentRefs must be _distinct_. This means either that: - * - * * They select different objects. If this is the case, then parentRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, `namespace`, and `name` must - * be unique across all parentRef entries in the Route. - * * They do not select different objects, but for each optional field used, - * each ParentRef that selects the same object must set the same set of - * optional fields to different values. If one ParentRef sets a - * combination of optional fields, all must set the same combination. - * - * Some examples: - * - * * If one ParentRef sets `sectionName`, all ParentRefs referencing the - * same object must also set `sectionName`. - * * If one ParentRef sets `port`, all ParentRefs referencing the same - * object must also set `port`. - * * If one ParentRef sets `sectionName` and `port`, all ParentRefs - * referencing the same object must also set `sectionName` and `port`. - * - * It is possible to separately reference multiple distinct objects that may - * be collapsed by an implementation. For example, some implementations may - * choose to merge compatible Gateway Listeners together. 
If that is the - * case, the list of routes attached to those resources should also be - * merged. - * - * Note that for ParentRefs that cross namespace boundaries, there are specific - * rules. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example, - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable other kinds of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - */ - parentRefs?: pulumi.Input[]>; - /** - * Rules are a list of actions. - */ - rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. 
- */ - useDefaultGateways?: pulumi.Input; - } - /** - * ParentReference identifies an API object (usually a Gateway) that can be considered - * a parent of this resource (usually a route). There are two kinds of parent resources - * with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * This API may be extended in the future to support additional kinds of parent - * resources. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - */ - interface TLSRouteSpecParentRefs { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. 
- * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. - * - * Support: Extended - */ - port?: pulumi.Input; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName?: pulumi.Input; - } - /** - * ParentReference identifies an API object (usually a Gateway) that can be considered - * a parent of this resource (usually a route). 
There are two kinds of parent resources - * with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * This API may be extended in the future to support additional kinds of parent - * resources. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - */ - interface TLSRouteSpecParentRefsPatch { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. 
- * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. 
- * - * Support: Extended - */ - port?: pulumi.Input; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName?: pulumi.Input; - } - /** - * Spec defines the desired state of TLSRoute. - */ - interface TLSRouteSpecPatch { - /** - * Hostnames defines a set of SNI hostnames that should match against the - * SNI attribute of TLS ClientHello message in TLS handshake. This matches - * the RFC 1123 definition of a hostname with 2 notable exceptions: - * - * 1. IPs are not allowed in SNI hostnames per RFC 6066. - * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - * label must appear by itself as the first label. 
- * - * If a hostname is specified by both the Listener and TLSRoute, there - * must be at least one intersecting hostname for the TLSRoute to be - * attached to the Listener. For example: - * - * * A Listener with `test.example.com` as the hostname matches TLSRoutes - * that have specified at least one of `test.example.com` or - * `*.example.com`. - * * A Listener with `*.example.com` as the hostname matches TLSRoutes - * that have specified at least one hostname that matches the Listener - * hostname. For example, `test.example.com` and `*.example.com` would both - * match. On the other hand, `example.com` and `test.example.net` would not - * match. - * - * If both the Listener and TLSRoute have specified hostnames, any - * TLSRoute hostnames that do not match the Listener hostname MUST be - * ignored. For example, if a Listener specified `*.example.com`, and the - * TLSRoute specified `test.example.com` and `test.example.net`, - * `test.example.net` must not be considered for a match. - * - * If both the Listener and TLSRoute have specified hostnames, and none - * match with the criteria above, then the TLSRoute is not accepted. The - * implementation must raise an 'Accepted' Condition with a status of - * `False` in the corresponding RouteParentStatus. - * - * Support: Core - */ - hostnames?: pulumi.Input[]>; - /** - * ParentRefs references the resources (usually Gateways) that a Route wants - * to be attached to. Note that the referenced parent resource needs to - * allow this for the attachment to be complete. For Gateways, that means - * the Gateway needs to allow attachment from Routes of this kind and - * namespace. For Services, that means the Service must either be in the same - * namespace for a "producer" route, or the mesh implementation must support - * and allow "consumer" routes for the referenced Service. 
ReferenceGrant is - * not applicable for governing ParentRefs to Services - it is not possible to - * create a "producer" route for a Service in a different namespace from the - * Route. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * This API may be extended in the future to support additional kinds of parent - * resources. - * - * ParentRefs must be _distinct_. This means either that: - * - * * They select different objects. If this is the case, then parentRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, `namespace`, and `name` must - * be unique across all parentRef entries in the Route. - * * They do not select different objects, but for each optional field used, - * each ParentRef that selects the same object must set the same set of - * optional fields to different values. If one ParentRef sets a - * combination of optional fields, all must set the same combination. - * - * Some examples: - * - * * If one ParentRef sets `sectionName`, all ParentRefs referencing the - * same object must also set `sectionName`. - * * If one ParentRef sets `port`, all ParentRefs referencing the same - * object must also set `port`. - * * If one ParentRef sets `sectionName` and `port`, all ParentRefs - * referencing the same object must also set `sectionName` and `port`. - * - * It is possible to separately reference multiple distinct objects that may - * be collapsed by an implementation. For example, some implementations may - * choose to merge compatible Gateway Listeners together. If that is the - * case, the list of routes attached to those resources should also be - * merged. - * - * Note that for ParentRefs that cross namespace boundaries, there are specific - * rules. 
Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example, - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable other kinds of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - */ - parentRefs?: pulumi.Input[]>; - /** - * Rules are a list of actions. - */ - rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; - } - /** - * TLSRouteRule is the configuration for a given rule. - */ - interface TLSRouteSpecRules { - /** - * BackendRefs defines the backend(s) where matching requests should be - * sent. 
If unspecified or invalid (refers to a nonexistent resource or - * a Service with no endpoints), the rule performs no forwarding; if no - * filters are specified that would result in a response being sent, the - * underlying implementation must actively reject request attempts to this - * backend, by rejecting the connection or returning a 500 status code. - * Request rejections must respect weight; if an invalid backend is - * requested to have 80% of requests, then 80% of requests must be rejected - * instead. - * - * Support: Core for Kubernetes Service - * - * Support: Extended for Kubernetes ServiceImport - * - * Support: Implementation-specific for any other resource - * - * Support for weight: Extended - */ - backendRefs?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; - } - /** - * BackendRef defines how a Route should forward a request to a Kubernetes - * resource. - * - * Note that when a namespace different than the local namespace is specified, a - * ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * - * When the BackendRef points to a Kubernetes Service, implementations SHOULD - * honor the appProtocol field if it is set for the target Service Port. - * - * Implementations supporting appProtocol SHOULD recognize the Kubernetes - * Standard Application Protocols defined in KEP-3726. - * - * If a Service appProtocol isn't specified, an implementation MAY infer the - * backend protocol through its own means. Implementations MAY infer the - * protocol from the Route type referring to the backend Service. - * - * If a Route is not able to send traffic to the backend using the specified - * protocol then the backend is considered invalid. 
Implementations MUST set the - * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - * - * - * Note that when the BackendTLSPolicy object is enabled by the implementation, - * there are some extra rules about validity to consider here. See the fields - * where this struct is used for more information about the exact behavior. - */ - interface TLSRouteSpecRulesBackendRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. 
- * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - /** - * Weight specifies the proportion of requests forwarded to the referenced - * backend. This is computed as weight/(sum of all weights in this - * BackendRefs list). For non-zero values, there may be some epsilon from - * the exact proportion defined here depending on the precision an - * implementation supports. Weight is not a percentage and the sum of - * weights does not need to equal 100. - * - * If only one backend is specified and it has a weight greater than 0, 100% - * of the traffic is forwarded to that backend. If weight is set to 0, no - * traffic should be forwarded for this entry. If unspecified, weight - * defaults to 1. - * - * Support for this field varies based on the context where used. - */ - weight?: pulumi.Input; - } - /** - * BackendRef defines how a Route should forward a request to a Kubernetes - * resource. - * - * Note that when a namespace different than the local namespace is specified, a - * ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * - * When the BackendRef points to a Kubernetes Service, implementations SHOULD - * honor the appProtocol field if it is set for the target Service Port. - * - * Implementations supporting appProtocol SHOULD recognize the Kubernetes - * Standard Application Protocols defined in KEP-3726. - * - * If a Service appProtocol isn't specified, an implementation MAY infer the - * backend protocol through its own means. Implementations MAY infer the - * protocol from the Route type referring to the backend Service. - * - * If a Route is not able to send traffic to the backend using the specified - * protocol then the backend is considered invalid. 
Implementations MUST set the - * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - * - * - * Note that when the BackendTLSPolicy object is enabled by the implementation, - * there are some extra rules about validity to consider here. See the fields - * where this struct is used for more information about the exact behavior. - */ - interface TLSRouteSpecRulesBackendRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. 
- * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - /** - * Weight specifies the proportion of requests forwarded to the referenced - * backend. This is computed as weight/(sum of all weights in this - * BackendRefs list). For non-zero values, there may be some epsilon from - * the exact proportion defined here depending on the precision an - * implementation supports. Weight is not a percentage and the sum of - * weights does not need to equal 100. - * - * If only one backend is specified and it has a weight greater than 0, 100% - * of the traffic is forwarded to that backend. If weight is set to 0, no - * traffic should be forwarded for this entry. If unspecified, weight - * defaults to 1. - * - * Support for this field varies based on the context where used. - */ - weight?: pulumi.Input; - } - /** - * TLSRouteRule is the configuration for a given rule. - */ - interface TLSRouteSpecRulesPatch { - /** - * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or - * a Service with no endpoints), the rule performs no forwarding; if no - * filters are specified that would result in a response being sent, the - * underlying implementation must actively reject request attempts to this - * backend, by rejecting the connection or returning a 500 status code. - * Request rejections must respect weight; if an invalid backend is - * requested to have 80% of requests, then 80% of requests must be rejected - * instead. - * - * Support: Core for Kubernetes Service - * - * Support: Extended for Kubernetes ServiceImport - * - * Support: Implementation-specific for any other resource - * - * Support for weight: Extended - */ - backendRefs?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
- * - * Support: Extended - */ - name?: pulumi.Input; - } - /** - * Status defines the current state of TLSRoute. - */ - interface TLSRouteStatus { - /** - * Parents is a list of parent resources (usually Gateways) that are - * associated with the route, and the status of the route with respect to - * each parent. When this route attaches to a parent, the controller that - * manages the parent must add an entry to this list when the controller - * first sees the route and should update the entry as appropriate when the - * route or gateway is modified. - * - * Note that parent references that cannot be resolved by an implementation - * of this API will not be added to this list. Implementations of this API - * can only populate Route status for the Gateways/parent resources they are - * responsible for. - * - * A maximum of 32 Gateways will be represented in this list. An empty list - * means the route has not been attached to any Gateway. - */ - parents?: pulumi.Input[]>; - } - /** - * RouteParentStatus describes the status of a route with respect to an - * associated Parent. - */ - interface TLSRouteStatusParents { - /** - * Conditions describes the status of the route with respect to the Gateway. - * Note that the route's availability is also subject to the Gateway's own - * status conditions and listener status. - * - * If the Route's ParentRef specifies an existing Gateway that supports - * Routes of this kind AND that Gateway's controller has sufficient access, - * then that Gateway's controller MUST set the "Accepted" condition on the - * Route, to indicate whether the route has been accepted or rejected by the - * Gateway, and why. - * - * A Route MUST be considered "Accepted" if at least one of the Route's - * rules is implemented by the Gateway. - * - * There are a number of cases where the "Accepted" condition may not be set - * due to lack of controller visibility, that includes when: - * - * * The Route refers to a nonexistent parent. 
- * * The Route is of a type that the controller does not support. - * * The Route is in a namespace the controller does not have access to. - */ - conditions?: pulumi.Input[]>; - /** - * ControllerName is a domain/path string that indicates the name of the - * controller that wrote this status. This corresponds with the - * controllerName field on GatewayClass. - * - * Example: "example.net/gateway-controller". - * - * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - * valid Kubernetes names - * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - * - * Controllers MUST populate this field when writing status. Controllers should ensure that - * entries to status populated with their ControllerName are cleaned up when they are no - * longer necessary. - */ - controllerName?: pulumi.Input; - parentRef?: pulumi.Input; - } - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - interface TLSRouteStatusParentsConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime?: pulumi.Input; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message?: pulumi.Input; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration?: pulumi.Input; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason?: pulumi.Input; - /** - * status of the condition, one of True, False, Unknown. - */ - status?: pulumi.Input; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type?: pulumi.Input; - } - /** - * ParentRef corresponds with a ParentRef in the spec that this - * RouteParentStatus struct describes the status of. - */ - interface TLSRouteStatusParentsParentRef { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. 
- * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. - * - * Support: Extended - */ - port?: pulumi.Input; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName?: pulumi.Input; - } } namespace v1beta1 { /** 
@@ -39475,6 +31557,7 @@ export declare namespace gateway { * GatewayClass describes a class of Gateways available to the user for creating * Gateway resources. * + * * It is recommended that this resource be used as a template for Gateways. This * means that a Gateway is based on the state of the GatewayClass at the time it * was created and changes to the GatewayClass or associated parameters are not @@ -39483,11 +31566,13 @@ export declare namespace gateway { * If implementations choose to propagate GatewayClass changes to existing * Gateways, that MUST be clearly documented by the implementation. * + * * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the * associated GatewayClass. This ensures that a GatewayClass associated with a * Gateway is not deleted while in use. * + * * GatewayClass is a Cluster level resource. */ interface GatewayClass { @@ -39514,10 +31599,13 @@ export declare namespace gateway { * ControllerName is the name of the controller that is managing Gateways of * this class. The value of this field MUST be a domain prefixed path. * + * * Example: "example.net/gateway-controller". * + * * This field is not mutable and cannot be empty. * + * * Support: Core */ controllerName?: pulumi.Input; 
@@ -39532,19 +31620,21 @@ export declare namespace gateway { * parameters corresponding to the GatewayClass. This is optional if the * controller does not require any additional configuration. * + * * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, * or an implementation-specific custom resource. The resource can be * cluster-scoped or namespace-scoped. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the GatewayClass SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. + * + * If the referent cannot be found, the GatewayClass's "InvalidParameters" + * status condition will be true. + * * * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * + * * Support: Implementation-specific */ interface GatewayClassSpecParametersRef { 
@@ -39572,19 +31662,21 @@ export declare namespace gateway { * parameters corresponding to the GatewayClass. This is optional if the * controller does not require any additional configuration. * + * * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, * or an implementation-specific custom resource. The resource can be * cluster-scoped or namespace-scoped. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the GatewayClass SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. + * + * If the referent cannot be found, the GatewayClass's "InvalidParameters" + * status condition will be true. + * * * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * + * * Support: Implementation-specific */ interface GatewayClassSpecParametersRefPatch { @@ -39615,10 +31707,13 @@ export declare namespace gateway { * ControllerName is the name of the controller that is managing Gateways of * this class. The value of this field MUST be a domain prefixed path. * + * * Example: "example.net/gateway-controller". * + * * This field is not mutable and cannot be empty. * + * * Support: Core */ controllerName?: pulumi.Input; @@ -39631,6 +31726,7 @@ export declare namespace gateway { /** * Status defines the current state of GatewayClass. * + * * Implementations MUST populate status on all GatewayClass resources which * specify their controller name. */ 
@@ -39639,18 +31735,35 @@ export declare namespace gateway { * Conditions is the current status from the controller for * this GatewayClass. * + * * Controllers should prefer to publish conditions using values * of GatewayClassConditionType for the type of each Condition. */ conditions?: pulumi.Input[]>; /** * SupportedFeatures is the set of features the GatewayClass support. - * It MUST be sorted in ascending alphabetical order by the Name key. + * It MUST be sorted in ascending alphabetical order. */ - supportedFeatures?: pulumi.Input[]>; + supportedFeatures?: pulumi.Input[]>; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayClassStatusConditions { /** @@ -39683,16 +31796,13 @@ export declare namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } - interface GatewayClassStatusSupportedFeatures { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. - */ - name?: pulumi.Input; - } /** * Spec defines the desired state of Gateway. */ 
@@ -39701,7 +31811,8 @@ export declare namespace gateway { * Addresses requested for this Gateway. This is optional and behavior can * depend on the implementation. If a value is set in the spec and the * requested address is invalid or unavailable, the implementation MUST - * indicate this in an associated entry in GatewayStatus.Conditions. + * indicate this in the associated entry in GatewayStatus.Addresses. + * * * The Addresses field represents a request for the address(es) on the * "outside of the Gateway", that traffic bound for this Gateway will use. 
@@ -39709,38 +31820,20 @@ export declare namespace gateway { * other networking infrastructure, or some other address that traffic will * be sent to. * + * * If no Addresses are specified, the implementation MAY schedule the * Gateway in an implementation-specific manner, assigning an appropriate * set of Addresses. * + * * The implementation MUST bind all Listeners to every GatewayAddress that * it assigns to the Gateway and add a corresponding entry in * GatewayStatus.Addresses. * + * * Support: Extended */ addresses?: pulumi.Input[]>; - allowedListeners?: pulumi.Input; - /** - * DefaultScope, when set, configures the Gateway as a default Gateway, - * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) - * attached to it, according to the scope configured here. - * - * If unset (the default) or set to None, the Gateway will not act as a - * default Gateway; if set, the Gateway will claim any Route with a - * matching scope set in its UseDefaultGateway field, subject to the usual - * rules about which routes the Gateway can attach to. - * - * Think carefully before using this functionality! While the normal rules - * about which Route can apply are still enforced, it is simply easier for - * the wrong Route to be accidentally attached to this Gateway in this - * configuration. If the Gateway operator is not also the operator in - * control of the scope (e.g. namespace) with tight controls and checks on - * what kind of workloads and Routes get added in that scope, we strongly - * recommend not using this just because it seems convenient, and instead - * stick to direct Route attachment. - */ - defaultScope?: pulumi.Input; /** * GatewayClassName used for this Gateway. This is the name of a * GatewayClass resource. 
@@ -39752,7 +31845,6 @@ export declare namespace gateway { * logical endpoints that are bound on this Gateway's addresses. * At least one Listener MUST be specified. * - * ## Distinct Listeners * * Each Listener in a set of Listeners (for example, in a single Gateway) * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to 
@@ -39761,107 +31853,97 @@ export declare namespace gateway { * from multiple Gateways onto a single data plane, and these rules _also_ * apply in that case). * + * * Practically, this means that each listener in a set MUST have a unique * combination of Port, Protocol, and, if supported by the protocol, Hostname. * - * Some combinations of port, protocol, and TLS settings are considered - * Core support and MUST be supported by implementations based on the objects - * they support: * - * HTTPRoute + * Some combinations of port, protocol, and TLS settings are considered + * Core support and MUST be supported by implementations based on their + * targeted conformance profile: + * + * + * HTTP Profile + * * * 1. HTTPRoute, Port: 80, Protocol: HTTP * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided * - * TLSRoute + * + * TLS Profile + * * * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough * + * * "Distinct" Listeners have the following property: * - * **The implementation can match inbound requests to a single distinct - * Listener**. * - * When multiple Listeners share values for fields (for + * The implementation can match inbound requests to a single distinct + * Listener. When multiple Listeners share values for fields (for * example, two Listeners with the same Port value), the implementation * can match requests to only one of the Listeners using other * Listener fields. * - * When multiple listeners have the same value for the Protocol field, then - * each of the Listeners with matching Protocol values MUST have different - * values for other fields. * - * The set of fields that MUST be different for a Listener differs per protocol. - * The following rules define the rules for what fields MUST be considered for - * Listeners to be distinct with each protocol currently defined in the - * Gateway API spec. 
+ * For example, the following Listener scenarios are distinct: * - * The set of listeners that all share a protocol value MUST have _different_ - * values for _at least one_ of these fields to be distinct: * - * * **HTTP, HTTPS, TLS**: Port, Hostname - * * **TCP, UDP**: Port + * 1. Multiple Listeners with the same Port that all use the "HTTP" + * Protocol that all have unique Hostname values. + * 2. Multiple Listeners with the same Port that use either the "HTTPS" or + * "TLS" Protocol that all have unique Hostname values. + * 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + * with the same Protocol has the same Port value. * - * One **very** important rule to call out involves what happens when an - * implementation: * - * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - * Listeners, and - * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - * Protocol. + * Some fields in the Listener struct have possible values that affect + * whether the Listener is distinct. Hostname is particularly relevant + * for HTTP or HTTPS protocols. * - * In this case all the Listeners that share a port with the - * TCP Listener are not distinct and so MUST NOT be accepted. * - * If an implementation does not support TCP Protocol Listeners, then the - * previous rule does not apply, and the TCP Listeners SHOULD NOT be - * accepted. + * When using the Hostname value to select between same-Port, same-Protocol + * Listeners, the Hostname value must be different on each Listener for the + * Listener to be distinct. * - * Note that the `tls` field is not used for determining if a listener is distinct, because - * Listeners that _only_ differ on TLS config will still conflict in all cases. 
* - * ### Listeners that are distinct only by Hostname - * - * When the Listeners are distinct based only on Hostname, inbound request + * When the Listeners are distinct based on Hostname, inbound request * hostnames MUST match from the most specific to least specific Hostname * values to choose the correct Listener and its associated set of Routes. * - * Exact matches MUST be processed before wildcard matches, and wildcard - * matches MUST be processed before fallback (empty Hostname value) + * + * Exact matches must be processed before wildcard matches, and wildcard + * matches must be processed before fallback (empty Hostname value) * matches. For example, `"foo.example.com"` takes precedence over * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. * + * * Additionally, if there are multiple wildcard entries, more specific * wildcard entries must be processed before less specific wildcard entries. * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. - * * The precise definition here is that the higher the number of dots in the * hostname to the right of the wildcard character, the higher the precedence. * + * * The wildcard character will match any number of characters _and dots_ to * the left, however, so `"*.example.com"` will match both * `"foo.bar.example.com"` _and_ `"bar.example.com"`. * - * ## Handling indistinct Listeners * * If a set of Listeners contains Listeners that are not distinct, then those - * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + * Listeners are Conflicted, and the implementation MUST set the "Conflicted" * condition in the Listener Status to "True". * - * The words "indistinct" and "conflicted" are considered equivalent for the - * purpose of this documentation. * * Implementations MAY choose to accept a Gateway with some Conflicted * Listeners only if they only accept the partial Listener set that contains - * no Conflicted Listeners. 
+ * no Conflicted Listeners. To put this another way, implementations may + * accept a partial Listener set only if they throw out *all* the conflicting + * Listeners. No picking one of the conflicting listeners as the winner. + * This also means that the Gateway must have at least one non-conflicting + * Listener in this case, otherwise it violates the requirement that at + * least one Listener must be present. * - * Specifically, an implementation MAY accept a partial Listener set subject to - * the following rules: - * - * * The implementation MUST NOT pick one conflicting Listener as the winner. - * ALL indistinct Listeners must not be accepted for processing. - * * At least one distinct Listener MUST be present, or else the Gateway effectively - * contains _no_ Listeners, and must be rejected from processing as a whole. * * The implementation MUST set a "ListenersNotValid" condition on the * Gateway Status when the Gateway contains Conflicted Listeners whether or 
@@ -39870,51 +31952,44 @@ export declare namespace gateway { * Accepted. Additionally, the Listener status for those listeners SHOULD * indicate which Listeners are conflicted and not Accepted. * - * ## General Listener behavior * - * Note that, for all distinct Listeners, requests SHOULD match at most one Listener. - * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - * request to "foo.example.com" SHOULD only be routed using routes attached - * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * A Gateway's Listeners are considered "compatible" if: * - * This concept is known as "Listener Isolation", and it is an Extended feature - * of Gateway API. Implementations that do not support Listener Isolation MUST - * clearly document this, and MUST NOT claim support for the - * `GatewayHTTPListenerIsolation` feature. - * - * Implementations that _do_ support Listener Isolation SHOULD claim support - * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - * conformance tests. - * - * ## Compatible Listeners - * - * A Gateway's Listeners are considered _compatible_ if: * * 1. They are distinct. * 2. The implementation can serve them in compliance with the Addresses * requirement that all Listeners are available on all assigned * addresses. * + * * Compatible combinations in Extended support are expected to vary across * implementations. A combination that is compatible for one implementation * may not be compatible for another. * + * * For example, an implementation that cannot serve both TCP and UDP listeners * on the same address, or cannot mix HTTPS and generic TLS listens on the same port * would not consider those cases compatible, even though they are distinct. * + * + * Note that requests SHOULD match at most one Listener. 
For example, if + * Listeners are defined for "foo.example.com" and "*.example.com", a + * request to "foo.example.com" SHOULD only be routed using routes attached + * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * This concept is known as "Listener Isolation". Implementations that do + * not support Listener Isolation MUST clearly document this. + * + * * Implementations MAY merge separate Gateways onto a single set of * Addresses if all Listeners across all Gateways are compatible. * - * In a future release the MinItems=1 requirement MAY be dropped. * * Support: Core */ listeners?: pulumi.Input[]>; - tls?: pulumi.Input; } /** - * GatewaySpecAddress describes an address that can be bound to a Gateway. + * GatewayAddress describes an address that can be bound to a Gateway. */ interface GatewaySpecAddresses { /** @@ -39922,18 +31997,16 @@ export declare namespace gateway { */ type?: pulumi.Input; /** - * When a value is unspecified, an implementation SHOULD automatically - * assign an address matching the requested type if possible. + * Value of the address. The validity of the values will depend + * on the type and support by the controller. * - * If an implementation does not support an empty value, they MUST set the - * "Programmed" condition in status to False with a reason of "AddressNotAssigned". * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value?: pulumi.Input; } /** - * GatewaySpecAddress describes an address that can be bound to a Gateway. + * GatewayAddress describes an address that can be bound to a Gateway. */ interface GatewaySpecAddressesPatch { /** 
@@ -39941,164 +32014,32 @@ export declare namespace gateway { */ type?: pulumi.Input; /** - * When a value is unspecified, an implementation SHOULD automatically - * assign an address matching the requested type if possible. + * Value of the address. The validity of the values will depend + * on the type and support by the controller. * - * If an implementation does not support an empty value, they MUST set the - * "Programmed" condition in status to False with a reason of "AddressNotAssigned". * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value?: pulumi.Input; } - /** - * AllowedListeners defines which ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - interface GatewaySpecAllowedListeners { - namespaces?: pulumi.Input; - } - /** - * Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - interface GatewaySpecAllowedListenersNamespaces { - /** - * From indicates where ListenerSets can attach to this Gateway. Possible - * values are: - * - * * Same: Only ListenerSets in the same namespace may be attached to this Gateway. - * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. - * * All: ListenerSets in all namespaces may be attached to this Gateway. - * * None: Only listeners defined in the Gateway's spec are allowed - * - * While this feature is experimental, the default value None - */ - from?: pulumi.Input; - selector?: pulumi.Input; - } - /** - * Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - interface GatewaySpecAllowedListenersNamespacesPatch { - /** - * From indicates where ListenerSets can attach to this Gateway. 
Possible - * values are: - * - * * Same: Only ListenerSets in the same namespace may be attached to this Gateway. - * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. - * * All: ListenerSets in all namespaces may be attached to this Gateway. - * * None: Only listeners defined in the Gateway's spec are allowed - * - * While this feature is experimental, the default value None - */ - from?: pulumi.Input; - selector?: pulumi.Input; - } - /** - * Selector must be specified when From is set to "Selector". In that case, - * only ListenerSets in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - */ - interface GatewaySpecAllowedListenersNamespacesSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. 
- */ - values?: pulumi.Input[]>; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - /** - * Selector must be specified when From is set to "Selector". In that case, - * only ListenerSets in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - */ - interface GatewaySpecAllowedListenersNamespacesSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{ - [key: string]: pulumi.Input; - }>; - } - /** - * AllowedListeners defines which ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - interface GatewaySpecAllowedListenersPatch { - namespaces?: pulumi.Input; - } /** * Infrastructure defines infrastructure level attributes about this Gateway instance. 
* - * Support: Extended + * + * Support: Core */ interface GatewaySpecInfrastructure { /** * Annotations that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. * + * * An implementation may chose to add additional implementation-specific annotations as they see fit. * + * * Support: Extended */ annotations?: pulumi.Input<{ @@ -40107,13 +32048,13 @@ export declare namespace gateway { /** * Labels that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. * For other implementations, this refers to any relevant (implementation specific) "labels" concepts. * + * * An implementation may chose to add additional implementation-specific labels as they see fit. * - * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - * change, it SHOULD clearly warn about this behavior in documentation. * * Support: Extended */ 
@@ -40127,16 +32068,14 @@ export declare namespace gateway { * parameters corresponding to the Gateway. This is optional if the * controller does not require any additional configuration. * + * * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis * + * * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Gateway SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. * * Support: Implementation-specific */ @@ -40159,16 +32098,14 @@ export declare namespace gateway { * parameters corresponding to the Gateway. This is optional if the * controller does not require any additional configuration. * + * * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis * + * * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Gateway SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. * * Support: Implementation-specific */ 
@@ -40189,17 +32126,21 @@ export declare namespace gateway { /** * Infrastructure defines infrastructure level attributes about this Gateway instance. * - * Support: Extended + * + * Support: Core */ interface GatewaySpecInfrastructurePatch { /** * Annotations that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. * + * * An implementation may chose to add additional implementation-specific annotations as they see fit. * + * * Support: Extended */ annotations?: pulumi.Input<{ @@ -40208,13 +32149,13 @@ export declare namespace gateway { /** * Labels that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. * For other implementations, this refers to any relevant (implementation specific) "labels" concepts. * + * * An implementation may chose to add additional implementation-specific labels as they see fit. * - * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - * change, it SHOULD clearly warn about this behavior in documentation. * * Support: Extended */ 
@@ -40235,36 +32176,18 @@ export declare namespace gateway { * field is ignored for protocols that don't require hostname based * matching. * + * * Implementations MUST apply Hostname matching appropriately for each of * the following protocols: * + * * * TLS: The Listener Hostname MUST match the SNI. * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - * Note that this does not require the SNI and Host header to be the same. - * The semantics of this are described in more detail below. + * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + * protocol layers as described above. If an implementation does not + * ensure that both the SNI and Host header match the Listener hostname, + * it MUST clearly document that. * - * To ensure security, Section 11.1 of RFC-6066 emphasizes that server - * implementations that rely on SNI hostname matching MUST also verify - * hostnames within the application protocol. - * - * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - * reuse of a connection by responding with the HTTP 421 Misdirected Request - * status code. This indicates that the origin server has rejected the - * request because it appears to have been misdirected. - * - * To detect misdirected requests, Gateways SHOULD match the authority of - * the requests with all the SNI hostname(s) configured across all the - * Gateway Listeners on the same port and protocol: - * - * * If another Listener has an exact match or more specific wildcard entry, - * the Gateway SHOULD return a 421. - * * If the current Listener (selected by SNI matching during ClientHello) - * does not match the Host: - * * If another Listener does match the Host the Gateway SHOULD return a - * 421. - * * If no other Listener matches the Host, the Gateway MUST return a - * 404. 
* * For HTTPRoute and TLSRoute resources, there is an interaction with the * `spec.hostnames` array. When both listener and route specify hostnames, @@ -40272,10 +32195,12 @@ export declare namespace gateway { * accepted. For more information, refer to the Route specific Hostnames * documentation. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * Support: Core */ hostname?: pulumi.Input; @@ -40283,6 +32208,7 @@ export declare namespace gateway { * Name is the name of the Listener. This name MUST be unique within a * Gateway. * + * * Support: Core */ name?: pulumi.Input; @@ -40290,12 +32216,14 @@ export declare namespace gateway { * Port is the network port. Multiple listeners may use the * same port, subject to the Listener compatibility rules. * + * * Support: Core */ port?: pulumi.Input; /** * Protocol specifies the network protocol this listener expects to receive. * + * * Support: Core */ protocol?: pulumi.Input; @@ -40306,10 +32234,12 @@ export declare namespace gateway { * Listener and the trusted namespaces where those Route resources MAY be * present. * + * * Although a client request may match multiple route rules, only one rule * may ultimately receive the request. Matching precedence MUST be * determined in order of the following criteria: * + * * * The most specific match as defined by the Route type. * * The oldest Route based on creation timestamp. For example, a Route with * a creation timestamp of "2020-09-08 01:02:03" is given precedence over 
@@ -40318,6 +32248,7 @@ export declare namespace gateway { * alphabetical order (namespace/name) should be given precedence. For * example, foo/bar is given precedence over foo/baz. * + * * All valid rules within a Route attached to this Listener should be * implemented. Invalid Route rules can be ignored (sometimes that will mean * the full Route). If a Route rule transitions from valid to invalid, @@ -40325,6 +32256,7 @@ export declare namespace gateway { * example, even if a filter specified by a Route rule is invalid, the rest * of the rules within that Route should still be supported. * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutes { @@ -40333,12 +32265,14 @@ export declare namespace gateway { * to this Gateway Listener. When unspecified or empty, the kinds of Routes * selected are determined using the Listener protocol. * + * * A RouteGroupKind MUST correspond to kinds of Routes that are compatible * with the application protocol specified in the Listener's Protocol field. * If an implementation does not support or recognize this resource type, it * MUST set the "ResolvedRefs" condition to False for this Listener with the * "InvalidRouteKinds" reason. * + * * Support: Core */ kinds?: pulumi.Input[]>; @@ -40374,6 +32308,7 @@ export declare namespace gateway { * Namespaces indicates namespaces from which Routes may be attached to this * Listener. This is restricted to the namespace of this Gateway by default. * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesNamespaces { @@ -40381,11 +32316,13 @@ export declare namespace gateway { * From indicates where Routes will be selected for this Gateway. Possible * values are: * + * * * All: Routes in all namespaces may be used by this Gateway. * * Selector: Routes in namespaces selected by the selector may be used by * this Gateway. * * Same: Only Routes in the same namespace may be used by this Gateway. * + * * Support: Core */ from?: pulumi.Input; 
@@ -40395,6 +32332,7 @@ export declare namespace gateway { * Namespaces indicates namespaces from which Routes may be attached to this * Listener. This is restricted to the namespace of this Gateway by default. * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesNamespacesPatch { @@ -40402,11 +32340,13 @@ export declare namespace gateway { * From indicates where Routes will be selected for this Gateway. Possible * values are: * + * * * All: Routes in all namespaces may be used by this Gateway. * * Selector: Routes in namespaces selected by the selector may be used by * this Gateway. * * Same: Only Routes in the same namespace may be used by this Gateway. * + * * Support: Core */ from?: pulumi.Input; @@ -40417,6 +32357,7 @@ export declare namespace gateway { * only Routes in Namespaces matching this Selector will be selected by this * Gateway. This field is ignored for other values of "From". * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesNamespacesSelector { @@ -40482,6 +32423,7 @@ export declare namespace gateway { * only Routes in Namespaces matching this Selector will be selected by this * Gateway. This field is ignored for other values of "From". * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch { @@ -40503,10 +32445,12 @@ export declare namespace gateway { * Listener and the trusted namespaces where those Route resources MAY be * present. * + * * Although a client request may match multiple route rules, only one rule * may ultimately receive the request. Matching precedence MUST be * determined in order of the following criteria: * + * * * The most specific match as defined by the Route type. * * The oldest Route based on creation timestamp. For example, a Route with * a creation timestamp of "2020-09-08 01:02:03" is given precedence over 
@@ -40515,6 +32459,7 @@ export declare namespace gateway { * alphabetical order (namespace/name) should be given precedence. For * example, foo/bar is given precedence over foo/baz. * + * * All valid rules within a Route attached to this Listener should be * implemented. Invalid Route rules can be ignored (sometimes that will mean * the full Route). If a Route rule transitions from valid to invalid, @@ -40522,6 +32467,7 @@ export declare namespace gateway { * example, even if a filter specified by a Route rule is invalid, the rest * of the rules within that Route should still be supported. * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesPatch { @@ -40530,12 +32476,14 @@ export declare namespace gateway { * to this Gateway Listener. When unspecified or empty, the kinds of Routes * selected are determined using the Listener protocol. * + * * A RouteGroupKind MUST correspond to kinds of Routes that are compatible * with the application protocol specified in the Listener's Protocol field. * If an implementation does not support or recognize this resource type, it * MUST set the "ResolvedRefs" condition to False for this Listener with the * "InvalidRouteKinds" reason. * + * * Support: Core */ kinds?: pulumi.Input[]>; 
@@ -40553,36 +32501,18 @@ export declare namespace gateway { * field is ignored for protocols that don't require hostname based * matching. * + * * Implementations MUST apply Hostname matching appropriately for each of * the following protocols: * + * * * TLS: The Listener Hostname MUST match the SNI. * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - * Note that this does not require the SNI and Host header to be the same. - * The semantics of this are described in more detail below. + * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + * protocol layers as described above. If an implementation does not + * ensure that both the SNI and Host header match the Listener hostname, + * it MUST clearly document that. * - * To ensure security, Section 11.1 of RFC-6066 emphasizes that server - * implementations that rely on SNI hostname matching MUST also verify - * hostnames within the application protocol. - * - * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - * reuse of a connection by responding with the HTTP 421 Misdirected Request - * status code. This indicates that the origin server has rejected the - * request because it appears to have been misdirected. - * - * To detect misdirected requests, Gateways SHOULD match the authority of - * the requests with all the SNI hostname(s) configured across all the - * Gateway Listeners on the same port and protocol: - * - * * If another Listener has an exact match or more specific wildcard entry, - * the Gateway SHOULD return a 421. - * * If the current Listener (selected by SNI matching during ClientHello) - * does not match the Host: - * * If another Listener does match the Host the Gateway SHOULD return a - * 421. - * * If no other Listener matches the Host, the Gateway MUST return a - * 404. 
* * For HTTPRoute and TLSRoute resources, there is an interaction with the * `spec.hostnames` array. When both listener and route specify hostnames, @@ -40590,10 +32520,12 @@ export declare namespace gateway { * accepted. For more information, refer to the Route specific Hostnames * documentation. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * Support: Core */ hostname?: pulumi.Input; @@ -40601,6 +32533,7 @@ export declare namespace gateway { * Name is the name of the Listener. This name MUST be unique within a * Gateway. * + * * Support: Core */ name?: pulumi.Input; @@ -40608,12 +32541,14 @@ export declare namespace gateway { * Port is the network port. Multiple listeners may use the * same port, subject to the Listener compatibility rules. * + * * Support: Core */ port?: pulumi.Input; /** * Protocol specifies the network protocol this listener expects to receive. * + * * Support: Core */ protocol?: pulumi.Input; @@ -40624,12 +32559,15 @@ export declare namespace gateway { * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field * if the Protocol field is "HTTP", "TCP", or "UDP". * - * The association of SNIs to Certificate defined in ListenerTLSConfig is + * + * The association of SNIs to Certificate defined in GatewayTLSConfig is * defined based on the Hostname field for this listener. * + * * The GatewayClass MUST use the longest matching SNI out of all * available certificates for any TLS handshake. * + * * Support: Core */ interface GatewaySpecListenersTls { 
@@ -40639,31 +32577,39 @@ export declare namespace gateway { * establish a TLS handshake for requests that match the hostname of the * associated listener. * + * * A single CertificateRef to a Kubernetes Secret has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a Listener, but this behavior is implementation-specific. * + * * References to a resource in different namespace are invalid UNLESS there * is a ReferenceGrant in the target namespace that allows the certificate * to be attached. If a ReferenceGrant does not allow this reference, the * "ResolvedRefs" condition MUST be set to False for this listener with the * "RefNotPermitted" reason. * + * * This field is required to have at least one element when the mode is set * to "Terminate" (default) and is optional otherwise. * + * * CertificateRefs can reference to standard Kubernetes resources, i.e. * Secret, or implementation-specific custom resources. * + * * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls * + * * Support: Implementation-specific (More than one reference or other resource types) */ certificateRefs?: pulumi.Input[]>; + frontendValidation?: pulumi.Input; /** * Mode defines the TLS behavior for the TLS session initiated by the client. * There are two possible modes: * + * * - Terminate: The TLS session between the downstream client and the * Gateway is terminated at the Gateway. This mode requires certificates * to be specified in some way, such as populating the certificateRefs @@ -40673,6 +32619,7 @@ export declare namespace gateway { * the ClientHello message of the TLS protocol. The certificateRefs field * is ignored in this mode. * + * * Support: Core */ mode?: pulumi.Input; 
@@ -40681,11 +32628,13 @@ export declare namespace gateway { * configuration for each implementation. For example, configuring the * minimum TLS version or supported cipher suites. * + * * A set of common keys MAY be defined by the API in the future. To avoid * any ambiguity, implementation-specific definitions MUST use * domain-prefixed names, such as `example.com/my-custom-option`. * Un-prefixed names are reserved for key names defined by Gateway API. * + * * Support: Implementation-specific */ options?: pulumi.Input<{ @@ -40696,9 +32645,11 @@ export declare namespace gateway { * SecretObjectReference identifies an API object including its namespace, * defaulting to Secret. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. @@ -40721,11 +32672,13 @@ export declare namespace gateway { * Namespace is the namespace of the referenced object. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -40734,9 +32687,11 @@ export declare namespace gateway { * SecretObjectReference identifies an API object including its namespace, * defaulting to Secret. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. 
@@ -40759,26 +32714,193 @@ export declare namespace gateway { * Namespace is the namespace of the referenced object. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; } + /** + * FrontendValidation holds configuration information for validating the frontend (client). + * Setting this field will require clients to send a client certificate + * required for validation during the TLS handshake. In browsers this may result in a dialog appearing + * that requests a user to specify the client certificate. + * The maximum depth of a certificate chain accepted in verification is Implementation specific. + * + * + * Support: Extended + */ + interface GatewaySpecListenersTlsFrontendValidation { + /** + * CACertificateRefs contains one or more references to + * Kubernetes objects that contain TLS certificates of + * the Certificate Authorities that can be used + * as a trust anchor to validate the certificates presented by the client. + * + * + * A single CA certificate reference to a Kubernetes ConfigMap + * has "Core" support. + * Implementations MAY choose to support attaching multiple CA certificates to + * a Listener, but this behavior is implementation-specific. + * + * + * Support: Core - A single reference to a Kubernetes ConfigMap + * with the CA certificate in a key named `ca.crt`. + * + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). + * + * + * References to a resource in a different namespace are invalid UNLESS there + * is a ReferenceGrant in the target namespace that allows the certificate + * to be attached. 
If a ReferenceGrant does not allow this reference, the + * "ResolvedRefs" condition MUST be set to False for this listener with the + * "RefNotPermitted" reason. + */ + caCertificateRefs?: pulumi.Input[]>; + } + /** + * ObjectReference identifies an API object including its namespace. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + * + * + * References to objects with invalid Group and Kind are not valid, and must + * be rejected by the implementation, with appropriate Conditions set + * on the containing object. + */ + interface GatewaySpecListenersTlsFrontendValidationCaCertificateRefs { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. For example "ConfigMap" or "Service". + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the referenced object. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace?: pulumi.Input; + } + /** + * ObjectReference identifies an API object including its namespace. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + * + * + * References to objects with invalid Group and Kind are not valid, and must + * be rejected by the implementation, with appropriate Conditions set + * on the containing object. 
+ */ + interface GatewaySpecListenersTlsFrontendValidationCaCertificateRefsPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. For example "ConfigMap" or "Service". + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the referenced object. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace?: pulumi.Input; + } + /** + * FrontendValidation holds configuration information for validating the frontend (client). + * Setting this field will require clients to send a client certificate + * required for validation during the TLS handshake. In browsers this may result in a dialog appearing + * that requests a user to specify the client certificate. + * The maximum depth of a certificate chain accepted in verification is Implementation specific. + * + * + * Support: Extended + */ + interface GatewaySpecListenersTlsFrontendValidationPatch { + /** + * CACertificateRefs contains one or more references to + * Kubernetes objects that contain TLS certificates of + * the Certificate Authorities that can be used + * as a trust anchor to validate the certificates presented by the client. + * + * + * A single CA certificate reference to a Kubernetes ConfigMap + * has "Core" support. + * Implementations MAY choose to support attaching multiple CA certificates to + * a Listener, but this behavior is implementation-specific. 
+ * + * + * Support: Core - A single reference to a Kubernetes ConfigMap + * with the CA certificate in a key named `ca.crt`. + * + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). + * + * + * References to a resource in a different namespace are invalid UNLESS there + * is a ReferenceGrant in the target namespace that allows the certificate + * to be attached. If a ReferenceGrant does not allow this reference, the + * "ResolvedRefs" condition MUST be set to False for this listener with the + * "RefNotPermitted" reason. + */ + caCertificateRefs?: pulumi.Input[]>; + } /** * TLS is the TLS configuration for the Listener. This field is required if * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field * if the Protocol field is "HTTP", "TCP", or "UDP". * - * The association of SNIs to Certificate defined in ListenerTLSConfig is + * + * The association of SNIs to Certificate defined in GatewayTLSConfig is * defined based on the Hostname field for this listener. * + * * The GatewayClass MUST use the longest matching SNI out of all * available certificates for any TLS handshake. * + * * Support: Core */ interface GatewaySpecListenersTlsPatch { 
@@ -40788,31 +32910,39 @@ export declare namespace gateway { * establish a TLS handshake for requests that match the hostname of the * associated listener. * + * * A single CertificateRef to a Kubernetes Secret has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a Listener, but this behavior is implementation-specific. * + * * References to a resource in different namespace are invalid UNLESS there * is a ReferenceGrant in the target namespace that allows the certificate * to be attached. If a ReferenceGrant does not allow this reference, the * "ResolvedRefs" condition MUST be set to False for this listener with the * "RefNotPermitted" reason. * + * * This field is required to have at least one element when the mode is set * to "Terminate" (default) and is optional otherwise. * + * * CertificateRefs can reference to standard Kubernetes resources, i.e. * Secret, or implementation-specific custom resources. * + * * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls * + * * Support: Implementation-specific (More than one reference or other resource types) */ certificateRefs?: pulumi.Input[]>; + frontendValidation?: pulumi.Input; /** * Mode defines the TLS behavior for the TLS session initiated by the client. * There are two possible modes: * + * * - Terminate: The TLS session between the downstream client and the * Gateway is terminated at the Gateway. This mode requires certificates * to be specified in some way, such as populating the certificateRefs @@ -40822,6 +32952,7 @@ export declare namespace gateway { * the ClientHello message of the TLS protocol. The certificateRefs field * is ignored in this mode. * + * * Support: Core */ mode?: pulumi.Input; 
@@ -40830,11 +32961,13 @@ export declare namespace gateway { * configuration for each implementation. For example, configuring the * minimum TLS version or supported cipher suites. * + * * A set of common keys MAY be defined by the API in the future. To avoid * any ambiguity, implementation-specific definitions MUST use * domain-prefixed names, such as `example.com/my-custom-option`. * Un-prefixed names are reserved for key names defined by Gateway API. * + * * Support: Implementation-specific */ options?: pulumi.Input<{ @@ -40849,7 +32982,8 @@ export declare namespace gateway { * Addresses requested for this Gateway. This is optional and behavior can * depend on the implementation. If a value is set in the spec and the * requested address is invalid or unavailable, the implementation MUST - * indicate this in an associated entry in GatewayStatus.Conditions. + * indicate this in the associated entry in GatewayStatus.Addresses. + * * * The Addresses field represents a request for the address(es) on the * "outside of the Gateway", that traffic bound for this Gateway will use. 
@@ -40857,38 +32991,20 @@ export declare namespace gateway { * other networking infrastructure, or some other address that traffic will * be sent to. * + * * If no Addresses are specified, the implementation MAY schedule the * Gateway in an implementation-specific manner, assigning an appropriate * set of Addresses. * + * * The implementation MUST bind all Listeners to every GatewayAddress that * it assigns to the Gateway and add a corresponding entry in * GatewayStatus.Addresses. * + * * Support: Extended */ addresses?: pulumi.Input[]>; - allowedListeners?: pulumi.Input; - /** - * DefaultScope, when set, configures the Gateway as a default Gateway, - * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) - * attached to it, according to the scope configured here. - * - * If unset (the default) or set to None, the Gateway will not act as a - * default Gateway; if set, the Gateway will claim any Route with a - * matching scope set in its UseDefaultGateway field, subject to the usual - * rules about which routes the Gateway can attach to. - * - * Think carefully before using this functionality! While the normal rules - * about which Route can apply are still enforced, it is simply easier for - * the wrong Route to be accidentally attached to this Gateway in this - * configuration. If the Gateway operator is not also the operator in - * control of the scope (e.g. namespace) with tight controls and checks on - * what kind of workloads and Routes get added in that scope, we strongly - * recommend not using this just because it seems convenient, and instead - * stick to direct Route attachment. - */ - defaultScope?: pulumi.Input; /** * GatewayClassName used for this Gateway. This is the name of a * GatewayClass resource. 
@@ -40900,7 +33016,6 @@ export declare namespace gateway { * logical endpoints that are bound on this Gateway's addresses. * At least one Listener MUST be specified. * - * ## Distinct Listeners * * Each Listener in a set of Listeners (for example, in a single Gateway) * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to 
@@ -40909,107 +33024,97 @@ export declare namespace gateway { * from multiple Gateways onto a single data plane, and these rules _also_ * apply in that case). * + * * Practically, this means that each listener in a set MUST have a unique * combination of Port, Protocol, and, if supported by the protocol, Hostname. * - * Some combinations of port, protocol, and TLS settings are considered - * Core support and MUST be supported by implementations based on the objects - * they support: * - * HTTPRoute + * Some combinations of port, protocol, and TLS settings are considered + * Core support and MUST be supported by implementations based on their + * targeted conformance profile: + * + * + * HTTP Profile + * * * 1. HTTPRoute, Port: 80, Protocol: HTTP * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided * - * TLSRoute + * + * TLS Profile + * * * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough * + * * "Distinct" Listeners have the following property: * - * **The implementation can match inbound requests to a single distinct - * Listener**. * - * When multiple Listeners share values for fields (for + * The implementation can match inbound requests to a single distinct + * Listener. When multiple Listeners share values for fields (for * example, two Listeners with the same Port value), the implementation * can match requests to only one of the Listeners using other * Listener fields. * - * When multiple listeners have the same value for the Protocol field, then - * each of the Listeners with matching Protocol values MUST have different - * values for other fields. * - * The set of fields that MUST be different for a Listener differs per protocol. - * The following rules define the rules for what fields MUST be considered for - * Listeners to be distinct with each protocol currently defined in the - * Gateway API spec. 
+ * For example, the following Listener scenarios are distinct: * - * The set of listeners that all share a protocol value MUST have _different_ - * values for _at least one_ of these fields to be distinct: * - * * **HTTP, HTTPS, TLS**: Port, Hostname - * * **TCP, UDP**: Port + * 1. Multiple Listeners with the same Port that all use the "HTTP" + * Protocol that all have unique Hostname values. + * 2. Multiple Listeners with the same Port that use either the "HTTPS" or + * "TLS" Protocol that all have unique Hostname values. + * 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + * with the same Protocol has the same Port value. * - * One **very** important rule to call out involves what happens when an - * implementation: * - * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - * Listeners, and - * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - * Protocol. + * Some fields in the Listener struct have possible values that affect + * whether the Listener is distinct. Hostname is particularly relevant + * for HTTP or HTTPS protocols. * - * In this case all the Listeners that share a port with the - * TCP Listener are not distinct and so MUST NOT be accepted. * - * If an implementation does not support TCP Protocol Listeners, then the - * previous rule does not apply, and the TCP Listeners SHOULD NOT be - * accepted. + * When using the Hostname value to select between same-Port, same-Protocol + * Listeners, the Hostname value must be different on each Listener for the + * Listener to be distinct. * - * Note that the `tls` field is not used for determining if a listener is distinct, because - * Listeners that _only_ differ on TLS config will still conflict in all cases. 
* - * ### Listeners that are distinct only by Hostname - * - * When the Listeners are distinct based only on Hostname, inbound request + * When the Listeners are distinct based on Hostname, inbound request * hostnames MUST match from the most specific to least specific Hostname * values to choose the correct Listener and its associated set of Routes. * - * Exact matches MUST be processed before wildcard matches, and wildcard - * matches MUST be processed before fallback (empty Hostname value) + * + * Exact matches must be processed before wildcard matches, and wildcard + * matches must be processed before fallback (empty Hostname value) * matches. For example, `"foo.example.com"` takes precedence over * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. * + * * Additionally, if there are multiple wildcard entries, more specific * wildcard entries must be processed before less specific wildcard entries. * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. - * * The precise definition here is that the higher the number of dots in the * hostname to the right of the wildcard character, the higher the precedence. * + * * The wildcard character will match any number of characters _and dots_ to * the left, however, so `"*.example.com"` will match both * `"foo.bar.example.com"` _and_ `"bar.example.com"`. * - * ## Handling indistinct Listeners * * If a set of Listeners contains Listeners that are not distinct, then those - * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + * Listeners are Conflicted, and the implementation MUST set the "Conflicted" * condition in the Listener Status to "True". * - * The words "indistinct" and "conflicted" are considered equivalent for the - * purpose of this documentation. * * Implementations MAY choose to accept a Gateway with some Conflicted * Listeners only if they only accept the partial Listener set that contains - * no Conflicted Listeners. 
+ * no Conflicted Listeners. To put this another way, implementations may + * accept a partial Listener set only if they throw out *all* the conflicting + * Listeners. No picking one of the conflicting listeners as the winner. + * This also means that the Gateway must have at least one non-conflicting + * Listener in this case, otherwise it violates the requirement that at + * least one Listener must be present. * - * Specifically, an implementation MAY accept a partial Listener set subject to - * the following rules: - * - * * The implementation MUST NOT pick one conflicting Listener as the winner. - * ALL indistinct Listeners must not be accepted for processing. - * * At least one distinct Listener MUST be present, or else the Gateway effectively - * contains _no_ Listeners, and must be rejected from processing as a whole. * * The implementation MUST set a "ListenersNotValid" condition on the * Gateway Status when the Gateway contains Conflicted Listeners whether or 
@@ -41018,634 +33123,41 @@ export declare namespace gateway { * Accepted. Additionally, the Listener status for those listeners SHOULD * indicate which Listeners are conflicted and not Accepted. * - * ## General Listener behavior * - * Note that, for all distinct Listeners, requests SHOULD match at most one Listener. - * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - * request to "foo.example.com" SHOULD only be routed using routes attached - * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * A Gateway's Listeners are considered "compatible" if: * - * This concept is known as "Listener Isolation", and it is an Extended feature - * of Gateway API. Implementations that do not support Listener Isolation MUST - * clearly document this, and MUST NOT claim support for the - * `GatewayHTTPListenerIsolation` feature. - * - * Implementations that _do_ support Listener Isolation SHOULD claim support - * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - * conformance tests. - * - * ## Compatible Listeners - * - * A Gateway's Listeners are considered _compatible_ if: * * 1. They are distinct. * 2. The implementation can serve them in compliance with the Addresses * requirement that all Listeners are available on all assigned * addresses. * + * * Compatible combinations in Extended support are expected to vary across * implementations. A combination that is compatible for one implementation * may not be compatible for another. * + * * For example, an implementation that cannot serve both TCP and UDP listeners * on the same address, or cannot mix HTTPS and generic TLS listens on the same port * would not consider those cases compatible, even though they are distinct. * + * + * Note that requests SHOULD match at most one Listener. 
For example, if + * Listeners are defined for "foo.example.com" and "*.example.com", a + * request to "foo.example.com" SHOULD only be routed using routes attached + * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * This concept is known as "Listener Isolation". Implementations that do + * not support Listener Isolation MUST clearly document this. + * + * * Implementations MAY merge separate Gateways onto a single set of * Addresses if all Listeners across all Gateways are compatible. * - * In a future release the MinItems=1 requirement MAY be dropped. * * Support: Core */ listeners?: pulumi.Input[]>; - tls?: pulumi.Input; - } - /** - * TLS specifies frontend and backend tls configuration for entire gateway. - * - * Support: Extended - */ - interface GatewaySpecTls { - backend?: pulumi.Input; - frontend?: pulumi.Input; - } - /** - * Backend describes TLS configuration for gateway when connecting - * to backends. - * - * Note that this contains only details for the Gateway as a TLS client, - * and does _not_ imply behavior about how to choose which backend should - * get a TLS connection. That is determined by the presence of a BackendTLSPolicy. - * - * Support: Core - */ - interface GatewaySpecTlsBackend { - clientCertificateRef?: pulumi.Input; - } - /** - * ClientCertificateRef is a reference to an object that contains a Client - * Certificate and the associated private key. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * ClientCertificateRef can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. 
- * - * Support: Core - */ - interface GatewaySpecTlsBackendClientCertificateRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - /** - * ClientCertificateRef is a reference to an object that contains a Client - * Certificate and the associated private key. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * ClientCertificateRef can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - */ - interface GatewaySpecTlsBackendClientCertificateRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. 
When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - /** - * Backend describes TLS configuration for gateway when connecting - * to backends. - * - * Note that this contains only details for the Gateway as a TLS client, - * and does _not_ imply behavior about how to choose which backend should - * get a TLS connection. That is determined by the presence of a BackendTLSPolicy. - * - * Support: Core - */ - interface GatewaySpecTlsBackendPatch { - clientCertificateRef?: pulumi.Input; - } - /** - * Frontend describes TLS config when client connects to Gateway. - * Support: Core - */ - interface GatewaySpecTlsFrontend { - default?: pulumi.Input; - /** - * PerPort specifies tls configuration assigned per port. - * Per port configuration is optional. Once set this configuration overrides - * the default configuration for all Listeners handling HTTPS traffic - * that match this port. - * Each override port requires a unique TLS configuration. - * - * support: Core - */ - perPort?: pulumi.Input[]>; - } - /** - * Default specifies the default client certificate validation configuration - * for all Listeners handling HTTPS traffic, unless a per-port configuration - * is defined. - * - * support: Core - */ - interface GatewaySpecTlsFrontendDefault { - validation?: pulumi.Input; - } - /** - * Default specifies the default client certificate validation configuration - * for all Listeners handling HTTPS traffic, unless a per-port configuration - * is defined. - * - * support: Core - */ - interface GatewaySpecTlsFrontendDefaultPatch { - validation?: pulumi.Input; - } - /** - * Validation holds configuration information for validating the frontend (client). 
- * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendDefaultValidation { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. 
- * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode?: pulumi.Input; - } - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. 
- * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendDefaultValidationPatch { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. 
- * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode?: pulumi.Input; - } - /** - * Frontend describes TLS config when client connects to Gateway. - * Support: Core - */ - interface GatewaySpecTlsFrontendPatch { - default?: pulumi.Input; - /** - * PerPort specifies tls configuration assigned per port. - * Per port configuration is optional. 
Once set this configuration overrides - * the default configuration for all Listeners handling HTTPS traffic - * that match this port. - * Each override port requires a unique TLS configuration. - * - * support: Core - */ - perPort?: pulumi.Input[]>; - } - interface GatewaySpecTlsFrontendPerPort { - /** - * The Port indicates the Port Number to which the TLS configuration will be - * applied. This configuration will be applied to all Listeners handling HTTPS - * traffic that match this port. - * - * Support: Core - */ - port?: pulumi.Input; - tls?: pulumi.Input; - } - interface GatewaySpecTlsFrontendPerPortPatch { - /** - * The Port indicates the Port Number to which the TLS configuration will be - * applied. This configuration will be applied to all Listeners handling HTTPS - * traffic that match this port. - * - * Support: Core - */ - port?: pulumi.Input; - tls?: pulumi.Input; - } - /** - * TLS store the configuration that will be applied to all Listeners handling - * HTTPS traffic and matching given port. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendPerPortTls { - validation?: pulumi.Input; - } - /** - * TLS store the configuration that will be applied to all Listeners handling - * HTTPS traffic and matching given port. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendPerPortTlsPatch { - validation?: pulumi.Input; - } - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. 
- * - * Support: Core - */ - interface GatewaySpecTlsFrontendPerPortTlsValidation { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. 
- * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode?: pulumi.Input; - } - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". 
- * When set to the empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendPerPortTlsValidationPatch { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). 
- * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode?: pulumi.Input; - } - /** - * TLS specifies frontend and backend tls configuration for entire gateway. - * - * Support: Extended - */ - interface GatewaySpecTlsPatch { - backend?: pulumi.Input; - frontend?: pulumi.Input; } /** * Status defines the current state of Gateway. @@ -41655,9 +33167,11 @@ export declare namespace gateway { * Addresses lists the network addresses that have been bound to the * Gateway. * + * * This list may differ from the addresses provided in the spec under some * conditions: * + * * * no addresses are specified, all addresses are dynamically assigned * * a combination of specified and dynamic addresses are assigned * * a specified address was unusable (e.g. already in use) 
@@ -41666,13 +33180,16 @@ export declare namespace gateway { /** * Conditions describe the current conditions of the Gateway. * + * * Implementations should prefer to express Gateway conditions * using the `GatewayConditionType` and `GatewayConditionReason` * constants so that operators and tools can converge on a common * vocabulary to describe Gateway state. * + * * Known condition types are: * + * * * "Accepted" * * "Programmed" * * "Ready" @@ -41695,12 +33212,29 @@ export declare namespace gateway { * Value of the address. The validity of the values will depend * on the type and support by the controller. * + * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value?: pulumi.Input; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayStatusConditions { /** @@ -41733,6 +33267,10 @@ export declare namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } 
@@ -41744,6 +33282,7 @@ export declare namespace gateway { * AttachedRoutes represents the total number of Routes that have been * successfully attached to this Listener. * + * * Successful attachment of a Route to a Listener is based solely on the * combination of the AllowedRoutes field on the corresponding Listener * and the Route's ParentRefs field. A Route is successfully attached to @@ -41756,6 +33295,7 @@ export declare namespace gateway { * for Listeners with condition Accepted: false and MUST count successfully * attached Routes that may themselves have Accepted: false conditions. * + * * Uses for this field include troubleshooting Route attachment and * measuring blast radius/impact of changes to a Listener. */ @@ -41773,6 +33313,7 @@ export declare namespace gateway { * listener. This MUST represent the kinds an implementation supports for * that Listener configuration. * + * * If kinds are specified in Spec that are not supported, they MUST NOT * appear in this list and an implementation MUST set the "ResolvedRefs" * condition to "False" with the "InvalidRouteKinds" reason. If both valid @@ -41783,6 +33324,22 @@ export declare namespace gateway { } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayStatusListenersConditions { /** 
@@ -41815,6 +33372,10 @@ export declare namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } @@ -41864,17 +33425,21 @@ export declare namespace gateway { * performing a match and (absent of any applicable header modification * configuration) MUST forward this header unmodified to the backend. * + * * Valid values for Hostnames are determined by RFC 1123 definition of a * hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and HTTPRoute, there * must be at least one intersecting hostname for the HTTPRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches HTTPRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -41885,31 +33450,38 @@ export declare namespace gateway { * all match. On the other hand, `example.com` and `test.example.net` would * not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and HTTPRoute have specified hostnames, any * HTTPRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * HTTPRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and HTTPRoute have specified hostnames, and none * match with the criteria above, then the HTTPRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. * overlapping wildcard matching and exact matching hostnames), precedence must * be given to rules from the HTTPRoute with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * + * * If ties exist across multiple Routes, the matching precedence rules for * HTTPRouteMatches takes over. * + * * Support: Core */ hostnames?: pulumi.Input[]>; 
@@ -41925,16 +33497,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -41944,8 +33521,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -41953,12 +33532,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -41966,10 +33547,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -41981,33 +33564,21 @@ export declare namespace gateway { * Rules are a list of HTTP matchers, filters and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** * ParentReference identifies an API object (usually a Gateway) that can be considered * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -42018,23 +33589,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -42042,6 +33618,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -42049,10 +33626,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -42060,6 +33639,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -42067,6 +33647,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -42076,15 +33657,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -42093,6 +33677,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -42100,6 +33685,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -42107,10 +33693,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -42120,6 +33708,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -42129,12 +33718,15 @@ export declare namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -42145,23 +33737,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -42169,6 +33766,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -42176,10 +33774,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -42187,6 +33787,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -42194,6 +33795,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -42203,15 +33805,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -42220,6 +33825,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -42227,6 +33833,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -42234,10 +33841,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -42247,6 +33856,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -42262,17 +33872,21 @@ export declare namespace gateway { * performing a match and (absent of any applicable header modification * configuration) MUST forward this header unmodified to the backend. * + * * Valid values for Hostnames are determined by RFC 1123 definition of a * hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and HTTPRoute, there * must be at least one intersecting hostname for the HTTPRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches HTTPRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -42283,31 +33897,38 @@ export declare namespace gateway { * all match. On the other hand, `example.com` and `test.example.net` would * not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and HTTPRoute have specified hostnames, any * HTTPRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * HTTPRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and HTTPRoute have specified hostnames, and none * match with the criteria above, then the HTTPRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. * overlapping wildcard matching and exact matching hostnames), precedence must * be given to rules from the HTTPRoute with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * + * * If ties exist across multiple Routes, the matching precedence rules for * HTTPRouteMatches takes over. * + * * Support: Core */ hostnames?: pulumi.Input[]>; 
@@ -42323,16 +33944,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -42342,8 +33968,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -42351,12 +33979,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -42364,10 +33994,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -42379,21 +34011,6 @@ export declare namespace gateway { * Rules are a list of HTTP matchers, filters and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** * HTTPRouteRule defines semantics for matching an HTTP request based on 
@@ -42405,37 +34022,41 @@ export declare namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive a 500 status code. * + * * See the HTTPBackendRef definition for the rules about what makes a single * HTTPBackendRef invalid. * + * * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive a 500 status code. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic must receive a 500. Implementations may * choose how that 50 percent is determined. * - * When a HTTPBackendRef refers to a Service that has no ready endpoints, - * implementations SHOULD return a 503 for requests to that backend instead. - * If an implementation chooses to do this, all of the above rules for 500 responses - * MUST also apply for responses that return a 503. * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs?: pulumi.Input[]>; 
@@ -42443,38 +34064,46 @@ export declare namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * Wherever possible, implementations SHOULD implement filters in the order * they are specified. * + * * Implementations MAY choose to implement this ordering strictly, rejecting - * any combination or order of filters that cannot be supported. If implementations + * any combination or order of filters that can not be supported. If implementations * choose a strict interpretation of filter ordering, they MUST clearly document * that behavior. * + * * To reject an invalid combination or order of filters, implementations SHOULD * consider the Route Rules with this configuration invalid. If all Route Rules * in a Route are invalid, the entire Route would be considered invalid. If only * a portion of Route Rules are invalid, implementations MUST set the * "PartiallyInvalid" condition for the Route. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * + * * All filters are expected to be compatible with each other except for the * URLRewrite and RequestRedirect filters, which may not be combined. If an - * implementation cannot support other combinations of filters, they must clearly + * implementation can not support other combinations of filters, they must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. 
* + * * Support: Core */ filters?: pulumi.Input[]>; @@ -42483,8 +34112,10 @@ export declare namespace gateway { * HTTP requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - path: 
@@ -42496,85 +34127,100 @@ export declare namespace gateway { * value: "/v2/foo" * ``` * + * * For a request to match against this rule, a request must satisfy * EITHER of the two conditions: * + * * - path prefixed with `/foo` AND contains the header `version: v2` * - path prefix of `/v2/foo` * + * * See the documentation for HTTPRouteMatch on how to specify multiple * match conditions that should be ANDed together. * + * * If no matches are specified, the default is a prefix * path match on "/", which has the effect of matching every * HTTP request. * + * * Proxy or Load Balancer routing configuration generated from HTTPRoutes * MUST prioritize matches based on the following criteria, continuing on * ties. Across all rules specified on applicable Routes, precedence must be * given to the match having: * + * * * "Exact" path match. * * "Prefix" path match with largest number of characters. * * Method match. * * Largest number of header matches. * * Largest number of query param matches. * + * * Note: The precedence of RegularExpression path matches are implementation-specific. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within an HTTPRoute, matching precedence MUST be granted * to the FIRST matching rule (in list order) with a match meeting the above * criteria. * + * * When no rules matching a request have been successfully attached to the * parent a request is coming from, a HTTP 404 status code MUST be returned. */ matches?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
- * - * Support: Extended - */ - name?: pulumi.Input; - retry?: pulumi.Input; sessionPersistence?: pulumi.Input; timeouts?: pulumi.Input; } /** * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ interface HTTPRouteSpecRulesBackendRefs { /** * Filters defined at this level should be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in HTTPRouteRule.) */ 
@@ -42588,16 +34234,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -42609,11 +34259,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -42633,11 +34285,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; 
@@ -42651,9 +34305,7 @@ export declare namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ interface HTTPRouteSpecRulesBackendRefsFilters { - cors?: pulumi.Input; extensionRef?: pulumi.Input; - externalAuth?: pulumi.Input; requestHeaderModifier?: pulumi.Input; requestMirror?: pulumi.Input; requestRedirect?: pulumi.Input; @@ -42662,14 +34314,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple @@ -42678,16 +34333,20 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -42695,424 +34354,16 @@ export declare namespace gateway { type?: pulumi.Input; urlRewrite?: pulumi.Input; } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesBackendRefsFiltersCors { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). - * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials?: pulumi.Input; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. 
- * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders?: pulumi.Input[]>; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. 
- * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods?: pulumi.Input[]>; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. 
- * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). - * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins?: pulumi.Input[]>; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. 
- * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders?: pulumi.Input[]>; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge?: pulumi.Input; - } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesBackendRefsFiltersCorsPatch { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). 
- * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials?: pulumi.Input; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. 
A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders?: pulumi.Input[]>; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. - * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. 
If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods?: pulumi.Input[]>; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. - * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). 
- * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins?: pulumi.Input[]>; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. - * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. 
- * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders?: pulumi.Input[]>; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge?: pulumi.Input; - } /** * ExtensionRef is an optional, implementation-specific extension to the * "filter" behavior. For example, resource "myroutefilter" in group * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRef { @@ -43136,8 +34387,10 @@ export declare namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch { 
@@ -43155,400 +34408,6 @@ export declare namespace gateway { */ name?: pulumi.Input; } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuth { - backendRef?: pulumi.Input; - forwardBody?: pulumi.Input; - grpc?: pulumi.Input; - http?: pulumi.Input; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol?: pulumi.Input; - } - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. 
- */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - } - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. 
- */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - } - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. 
- * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize?: pulumi.Input; - } - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. 
If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize?: pulumi.Input; - } - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders?: pulumi.Input[]>; - } - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders?: pulumi.Input[]>; - } - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. 
- */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders?: pulumi.Input[]>; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders?: pulumi.Input[]>; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. 
- */ - path?: pulumi.Input; - } - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders?: pulumi.Input[]>; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders?: pulumi.Input[]>; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. 
- * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path?: pulumi.Input; - } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch { - backendRef?: pulumi.Input; - forwardBody?: pulumi.Input; - grpc?: pulumi.Input; - http?: pulumi.Input; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol?: pulumi.Input; - } /** * HTTPRouteFilter defines processing steps that must be completed during the * request or response lifecycle. HTTPRouteFilters are meant as an extension 
@@ -43558,9 +34417,7 @@ export declare namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ interface HTTPRouteSpecRulesBackendRefsFiltersPatch { - cors?: pulumi.Input; extensionRef?: pulumi.Input; - externalAuth?: pulumi.Input; requestHeaderModifier?: pulumi.Input; requestMirror?: pulumi.Input; requestRedirect?: pulumi.Input; @@ -43569,14 +34426,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple @@ -43585,16 +34445,20 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -43606,6 +34470,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier { @@ -43614,15 +34479,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -43634,15 +34502,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -43652,15 +34523,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -43673,7 +34547,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -43693,7 +34568,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -43711,6 +34587,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch { @@ -43719,15 +34596,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -43739,15 +34619,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -43757,15 +34640,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -43778,7 +34664,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -43798,7 +34685,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -43817,48 +34705,46 @@ export declare namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirror { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef { @@ -43871,16 +34757,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -43892,11 +34782,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -43912,26 +34804,32 @@ export declare namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch { @@ -43944,16 +34842,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; 
@@ -43965,11 +34867,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -43982,56 +34886,27 @@ export declare namespace gateway { */ port?: pulumi.Input; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect { 
@@ -44040,6 +34915,7 @@ export declare namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname?: pulumi.Input; @@ -44048,9 +34924,11 @@ export declare namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -44058,14 +34936,17 @@ export declare namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port?: pulumi.Input; 
@@ -44073,29 +34954,36 @@ export declare namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme?: pulumi.Input; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode?: pulumi.Input; @@ -44104,6 +34992,7 @@ export declare namespace gateway { * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch { @@ -44112,6 +35001,7 @@ export declare namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname?: pulumi.Input; 
@@ -44120,9 +35010,11 @@ export declare namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -44130,14 +35022,17 @@ export declare namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port?: pulumi.Input; 
@@ -44145,29 +35040,36 @@ export declare namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme?: pulumi.Input; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode?: pulumi.Input; @@ -44177,6 +35079,7 @@ export declare namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath { 
@@ -44191,26 +35094,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -44222,6 +35142,7 @@ export declare namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch { 
@@ -44236,26 +35157,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -44266,6 +35204,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier { 
@@ -44274,15 +35213,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -44294,15 +35236,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -44312,15 +35257,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -44333,7 +35281,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -44353,7 +35302,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -44371,6 +35321,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch { @@ -44379,15 +35330,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -44399,15 +35353,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -44417,15 +35374,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -44438,7 +35398,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -44458,7 +35419,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -44475,6 +35437,7 @@ export declare namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite { @@ -44482,6 +35445,7 @@ export declare namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname?: pulumi.Input; @@ -44490,6 +35454,7 @@ export declare namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch { @@ -44497,6 +35462,7 @@ export declare namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname?: pulumi.Input; 
@@ -44505,6 +35471,7 @@ export declare namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath { @@ -44519,26 +35486,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -44548,6 +35532,7 @@ export declare namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch { @@ -44562,26 +35547,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -44591,31 +35593,42 @@ export declare namespace gateway { /** * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ interface HTTPRouteSpecRulesBackendRefsPatch { /** * Filters defined at this level should be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in HTTPRouteRule.) */ 
@@ -44629,16 +35642,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -44650,11 +35667,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -44674,11 +35693,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; @@ -44692,9 +35713,7 @@ export declare namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ interface HTTPRouteSpecRulesFilters { - cors?: pulumi.Input; extensionRef?: pulumi.Input; - externalAuth?: pulumi.Input; requestHeaderModifier?: pulumi.Input; requestMirror?: pulumi.Input; requestRedirect?: pulumi.Input; 
@@ -44703,14 +35722,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple @@ -44719,16 +35741,20 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -44736,424 +35762,16 @@ export declare namespace gateway { type?: pulumi.Input; urlRewrite?: pulumi.Input; } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesFiltersCors { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). - * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials?: pulumi.Input; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. 
- * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders?: pulumi.Input[]>; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. 
- * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods?: pulumi.Input[]>; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. 
- * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). - * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins?: pulumi.Input[]>; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. 
- * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders?: pulumi.Input[]>; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge?: pulumi.Input; - } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesFiltersCorsPatch { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). 
- * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials?: pulumi.Input; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. 
A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders?: pulumi.Input[]>; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. - * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. 
If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods?: pulumi.Input[]>; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. - * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). 
- * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins?: pulumi.Input[]>; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. - * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. 
- * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders?: pulumi.Input[]>; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge?: pulumi.Input; - } /** * ExtensionRef is an optional, implementation-specific extension to the * "filter" behavior. For example, resource "myroutefilter" in group * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ interface HTTPRouteSpecRulesFiltersExtensionRef { @@ -45177,8 +35795,10 @@ export declare namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ interface HTTPRouteSpecRulesFiltersExtensionRefPatch { 
@@ -45196,400 +35816,6 @@ export declare namespace gateway { */ name?: pulumi.Input; } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesFiltersExternalAuth { - backendRef?: pulumi.Input; - forwardBody?: pulumi.Input; - grpc?: pulumi.Input; - http?: pulumi.Input; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol?: pulumi.Input; - } - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthBackendRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. 
For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - } - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". 
- * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - } - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. 
Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - interface HTTPRouteSpecRulesFiltersExternalAuthForwardBody { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize?: pulumi.Input; - } - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - interface HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. 
- * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize?: pulumi.Input; - } - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthGrpc { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders?: pulumi.Input[]>; - } - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders?: pulumi.Input[]>; - } - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthHttp { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. 
- * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders?: pulumi.Input[]>; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders?: pulumi.Input[]>; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path?: pulumi.Input; - } - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. 
- */ - interface HTTPRouteSpecRulesFiltersExternalAuthHttpPatch { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders?: pulumi.Input[]>; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders?: pulumi.Input[]>; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. 
- */ - path?: pulumi.Input; - } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesFiltersExternalAuthPatch { - backendRef?: pulumi.Input; - forwardBody?: pulumi.Input; - grpc?: pulumi.Input; - http?: pulumi.Input; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol?: pulumi.Input; - } /** * HTTPRouteFilter defines processing steps that must be completed during the * request or response lifecycle. HTTPRouteFilters are meant as an extension @@ -45599,9 +35825,7 @@ export declare namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ interface HTTPRouteSpecRulesFiltersPatch { - cors?: pulumi.Input; extensionRef?: pulumi.Input; - externalAuth?: pulumi.Input; requestHeaderModifier?: pulumi.Input; requestMirror?: pulumi.Input; requestRedirect?: pulumi.Input; 
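Review bot: The new side of `HTTPRouteSpecRulesFiltersPatch` no longer declares `cors` or `externalAuth`, and the preceding hunk deletes every `HTTPRouteSpecRulesFiltersExternalAuth*` interface, so a route that relied on the external-auth filter can no longer be expressed through these typings. These declarations look generated, so the fix belongs in the generator input rather than in this file: confirm that the CRD set used for generation matches what the target clusters actually serve. If the removal is intended, record it as breaking in the changelog, e.g. `- Breaking: HTTPRoute filter types no longer include cors, externalAuth, or requestMirror fraction/percent`, because a caller that bypasses the type check would presumably have the field pruned or rejected by the API server and could end up with a route that has no auth filter. The body of `HTTPRouteSpecRulesFiltersPatch` continues outside this hunk.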
@@ -45610,14 +35834,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple @@ -45626,16 +35853,20 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -45647,6 +35878,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface HTTPRouteSpecRulesFiltersRequestHeaderModifier { 
@@ -45655,15 +35887,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -45675,15 +35910,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -45693,15 +35931,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -45714,7 +35955,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -45734,7 +35976,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -45752,6 +35995,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch { @@ -45760,15 +36004,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -45780,15 +36027,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -45798,15 +36048,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -45819,7 +36072,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -45839,7 +36093,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -45858,48 +36113,46 @@ export declare namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersRequestMirror { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRef { 
@@ -45912,16 +36165,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -45933,11 +36190,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -45953,26 +36212,32 @@ export declare namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch { @@ -45985,16 +36250,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; 
@@ -46006,11 +36275,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -46023,56 +36294,27 @@ export declare namespace gateway { */ port?: pulumi.Input; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface HTTPRouteSpecRulesFiltersRequestMirrorFraction { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersRequestMirrorPatch { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ interface HTTPRouteSpecRulesFiltersRequestRedirect { 
@@ -46081,6 +36323,7 @@ export declare namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname?: pulumi.Input; @@ -46089,9 +36332,11 @@ export declare namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -46099,14 +36344,17 @@ export declare namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port?: pulumi.Input; 
@@ -46114,29 +36362,36 @@ export declare namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme?: pulumi.Input; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode?: pulumi.Input; @@ -46145,6 +36400,7 @@ export declare namespace gateway { * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ interface HTTPRouteSpecRulesFiltersRequestRedirectPatch { @@ -46153,6 +36409,7 @@ export declare namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname?: pulumi.Input; 
@@ -46161,9 +36418,11 @@ export declare namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -46171,14 +36430,17 @@ export declare namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port?: pulumi.Input; 
@@ -46186,29 +36448,36 @@ export declare namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme?: pulumi.Input; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode?: pulumi.Input; @@ -46218,6 +36487,7 @@ export declare namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersRequestRedirectPath { 
@@ -46232,26 +36502,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -46263,6 +36550,7 @@ export declare namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersRequestRedirectPathPatch { 
@@ -46277,26 +36565,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -46307,6 +36612,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersResponseHeaderModifier { 
@@ -46315,15 +36621,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -46335,15 +36644,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -46353,15 +36665,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -46374,7 +36689,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -46394,7 +36710,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -46412,6 +36729,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch { @@ -46420,15 +36738,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -46440,15 +36761,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -46458,15 +36782,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -46479,7 +36806,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -46499,7 +36827,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -46516,6 +36845,7 @@ export declare namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersUrlRewrite { @@ -46523,6 +36853,7 @@ export declare namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname?: pulumi.Input; @@ -46531,6 +36862,7 @@ export declare namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersUrlRewritePatch { @@ -46538,6 +36870,7 @@ export declare namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname?: pulumi.Input; 
@@ -46546,6 +36879,7 @@ export declare namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersUrlRewritePath { @@ -46560,26 +36894,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -46589,6 +36940,7 @@ export declare namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersUrlRewritePathPatch { @@ -46603,26 +36955,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -46634,18 +37003,22 @@ export declare namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a HTTP request only if its path * starts with `/foo` AND it contains the `version: v1` header: * + * * ``` * match: * + * * path: * value: "/foo" * headers: * - name: "version" * value "v1" * + * * ``` */ interface HTTPRouteSpecRulesMatches { @@ -46660,6 +37033,7 @@ export declare namespace gateway { * When specified, this route will be matched only if the request has the * specified method. * + * * Support: Extended */ method?: pulumi.Input; @@ -46669,6 +37043,7 @@ export declare namespace gateway { * values are ANDed together, meaning, a request must match all the * specified query parameters to select the route. * + * * Support: Extended */ queryParams?: pulumi.Input[]>; @@ -46680,7 +37055,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesMatchesHeaders { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent @@ -46688,6 +37064,7 @@ export declare namespace gateway { * case-insensitivity of header names, "foo" and "Foo" are considered * equivalent. * + * * When a header is repeated in an HTTP request, it is * implementation-specific behavior as to how this is represented. * Generally, proxies should follow the guidance from the RFC: 
@@ -46698,10 +37075,13 @@ export declare namespace gateway { /** * Type specifies how to match against the value of the header. * + * * Support: Core (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression HeaderMatchType has implementation-specific * conformance, implementations can support POSIX, PCRE or any other dialects * of regular expressions. Please read the implementation's documentation to @@ -46720,7 +37100,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesMatchesHeadersPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent @@ -46728,6 +37109,7 @@ export declare namespace gateway { * case-insensitivity of header names, "foo" and "Foo" are considered * equivalent. * + * * When a header is repeated in an HTTP request, it is * implementation-specific behavior as to how this is represented. * Generally, proxies should follow the guidance from the RFC: @@ -46738,10 +37120,13 @@ export declare namespace gateway { /** * Type specifies how to match against the value of the header. * + * * Support: Core (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression HeaderMatchType has implementation-specific * conformance, implementations can support POSIX, PCRE or any other dialects * of regular expressions. Please read the implementation's documentation to 
@@ -46758,18 +37143,22 @@ export declare namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a HTTP request only if its path * starts with `/foo` AND it contains the `version: v1` header: * + * * ``` * match: * + * * path: * value: "/foo" * headers: * - name: "version" * value "v1" * + * * ``` */ interface HTTPRouteSpecRulesMatchesPatch { @@ -46784,6 +37173,7 @@ export declare namespace gateway { * When specified, this route will be matched only if the request has the * specified method. * + * * Support: Extended */ method?: pulumi.Input; @@ -46793,6 +37183,7 @@ export declare namespace gateway { * values are ANDed together, meaning, a request must match all the * specified query parameters to select the route. * + * * Support: Extended */ queryParams?: pulumi.Input[]>; @@ -46805,8 +37196,10 @@ export declare namespace gateway { /** * Type specifies how to match against the path Value. * + * * Support: Core (Exact, PathPrefix) * + * * Support: Implementation-specific (RegularExpression) */ type?: pulumi.Input; @@ -46823,8 +37216,10 @@ export declare namespace gateway { /** * Type specifies how to match against the path Value. * + * * Support: Core (Exact, PathPrefix) * + * * Support: Implementation-specific (RegularExpression) */ type?: pulumi.Input; @@ -46843,10 +37238,12 @@ export declare namespace gateway { * exact string match. (See * https://tools.ietf.org/html/rfc7230#section-2.7.3). * + * * If multiple entries specify equivalent query param names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent query param name MUST be ignored. * + * * If a query param is repeated in an HTTP request, the behavior is * purposely left undefined, since different data planes have different * capabilities. However, it is *recommended* that implementations should 
@@ -46854,6 +37251,7 @@ export declare namespace gateway { * as this behavior is expected in other load balancing contexts outside of * the Gateway API. * + * * Users SHOULD NOT route traffic based on repeated query params to guard * themselves against potential differences in the implementations. */ @@ -46861,10 +37259,13 @@ export declare namespace gateway { /** * Type specifies how to match against the value of the query parameter. * + * * Support: Extended (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression QueryParamMatchType has Implementation-specific * conformance, implementations can support POSIX, PCRE or any other * dialects of regular expressions. Please read the implementation's @@ -46886,10 +37287,12 @@ export declare namespace gateway { * exact string match. (See * https://tools.ietf.org/html/rfc7230#section-2.7.3). * + * * If multiple entries specify equivalent query param names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent query param name MUST be ignored. * + * * If a query param is repeated in an HTTP request, the behavior is * purposely left undefined, since different data planes have different * capabilities. However, it is *recommended* that implementations should @@ -46897,6 +37300,7 @@ export declare namespace gateway { * as this behavior is expected in other load balancing contexts outside of * the Gateway API. * + * * Users SHOULD NOT route traffic based on repeated query params to guard * themselves against potential differences in the implementations. */ 
@@ -46904,10 +37308,13 @@ export declare namespace gateway { /** * Type specifies how to match against the value of the query parameter. * + * * Support: Extended (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression QueryParamMatchType has Implementation-specific * conformance, implementations can support POSIX, PCRE or any other * dialects of regular expressions. Please read the implementation's 
@@ -46929,37 +37336,41 @@ export declare namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive a 500 status code. * + * * See the HTTPBackendRef definition for the rules about what makes a single * HTTPBackendRef invalid. * + * * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive a 500 status code. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic must receive a 500. Implementations may * choose how that 50 percent is determined. * - * When a HTTPBackendRef refers to a Service that has no ready endpoints, - * implementations SHOULD return a 503 for requests to that backend instead. - * If an implementation chooses to do this, all of the above rules for 500 responses - * MUST also apply for responses that return a 503. * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs?: pulumi.Input[]>; 
@@ -46967,38 +37378,46 @@ export declare namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * Wherever possible, implementations SHOULD implement filters in the order * they are specified. * + * * Implementations MAY choose to implement this ordering strictly, rejecting - * any combination or order of filters that cannot be supported. If implementations + * any combination or order of filters that can not be supported. If implementations * choose a strict interpretation of filter ordering, they MUST clearly document * that behavior. * + * * To reject an invalid combination or order of filters, implementations SHOULD * consider the Route Rules with this configuration invalid. If all Route Rules * in a Route are invalid, the entire Route would be considered invalid. If only * a portion of Route Rules are invalid, implementations MUST set the * "PartiallyInvalid" condition for the Route. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * + * * All filters are expected to be compatible with each other except for the * URLRewrite and RequestRedirect filters, which may not be combined. If an - * implementation cannot support other combinations of filters, they must clearly + * implementation can not support other combinations of filters, they must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. 
* + * * Support: Core */ filters?: pulumi.Input[]>; @@ -47007,8 +37426,10 @@ export declare namespace gateway { * HTTP requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - path: 
@@ -47020,193 +37441,66 @@ export declare namespace gateway { * value: "/v2/foo" * ``` * + * * For a request to match against this rule, a request must satisfy * EITHER of the two conditions: * + * * - path prefixed with `/foo` AND contains the header `version: v2` * - path prefix of `/v2/foo` * + * * See the documentation for HTTPRouteMatch on how to specify multiple * match conditions that should be ANDed together. * + * * If no matches are specified, the default is a prefix * path match on "/", which has the effect of matching every * HTTP request. * + * * Proxy or Load Balancer routing configuration generated from HTTPRoutes * MUST prioritize matches based on the following criteria, continuing on * ties. Across all rules specified on applicable Routes, precedence must be * given to the match having: * + * * * "Exact" path match. * * "Prefix" path match with largest number of characters. * * Method match. * * Largest number of header matches. * * Largest number of query param matches. * + * * Note: The precedence of RegularExpression path matches are implementation-specific. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within an HTTPRoute, matching precedence MUST be granted * to the FIRST matching rule (in list order) with a match meeting the above * criteria. * + * * When no rules matching a request have been successfully attached to the * parent a request is coming from, a HTTP 404 status code MUST be returned. */ matches?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
- * - * Support: Extended - */ - name?: pulumi.Input; - retry?: pulumi.Input; sessionPersistence?: pulumi.Input; timeouts?: pulumi.Input; } - /** - * Retry defines the configuration for when to retry an HTTP request. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesRetry { - /** - * Attempts specifies the maximum number of times an individual request - * from the gateway to a backend should be retried. - * - * If the maximum number of retries has been attempted without a successful - * response from the backend, the Gateway MUST return an error. - * - * When this field is unspecified, the number of times to attempt to retry - * a backend request is implementation-specific. - * - * Support: Extended - */ - attempts?: pulumi.Input; - /** - * Backoff specifies the minimum duration a Gateway should wait between - * retry attempts and is represented in Gateway API Duration formatting. - * - * For example, setting the `rules[].retry.backoff` field to the value - * `100ms` will cause a backend request to first be retried approximately - * 100 milliseconds after timing out or receiving a response code configured - * to be retryable. - * - * An implementation MAY use an exponential or alternative backoff strategy - * for subsequent retry attempts, MAY cap the maximum backoff duration to - * some amount greater than the specified minimum, and MAY add arbitrary - * jitter to stagger requests, as long as unsuccessful backend requests are - * not retried before the configured minimum duration. - * - * If a Request timeout (`rules[].timeouts.request`) is configured on the - * route, the entire duration of the initial request and any retry attempts - * MUST not exceed the Request timeout duration. If any retry attempts are - * still in progress when the Request timeout duration has been reached, - * these SHOULD be canceled if possible and the Gateway MUST immediately - * return a timeout error. 
- * - * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - * configured on the route, any retry attempts which reach the configured - * BackendRequest timeout duration without a response SHOULD be canceled if - * possible and the Gateway should wait for at least the specified backoff - * duration before attempting to retry the backend request again. - * - * If a BackendRequest timeout is _not_ configured on the route, retry - * attempts MAY time out after an implementation default duration, or MAY - * remain pending until a configured Request timeout or implementation - * default duration for total request time is reached. - * - * When this field is unspecified, the time to wait between retry attempts - * is implementation-specific. - * - * Support: Extended - */ - backoff?: pulumi.Input; - /** - * Codes defines the HTTP response status codes for which a backend request - * should be retried. - * - * Support: Extended - */ - codes?: pulumi.Input[]>; - } - /** - * Retry defines the configuration for when to retry an HTTP request. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesRetryPatch { - /** - * Attempts specifies the maximum number of times an individual request - * from the gateway to a backend should be retried. - * - * If the maximum number of retries has been attempted without a successful - * response from the backend, the Gateway MUST return an error. - * - * When this field is unspecified, the number of times to attempt to retry - * a backend request is implementation-specific. - * - * Support: Extended - */ - attempts?: pulumi.Input; - /** - * Backoff specifies the minimum duration a Gateway should wait between - * retry attempts and is represented in Gateway API Duration formatting. 
- * - * For example, setting the `rules[].retry.backoff` field to the value - * `100ms` will cause a backend request to first be retried approximately - * 100 milliseconds after timing out or receiving a response code configured - * to be retryable. - * - * An implementation MAY use an exponential or alternative backoff strategy - * for subsequent retry attempts, MAY cap the maximum backoff duration to - * some amount greater than the specified minimum, and MAY add arbitrary - * jitter to stagger requests, as long as unsuccessful backend requests are - * not retried before the configured minimum duration. - * - * If a Request timeout (`rules[].timeouts.request`) is configured on the - * route, the entire duration of the initial request and any retry attempts - * MUST not exceed the Request timeout duration. If any retry attempts are - * still in progress when the Request timeout duration has been reached, - * these SHOULD be canceled if possible and the Gateway MUST immediately - * return a timeout error. - * - * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - * configured on the route, any retry attempts which reach the configured - * BackendRequest timeout duration without a response SHOULD be canceled if - * possible and the Gateway should wait for at least the specified backoff - * duration before attempting to retry the backend request again. - * - * If a BackendRequest timeout is _not_ configured on the route, retry - * attempts MAY time out after an implementation default duration, or MAY - * remain pending until a configured Request timeout or implementation - * default duration for total request time is reached. - * - * When this field is unspecified, the time to wait between retry attempts - * is implementation-specific. - * - * Support: Extended - */ - backoff?: pulumi.Input; - /** - * Codes defines the HTTP response status codes for which a backend request - * should be retried. 
- * - * Support: Extended - */ - codes?: pulumi.Input[]>; - } /** * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ interface HTTPRouteSpecRulesSessionPersistence { @@ -47215,6 +37509,7 @@ export declare namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout?: pulumi.Input; @@ -47224,6 +37519,7 @@ export declare namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout?: pulumi.Input; @@ -47233,6 +37529,7 @@ export declare namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName?: pulumi.Input; @@ -47241,8 +37538,10 @@ export declare namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type?: pulumi.Input; @@ -47251,6 +37550,7 @@ export declare namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ interface HTTPRouteSpecRulesSessionPersistenceCookieConfig { @@ -47261,18 +37561,20 @@ export declare namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType?: pulumi.Input; 
@@ -47281,6 +37583,7 @@ export declare namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ interface HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch { @@ -47291,18 +37594,20 @@ export declare namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType?: pulumi.Input; @@ -47311,6 +37616,7 @@ export declare namespace gateway { * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ interface HTTPRouteSpecRulesSessionPersistencePatch { @@ -47319,6 +37625,7 @@ export declare namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout?: pulumi.Input; @@ -47328,6 +37635,7 @@ export declare namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout?: pulumi.Input; @@ -47337,6 +37645,7 @@ export declare namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName?: pulumi.Input; @@ -47345,8 +37654,10 @@ export declare namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type?: pulumi.Input; 
@@ -47354,6 +37665,7 @@ export declare namespace gateway { /** * Timeouts defines the timeouts that can be configured for an HTTP request. * + * * Support: Extended */ interface HTTPRouteSpecRulesTimeouts { @@ -47362,19 +37674,21 @@ export declare namespace gateway { * to a backend. This covers the time from when the request first starts being * sent from the gateway to when the full response has been received from the backend. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * An entire client HTTP transaction with a gateway, covered by the Request timeout, * may result in more than one call from the gateway to the destination backend, * for example, if automatic retries are supported. * - * The value of BackendRequest must be a Gateway API Duration string as defined by - * GEP-2257. When this field is unspecified, its behavior is implementation-specific; - * when specified, the value of BackendRequest must be no more than the value of the - * Request timeout (since the Request timeout encompasses the BackendRequest timeout). + * + * Because the Request timeout encompasses the BackendRequest timeout, the value of + * BackendRequest must be <= the value of Request timeout. + * * * Support: Extended */ 
@@ -47384,22 +37698,26 @@ export declare namespace gateway { * If the gateway has not been able to respond before this deadline is met, the gateway * MUST return a timeout error. * + * * For example, setting the `rules.timeouts.request` field to the value `10s` in an * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds * to complete. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * This timeout is intended to cover as close to the whole request-response transaction * as possible although an implementation MAY choose to start the timeout after the entire * request stream has been received instead of immediately after the transaction is * initiated by the client. * - * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - * field is unspecified, request timeout behavior is implementation-specific. + * + * When this field is unspecified, request timeout behavior is implementation-specific. + * * * Support: Extended */ @@ -47408,6 +37726,7 @@ export declare namespace gateway { /** * Timeouts defines the timeouts that can be configured for an HTTP request. * + * * Support: Extended */ interface HTTPRouteSpecRulesTimeoutsPatch { 
@@ -47416,19 +37735,21 @@ export declare namespace gateway { * to a backend. This covers the time from when the request first starts being * sent from the gateway to when the full response has been received from the backend. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * An entire client HTTP transaction with a gateway, covered by the Request timeout, * may result in more than one call from the gateway to the destination backend, * for example, if automatic retries are supported. * - * The value of BackendRequest must be a Gateway API Duration string as defined by - * GEP-2257. When this field is unspecified, its behavior is implementation-specific; - * when specified, the value of BackendRequest must be no more than the value of the - * Request timeout (since the Request timeout encompasses the BackendRequest timeout). + * + * Because the Request timeout encompasses the BackendRequest timeout, the value of + * BackendRequest must be <= the value of Request timeout. + * * * Support: Extended */ 
@@ -47438,22 +37759,26 @@ export declare namespace gateway { * If the gateway has not been able to respond before this deadline is met, the gateway * MUST return a timeout error. * + * * For example, setting the `rules.timeouts.request` field to the value `10s` in an * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds * to complete. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * This timeout is intended to cover as close to the whole request-response transaction * as possible although an implementation MAY choose to start the timeout after the entire * request stream has been received instead of immediately after the transaction is * initiated by the client. * - * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - * field is unspecified, request timeout behavior is implementation-specific. + * + * When this field is unspecified, request timeout behavior is implementation-specific. + * * * Support: Extended */ @@ -47471,11 +37796,13 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -47491,19 +37818,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -47513,12 +37844,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -47528,6 +37862,22 @@ export declare namespace gateway { } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface HTTPRouteStatusParentsConditions { /** @@ -47560,6 +37910,10 @@ export declare namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } @@ -47574,23 +37928,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -47598,6 +37957,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -47605,10 +37965,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -47616,6 +37978,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -47623,6 +37986,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -47632,15 +37996,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -47649,6 +38016,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -47656,6 +38024,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -47663,10 +38032,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -47676,6 +38047,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -47685,13 +38057,16 @@ export declare namespace gateway { * trusted to reference the specified kinds of resources in the same namespace * as the policy. * + * * Each ReferenceGrant can be used to represent a unique trust relationship. * Additional Reference Grants can be used to add to the set of trusted * sources of inbound references for the namespace they are defined within. * + * * All cross-namespace references in Gateway API (with the exception of cross-namespace * Gateway-route attachment) require a ReferenceGrant. * + * * ReferenceGrant is a form of runtime verification allowing users to assert * which cross-namespace object references are permitted. Implementations that * support ReferenceGrant MUST NOT permit cross-namespace references which have @@ -47723,6 +38098,7 @@ export declare namespace gateway { * to be an additional place that references can be valid from, or to put * this another way, entries MUST be combined using OR. * + * * Support: Core */ from?: pulumi.Input[]>; @@ -47732,6 +38108,7 @@ export declare namespace gateway { * additional place that references can be valid to, or to put this another * way, entries MUST be combined using OR. * + * * Support: Core */ to?: pulumi.Input[]>; @@ -47744,6 +38121,7 @@ export declare namespace gateway { * Group is the group of the referent. * When empty, the Kubernetes core API group is inferred. * + * * Support: Core */ group?: pulumi.Input; 
@@ -47752,12 +38130,16 @@ export declare namespace gateway { * additional resources, the following types are part of the "Core" * support level for this field. * + * * When used to permit a SecretObjectReference: * + * * * Gateway * + * * When used to permit a BackendObjectReference: * + * * * GRPCRoute * * HTTPRoute * * TCPRoute @@ -47768,6 +38150,7 @@ export declare namespace gateway { /** * Namespace is the namespace of the referent. * + * * Support: Core */ namespace?: pulumi.Input; @@ -47780,6 +38163,7 @@ export declare namespace gateway { * Group is the group of the referent. * When empty, the Kubernetes core API group is inferred. * + * * Support: Core */ group?: pulumi.Input; @@ -47788,12 +38172,16 @@ export declare namespace gateway { * additional resources, the following types are part of the "Core" * support level for this field. * + * * When used to permit a SecretObjectReference: * + * * * Gateway * + * * When used to permit a BackendObjectReference: * + * * * GRPCRoute * * HTTPRoute * * TCPRoute @@ -47804,6 +38192,7 @@ export declare namespace gateway { /** * Namespace is the namespace of the referent. * + * * Support: Core */ namespace?: pulumi.Input; @@ -47818,6 +38207,7 @@ export declare namespace gateway { * to be an additional place that references can be valid from, or to put * this another way, entries MUST be combined using OR. * + * * Support: Core */ from?: pulumi.Input[]>; @@ -47827,6 +38217,7 @@ export declare namespace gateway { * additional place that references can be valid to, or to put this another * way, entries MUST be combined using OR. * + * * Support: Core */ to?: pulumi.Input[]>; @@ -47840,6 +38231,7 @@ export declare namespace gateway { * Group is the group of the referent. * When empty, the Kubernetes core API group is inferred. * + * * Support: Core */ group?: pulumi.Input; 
@@ -47848,6 +38240,7 @@ export declare namespace gateway { * additional resources, the following types are part of the "Core" * support level for this field: * + * * * Secret when used to permit a SecretObjectReference * * Service when used to permit a BackendObjectReference */ @@ -47868,6 +38261,7 @@ export declare namespace gateway { * Group is the group of the referent. * When empty, the Kubernetes core API group is inferred. * + * * Support: Core */ group?: pulumi.Input; @@ -47876,6 +38270,7 @@ export declare namespace gateway { * additional resources, the following types are part of the "Core" * support level for this field: * + * * * Secret when used to permit a SecretObjectReference * * Service when used to permit a BackendObjectReference */ diff --git a/generated/crds/types/input.ts b/generated/crds/types/input.ts index 5f9c5c8..0e3f01e 100644 --- a/generated/crds/types/input.ts +++ b/generated/crds/types/input.ts @@ -34,9 +34,9 @@ export namespace acme { */ authorizationURL?: pulumi.Input; /** - * dnsName is the identifier that this challenge is for, e.g., example.com. + * dnsName is the identifier that this challenge is for, e.g. example.com. * If the requested DNSName is a 'wildcard', this field MUST be set to the - * non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`. + * non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. */ dnsName?: pulumi.Input; issuerRef?: pulumi.Input; @@ -82,17 +82,15 @@ export namespace acme { */ export interface ChallengeSpecIssuerRef { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group?: pulumi.Input; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind?: pulumi.Input; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name?: pulumi.Input; } 
@@ -106,17 +104,15 @@ export namespace acme { */ export interface ChallengeSpecIssuerRefPatch { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group?: pulumi.Input; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind?: pulumi.Input; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name?: pulumi.Input; } @@ -128,9 +124,9 @@ export namespace acme { */ authorizationURL?: pulumi.Input; /** - * dnsName is the identifier that this challenge is for, e.g., example.com. + * dnsName is the identifier that this challenge is for, e.g. example.com. * If the requested DNSName is a 'wildcard', this field MUST be set to the - * non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`. + * non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. */ dnsName?: pulumi.Input; issuerRef?: pulumi.Input; @@ -461,18 +457,14 @@ export namespace acme { */ export interface ChallengeSpecSolverDns01AzureDNSManagedIdentity { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID?: pulumi.Input; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID?: pulumi.Input; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID?: pulumi.Input; } /** 
@@ -482,18 +474,14 @@ export namespace acme { */ export interface ChallengeSpecSolverDns01AzureDNSManagedIdentityPatch { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID?: pulumi.Input; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID?: pulumi.Input; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID?: pulumi.Input; } /** @@ -775,10 +763,6 @@ export namespace acme { * This field is required. */ nameserver?: pulumi.Input; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol?: pulumi.Input; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. @@ -806,10 +790,6 @@ export namespace acme { * This field is required. */ nameserver?: pulumi.Input; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol?: pulumi.Input; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -876,32 +856,11 @@ export namespace acme { accessKeyIDSecretRef?: pulumi.Input; auth?: pulumi.Input; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID?: pulumi.Input; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. 
+ * Always set the region when using AccessKeyID and SecretAccessKey */ region?: pulumi.Input; /** 
@@ -1039,32 +998,11 @@ export namespace acme { accessKeyIDSecretRef?: pulumi.Input; auth?: pulumi.Input; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID?: pulumi.Input; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. 
+ * Always set the region when using AccessKeyID and SecretAccessKey */ region?: pulumi.Input; /** @@ -1125,7 +1063,7 @@ export namespace acme { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -1141,7 +1079,7 @@ export namespace acme { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName?: pulumi.Input; } @@ -1156,7 +1094,7 @@ export namespace acme { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -1172,7 +1110,7 @@ export namespace acme { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName?: pulumi.Input; } 
@@ -1181,7 +1119,7 @@ export namespace acme { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ export interface ChallengeSpecSolverHttp01 { gatewayHTTPRoute?: pulumi.Input; @@ -1207,7 +1145,6 @@ export namespace acme { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs?: pulumi.Input[]>; - podTemplate?: pulumi.Input; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. @@ -1220,12 +1157,15 @@ export namespace acme { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -1236,23 +1176,28 @@ export namespace acme { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -1260,17 +1205,20 @@ export namespace acme { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -1278,6 +1226,7 @@ export namespace acme { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -1285,6 +1234,7 @@ export namespace acme { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -1293,16 +1243,19 @@ export namespace acme { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -1311,6 +1264,7 @@ export namespace acme { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -1318,6 +1272,7 @@ export namespace acme { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -1325,10 +1280,12 @@ export namespace acme { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -1338,6 +1295,7 @@ export namespace acme { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -1348,12 +1306,15 @@ export namespace acme { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -1364,23 +1325,28 @@ export namespace acme { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -1388,17 +1354,20 @@ export namespace acme { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -1406,6 +1375,7 @@ export namespace acme { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -1413,6 +1383,7 @@ export namespace acme { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -1421,16 +1392,19 @@ export namespace acme { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -1439,6 +1413,7 @@ export namespace acme { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -1446,6 +1421,7 @@ export namespace acme { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -1453,10 +1429,12 @@ export namespace acme { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -1466,6 +1444,7 @@ export namespace acme { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -1490,7 +1469,6 @@ export namespace acme { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs?: pulumi.Input[]>; - podTemplate?: pulumi.Input; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. 
@@ -1498,2112 +1476,6 @@ export namespace acme { serviceType?: pulumi.Input; } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplate { - metadata?: pulumi.Input; - spec?: pulumi.Input; - } - - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadata { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadataPatch { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplatePatch { - metadata?: pulumi.Input; - spec?: pulumi.Input; - } - - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. 
- * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpec { - affinity?: pulumi.Input; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets?: pulumi.Input[]>; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; - /** - * If specified, the pod's service account - */ - serviceAccountName?: pulumi.Input; - /** - * If specified, the pod's tolerations. - */ - tolerations?: pulumi.Input[]>; - } - - /** - * If specified, the pod's scheduling constraints - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinity { - nodeAffinity?: pulumi.Input; - podAffinity?: pulumi.Input; - podAntiAffinity?: pulumi.Input; - } - - /** - * Describes node affinity scheduling rules for the pod. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. 
- * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input; - } - - /** - * Describes node affinity scheduling rules for the pod. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input; - } - - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution { - preference?: pulumi.Input; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 
- */ - weight?: pulumi.Input; - } - - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - preference?: pulumi.Input; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight?: pulumi.Input; - } - - /** - * A node selector term, associated with the corresponding weight. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. 
- */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. 
- */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A node selector term, associated with the corresponding weight. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution { - /** - * Required. 
A list of node selector terms. The terms are ORed. - */ - nodeSelectorTerms?: pulumi.Input[]>; - } - - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. 
- */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. 
- */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - /** - * Required. A list of node selector terms. The terms are ORed. 
- */ - nodeSelectorTerms?: pulumi.Input[]>; - } - - /** - * If specified, the pod's scheduling constraints - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch { - nodeAffinity?: pulumi.Input; - podAffinity?: pulumi.Input; - podAntiAffinity?: pulumi.Input; - } - - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
- */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. 
- */ - weight?: pulumi.Input; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. 
- * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. 
- */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. 
The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over the set of namespaces that the term applies to. 
- * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. 
- * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). 
- */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. 
The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. 
- */ - weight?: pulumi.Input; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. 
- * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. 
- */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. 
- */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. 
- */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. 
- */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. 
- */ - topologyKey?: pulumi.Input; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. 
- */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. 
- * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecPatch { - affinity?: pulumi.Input; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets?: pulumi.Input[]>; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; - /** - * If specified, the pod's service account - */ - serviceAccountName?: pulumi.Input; - /** - * If specified, the pod's tolerations. - */ - tolerations?: pulumi.Input[]>; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. 
- * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. 
- * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * If specified, the pod's security context - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. 
- * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - - /** - * If specified, the pod's security context - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. 
- * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. 
- * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. 
- */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. 
- * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type?: pulumi.Input; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type?: pulumi.Input; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerations { - /** - * Effect indicates the taint effect to match. 
Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect?: pulumi.Input; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key?: pulumi.Input; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator?: pulumi.Input; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds?: pulumi.Input; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value?: pulumi.Input; - } - - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect?: pulumi.Input; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key?: pulumi.Input; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. 
Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator?: pulumi.Input; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds?: pulumi.Input; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value?: pulumi.Input; - } - /** * The ingress based HTTP01 challenge solver will solve challenges by * creating or modifying Ingress resources in order to route requests for @@ -3749,7 +1621,7 @@ export namespace acme { */ export interface ChallengeSpecSolverHttp01IngressPodTemplateMetadata { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations?: pulumi.Input<{[key: string]: pulumi.Input}>; /** @@ -3766,7 +1638,7 @@ export namespace acme { */ export interface ChallengeSpecSolverHttp01IngressPodTemplateMetadataPatch { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations?: pulumi.Input<{[key: string]: pulumi.Input}>; /** @@ -3805,8 +1677,6 @@ export namespace acme { * If specified, the pod's priorityClassName. */ priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; /** * If specified, the pod's service account */ 
@@ -4271,6 +2141,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -4282,6 +2153,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -4482,6 +2354,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -4493,6 +2366,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -4532,6 +2406,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** 
@@ -4543,6 +2418,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -4748,6 +2624,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -4759,6 +2636,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -4790,8 +2668,8 @@ export namespace acme { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; 
@@ -4818,8 +2696,8 @@ export namespace acme { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; @@ -4873,6 +2751,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -4884,6 +2763,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -5084,6 +2964,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** 
@@ -5095,6 +2976,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -5134,6 +3016,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -5145,6 +3028,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -5350,6 +3234,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** 
@@ -5361,6 +3246,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -5391,7 +3277,9 @@ export namespace acme { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: pulumi.Input; } @@ -5406,7 +3294,9 @@ export namespace acme { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: pulumi.Input; } @@ -5432,8 +3322,6 @@ export namespace acme { * If specified, the pod's priorityClassName. */ priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; /** * If specified, the pod's service account */ 
@@ -5444,328 +3332,6 @@ export namespace acme { tolerations?: pulumi.Input[]>; } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. 
- * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * If specified, the pod's security context - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. 
If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. 
- * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - - /** - * If specified, the pod's security context - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. 
- * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. 
- * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. 
- * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type?: pulumi.Input; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. 
- */ - type?: pulumi.Input; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - /** * The pod this Toleration is attached to tolerates any taint that matches * the triple using the matching operator . @@ -5842,7 +3408,7 @@ export namespace acme { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ export interface ChallengeSpecSolverHttp01Patch { gatewayHTTPRoute?: pulumi.Input; @@ -6009,11 +3575,6 @@ export namespace acme { */ ipAddresses?: pulumi.Input[]>; issuerRef?: pulumi.Input; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile?: pulumi.Input; /** * Certificate signing request bytes in DER encoding. * This will be used when finalizing the order. 
@@ -6031,17 +3592,15 @@ export namespace acme { */ export interface OrderSpecIssuerRef { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group?: pulumi.Input; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind?: pulumi.Input; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name?: pulumi.Input; } @@ -6055,17 +3614,15 @@ export namespace acme { */ export interface OrderSpecIssuerRefPatch { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group?: pulumi.Input; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind?: pulumi.Input; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name?: pulumi.Input; } @@ -6095,11 +3652,6 @@ export namespace acme { */ ipAddresses?: pulumi.Input[]>; issuerRef?: pulumi.Input; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile?: pulumi.Input; /** * Certificate signing request bytes in DER encoding. * This will be used when finalizing the order. @@ -6205,7 +3757,7 @@ export namespace acme { */ token?: pulumi.Input; /** - * Type is the type of challenge being offered, e.g., 'http-01', 'dns-01', + * Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', * 'tls-sni-01', etc. * This is the raw value retrieved from the ACME server. * Only 'http-01' and 'dns-01' are supported by cert-manager, other values 
@@ -6228,6 +3780,7 @@ export namespace cert_manager { * A Certificate resource should be created to ensure an up to date and signed * X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. * + * * The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`). */ export interface Certificate { @@ -6251,10 +3804,12 @@ export namespace cert_manager { * A CertificateRequest is used to request a signed certificate from one of the * configured issuers. * + * * All fields within the CertificateRequest's `spec` are immutable after creation. * A CertificateRequest will either succeed or fail, as denoted by its `Ready` status * condition and its `status.failureTime` field. * + * * A CertificateRequest is a one-shot resource, meaning it represents a single * point in time request for a certificate and cannot be re-used. */ @@ -6300,9 +3855,11 @@ export namespace cert_manager { * Requested basic constraints isCA value. Note that the issuer may choose * to ignore the requested isCA value, just like any other requested attribute. * + * * NOTE: If the CSR in the `Request` field has a BasicConstraints extension, * it must have the same isCA value as specified here. * + * * If true, this will automatically add the `cert sign` usage to the list * of requested `usages`. */ @@ -6312,6 +3869,7 @@ export namespace cert_manager { * The PEM-encoded X.509 certificate signing request to be submitted to the * issuer for signing. * + * * If the CSR has a BasicConstraints extension, its isCA attribute must * match the `isCA` value of this CertificateRequest. * If the CSR has a KeyUsage extension, its key usages must match the 
@@ -6329,10 +3887,12 @@ export namespace cert_manager { /** * Requested key usages and extended key usages. * + * * NOTE: If the CSR in the `Request` field has uses the KeyUsage or * ExtKeyUsage extension, these extensions must have the same values * as specified here without any additional values. * + * * If unset, defaults to `digital signature` and `key encipherment`. */ usages?: pulumi.Input[]>; @@ -6349,21 +3909,20 @@ export namespace cert_manager { * as the Certificate. If the issuer is cluster-scoped, it can be used * from any namespace. * + * * The `name` field of the reference must always be specified. */ export interface CertificateRequestSpecIssuerRef { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group?: pulumi.Input; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind?: pulumi.Input; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name?: pulumi.Input; } @@ -6374,21 +3933,20 @@ export namespace cert_manager { * as the Certificate. If the issuer is cluster-scoped, it can be used * from any namespace. * + * * The `name` field of the reference must always be specified. */ export interface CertificateRequestSpecIssuerRefPatch { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group?: pulumi.Input; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind?: pulumi.Input; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name?: pulumi.Input; } 
@@ -6418,9 +3976,11 @@ export namespace cert_manager { * Requested basic constraints isCA value. Note that the issuer may choose * to ignore the requested isCA value, just like any other requested attribute. * + * * NOTE: If the CSR in the `Request` field has a BasicConstraints extension, * it must have the same isCA value as specified here. * + * * If true, this will automatically add the `cert sign` usage to the list * of requested `usages`. */ @@ -6430,6 +3990,7 @@ export namespace cert_manager { * The PEM-encoded X.509 certificate signing request to be submitted to the * issuer for signing. * + * * If the CSR has a BasicConstraints extension, its isCA attribute must * match the `isCA` value of this CertificateRequest. * If the CSR has a KeyUsage extension, its key usages must match the @@ -6447,10 +4008,12 @@ export namespace cert_manager { /** * Requested key usages and extended key usages. * + * * NOTE: If the CSR in the `Request` field has uses the KeyUsage or * ExtKeyUsage extension, these extensions must have the same values * as specified here without any additional values. * + * * If unset, defaults to `digital signature` and `key encipherment`. */ usages?: pulumi.Input[]>; @@ -6533,6 +4096,11 @@ export namespace cert_manager { /** * Defines extra output formats of the private key and signed certificate chain * to be written to this Certificate's target Secret. + * + * + * This is a Beta Feature enabled by default. It can be disabled with the + * `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both + * the controller and webhook components. */ additionalOutputFormats?: pulumi.Input[]>; /** @@ -6541,6 +4109,7 @@ export namespace cert_manager { * NOTE: TLS clients will ignore this value when any subject alternative name is * set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). * + * * Should have a length of 64 characters or fewer to avoid generating invalid CSRs. * Cannot be set if the `literalSubject` field is set. */ 
@@ -6554,6 +4123,7 @@ export namespace cert_manager { * issuer may choose to ignore the requested duration, just like any other * requested attribute. * + * * If unset, this defaults to 90 days. * Minimum accepted duration is 1 hour. * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. @@ -6566,6 +4136,7 @@ export namespace cert_manager { /** * Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR. * + * * This option defaults to true, and should only be disabled if the target * issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions. */ @@ -6580,6 +4151,7 @@ export namespace cert_manager { * resources. Note that the issuer may choose to ignore the requested isCA value, just * like any other requested attribute. * + * * If true, this will automatically add the `cert sign` usage to the list * of requested `usages`. */ @@ -6596,6 +4168,7 @@ export namespace cert_manager { * More info: https://github.com/cert-manager/cert-manager/issues/3203 * More info: https://github.com/cert-manager/cert-manager/issues/4424 * + * * Cannot be set if the `subject` or `commonName` field is set. */ literalSubject?: pulumi.Input; 
@@ -6615,33 +4188,17 @@ export namespace cert_manager { * 50 minutes after it was issued (i.e. when there are 10 minutes remaining until * the certificate is no longer valid). * + * * NOTE: The actual lifetime of the issued certificate is used to determine the * renewal time. If an issuer returns a certificate with a different lifetime than * the one requested, cert-manager will use the lifetime of the issued certificate. * + * * If unset, this defaults to 1/3 of the issued certificate's lifetime. * Minimum accepted value is 5 minutes. * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. - * Cannot be set if the `renewBeforePercentage` field is set. */ renewBefore?: pulumi.Input; - /** - * `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage - * rather than an absolute duration. For example, if a certificate is valid for 60 - * minutes, and `renewBeforePercentage=25`, cert-manager will begin to attempt to - * renew the certificate 45 minutes after it was issued (i.e. when there are 15 - * minutes (25%) remaining until the certificate is no longer valid). - * - * NOTE: The actual lifetime of the issued certificate is used to determine the - * renewal time. If an issuer returns a certificate with a different lifetime than - * the one requested, cert-manager will use the lifetime of the issued certificate. - * - * Value must be an integer in the range (0,100). The minimum effective - * `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5 - * minutes. - * Cannot be set if the `renewBefore` field is set. - */ - renewBeforePercentage?: pulumi.Input; /** * The maximum number of CertificateRequest revisions that are maintained in * the Certificate's history. Each revision represents a single `CertificateRequest` 
@@ -6649,8 +4206,10 @@ export namespace cert_manager { * was changed. Revisions will be removed by oldest first if the number of * revisions exceeds this number. * + * * If set, revisionHistoryLimit must be a value of `1` or greater. - * Default value is `1`. + * If unset (`nil`), revisions will not be garbage collected. + * Default value is `nil`. */ revisionHistoryLimit?: pulumi.Input; /** @@ -6661,13 +4220,6 @@ export namespace cert_manager { */ secretName?: pulumi.Input; secretTemplate?: pulumi.Input; - /** - * Signature algorithm to use. - * Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA. - * Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512. - * Allowed values for Ed25519 keys: PureEd25519. - */ - signatureAlgorithm?: pulumi.Input; subject?: pulumi.Input; /** * Requested URI subject alternative names. @@ -6679,6 +4231,7 @@ export namespace cert_manager { * resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages * will additionally be encoded in the `request` field which contains the CSR blob. * + * * If unset, defaults to `digital signature` and `key encipherment`. */ usages?: pulumi.Input[]>; @@ -6716,21 +4269,20 @@ export namespace cert_manager { * as the Certificate. If the issuer is cluster-scoped, it can be used * from any namespace. * + * * The `name` field of the reference must always be specified. */ export interface CertificateSpecIssuerRef { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group?: pulumi.Input; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind?: pulumi.Input; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name?: pulumi.Input; } 
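Review bot: The `revisionHistoryLimit` comment at `@@ -6649,8 +4206,10 @@` now says an unset value means revisions "will not be garbage collected" with a default of `nil`, where the removed text gave a default of `1`. If the installed cert-manager behaves as the new text describes, a Certificate that omits the field keeps every superseded CertificateRequest, each of which carries the submitted CSR. Callers of these types should set the field explicitly, e.g. `revisionHistoryLimit: 1`, rather than rely on a default that differs between the two sides of this diff. The Patch variant at `@@ -7276,8 +4793,10 @@` carries the same change. The field's doc comment begins before this hunk.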
@@ -6741,21 +4293,20 @@ export namespace cert_manager { * as the Certificate. If the issuer is cluster-scoped, it can be used * from any namespace. * + * * The `name` field of the reference must always be specified. */ export interface CertificateSpecIssuerRefPatch { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group?: pulumi.Input; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind?: pulumi.Input; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name?: pulumi.Input; } @@ -6782,7 +4333,7 @@ export namespace cert_manager { * Create enables JKS keystore creation for the Certificate. * If true, a file named `keystore.jks` will be created in the target * Secret resource, encrypted using the password stored in - * `passwordSecretRef` or `password`. + * `passwordSecretRef`. * The keystore file will be updated immediately. * If the issuer provided a CA certificate, a file named `truststore.jks` * will also be created in the target Secret resource, encrypted using the @@ -6790,20 +4341,12 @@ export namespace cert_manager { * containing the issuing Certificate Authority */ create?: pulumi.Input; - /** - * Password provides a literal password used to encrypt the JKS keystore. - * Mutually exclusive with passwordSecretRef. - * One of password or passwordSecretRef must provide a password with a non-zero length. - */ - password?: pulumi.Input; passwordSecretRef?: pulumi.Input; } /** - * PasswordSecretRef is a reference to a non-empty key in a Secret resource + * PasswordSecretRef is a reference to a key in a Secret resource * containing the password used to encrypt the JKS keystore. - * Mutually exclusive with password. - * One of password or passwordSecretRef must provide a password with a non-zero length. */ export interface CertificateSpecKeystoresJksPasswordSecretRef { /** 
@@ -6820,10 +4363,8 @@ export namespace cert_manager { } /** - * PasswordSecretRef is a reference to a non-empty key in a Secret resource + * PasswordSecretRef is a reference to a key in a Secret resource * containing the password used to encrypt the JKS keystore. - * Mutually exclusive with password. - * One of password or passwordSecretRef must provide a password with a non-zero length. */ export interface CertificateSpecKeystoresJksPasswordSecretRefPatch { /** @@ -6853,7 +4394,7 @@ export namespace cert_manager { * Create enables JKS keystore creation for the Certificate. * If true, a file named `keystore.jks` will be created in the target * Secret resource, encrypted using the password stored in - * `passwordSecretRef` or `password`. + * `passwordSecretRef`. * The keystore file will be updated immediately. * If the issuer provided a CA certificate, a file named `truststore.jks` * will also be created in the target Secret resource, encrypted using the @@ -6861,12 +4402,6 @@ export namespace cert_manager { * containing the issuing Certificate Authority */ create?: pulumi.Input; - /** - * Password provides a literal password used to encrypt the JKS keystore. - * Mutually exclusive with passwordSecretRef. - * One of password or passwordSecretRef must provide a password with a non-zero length. - */ - password?: pulumi.Input; passwordSecretRef?: pulumi.Input; } @@ -6887,7 +4422,7 @@ export namespace cert_manager { * Create enables PKCS12 keystore creation for the Certificate. * If true, a file named `keystore.p12` will be created in the target * Secret resource, encrypted using the password stored in - * `passwordSecretRef` or in `password`. + * `passwordSecretRef`. * The keystore file will be updated immediately. * If the issuer provided a CA certificate, a file named `truststore.p12` will * also be created in the target Secret resource, encrypted using the 
@@ -6895,32 +4430,25 @@ export namespace cert_manager { * Authority */ create?: pulumi.Input; - /** - * Password provides a literal password used to encrypt the PKCS#12 keystore. - * Mutually exclusive with passwordSecretRef. - * One of password or passwordSecretRef must provide a password with a non-zero length. - */ - password?: pulumi.Input; passwordSecretRef?: pulumi.Input; /** * Profile specifies the key and certificate encryption algorithms and the HMAC algorithm * used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. * + * * If provided, allowed values are: * `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. * `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. * `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms - * (e.g., because of company policy). Please note that the security of the algorithm is not that important + * (eg. because of company policy). Please note that the security of the algorithm is not that important * in reality, because the unencrypted certificate and private key are also stored in the Secret. */ profile?: pulumi.Input; } /** - * PasswordSecretRef is a reference to a non-empty key in a Secret resource - * containing the password used to encrypt the PKCS#12 keystore. - * Mutually exclusive with password. - * One of password or passwordSecretRef must provide a password with a non-zero length. + * PasswordSecretRef is a reference to a key in a Secret resource + * containing the password used to encrypt the PKCS12 keystore. */ export interface CertificateSpecKeystoresPkcs12PasswordSecretRef { /** 
@@ -6937,10 +4465,8 @@ export namespace cert_manager { } /** - * PasswordSecretRef is a reference to a non-empty key in a Secret resource - * containing the password used to encrypt the PKCS#12 keystore. - * Mutually exclusive with password. - * One of password or passwordSecretRef must provide a password with a non-zero length. + * PasswordSecretRef is a reference to a key in a Secret resource + * containing the password used to encrypt the PKCS12 keystore. */ export interface CertificateSpecKeystoresPkcs12PasswordSecretRefPatch { /** @@ -6965,7 +4491,7 @@ export namespace cert_manager { * Create enables PKCS12 keystore creation for the Certificate. * If true, a file named `keystore.p12` will be created in the target * Secret resource, encrypted using the password stored in - * `passwordSecretRef` or in `password`. + * `passwordSecretRef`. * The keystore file will be updated immediately. * If the issuer provided a CA certificate, a file named `truststore.p12` will * also be created in the target Secret resource, encrypted using the 
@@ -6973,22 +4499,17 @@ export namespace cert_manager { * Authority */ create?: pulumi.Input; - /** - * Password provides a literal password used to encrypt the PKCS#12 keystore. - * Mutually exclusive with passwordSecretRef. - * One of password or passwordSecretRef must provide a password with a non-zero length. - */ - password?: pulumi.Input; passwordSecretRef?: pulumi.Input; /** * Profile specifies the key and certificate encryption algorithms and the HMAC algorithm * used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. * + * * If provided, allowed values are: * `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. * `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. * `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms - * (e.g., because of company policy). Please note that the security of the algorithm is not that important + * (eg. because of company policy). Please note that the security of the algorithm is not that important * in reality, because the unencrypted certificate and private key are also stored in the Secret. */ profile?: pulumi.Input; @@ -6998,6 +4519,7 @@ export namespace cert_manager { * x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. * More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 * + * * This is an Alpha Feature and is only enabled with the * `--feature-gates=NameConstraints=true` option set on both * the controller and webhook components. @@ -7065,6 +4587,7 @@ export namespace cert_manager { * x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. * More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 * + * * This is an Alpha Feature and is only enabled with the * `--feature-gates=NameConstraints=true` option set on both * the controller and webhook components. 
@@ -7160,6 +4683,11 @@ export namespace cert_manager { /** * Defines extra output formats of the private key and signed certificate chain * to be written to this Certificate's target Secret. + * + * + * This is a Beta Feature enabled by default. It can be disabled with the + * `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both + * the controller and webhook components. */ additionalOutputFormats?: pulumi.Input[]>; /** @@ -7168,6 +4696,7 @@ export namespace cert_manager { * NOTE: TLS clients will ignore this value when any subject alternative name is * set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). * + * * Should have a length of 64 characters or fewer to avoid generating invalid CSRs. * Cannot be set if the `literalSubject` field is set. */ @@ -7181,6 +4710,7 @@ export namespace cert_manager { * issuer may choose to ignore the requested duration, just like any other * requested attribute. * + * * If unset, this defaults to 90 days. * Minimum accepted duration is 1 hour. * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. @@ -7193,6 +4723,7 @@ export namespace cert_manager { /** * Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR. * + * * This option defaults to true, and should only be disabled if the target * issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions. */ @@ -7207,6 +4738,7 @@ export namespace cert_manager { * resources. Note that the issuer may choose to ignore the requested isCA value, just * like any other requested attribute. * + * * If true, this will automatically add the `cert sign` usage to the list * of requested `usages`. */ 
@@ -7223,6 +4755,7 @@ export namespace cert_manager { * More info: https://github.com/cert-manager/cert-manager/issues/3203 * More info: https://github.com/cert-manager/cert-manager/issues/4424 * + * * Cannot be set if the `subject` or `commonName` field is set. */ literalSubject?: pulumi.Input; 
@@ -7242,33 +4775,17 @@ export namespace cert_manager { * 50 minutes after it was issued (i.e. when there are 10 minutes remaining until * the certificate is no longer valid). * + * * NOTE: The actual lifetime of the issued certificate is used to determine the * renewal time. If an issuer returns a certificate with a different lifetime than * the one requested, cert-manager will use the lifetime of the issued certificate. * + * * If unset, this defaults to 1/3 of the issued certificate's lifetime. * Minimum accepted value is 5 minutes. * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. - * Cannot be set if the `renewBeforePercentage` field is set. */ renewBefore?: pulumi.Input; - /** - * `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage - * rather than an absolute duration. For example, if a certificate is valid for 60 - * minutes, and `renewBeforePercentage=25`, cert-manager will begin to attempt to - * renew the certificate 45 minutes after it was issued (i.e. when there are 15 - * minutes (25%) remaining until the certificate is no longer valid). - * - * NOTE: The actual lifetime of the issued certificate is used to determine the - * renewal time. If an issuer returns a certificate with a different lifetime than - * the one requested, cert-manager will use the lifetime of the issued certificate. - * - * Value must be an integer in the range (0,100). The minimum effective - * `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5 - * minutes. - * Cannot be set if the `renewBefore` field is set. - */ - renewBeforePercentage?: pulumi.Input; /** * The maximum number of CertificateRequest revisions that are maintained in * the Certificate's history. Each revision represents a single `CertificateRequest` 
@@ -7276,8 +4793,10 @@ export namespace cert_manager { * was changed. Revisions will be removed by oldest first if the number of * revisions exceeds this number. * + * * If set, revisionHistoryLimit must be a value of `1` or greater. - * Default value is `1`. + * If unset (`nil`), revisions will not be garbage collected. + * Default value is `nil`. */ revisionHistoryLimit?: pulumi.Input; /** @@ -7288,13 +4807,6 @@ export namespace cert_manager { */ secretName?: pulumi.Input; secretTemplate?: pulumi.Input; - /** - * Signature algorithm to use. - * Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA. - * Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512. - * Allowed values for Ed25519 keys: PureEd25519. - */ - signatureAlgorithm?: pulumi.Input; subject?: pulumi.Input; /** * Requested URI subject alternative names. @@ -7306,6 +4818,7 @@ export namespace cert_manager { * resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages * will additionally be encoded in the `request` field which contains the CSR blob. * + * * If unset, defaults to `digital signature` and `key encipherment`. */ usages?: pulumi.Input[]>; @@ -7320,6 +4833,7 @@ export namespace cert_manager { * Algorithm is the private key algorithm of the corresponding private key * for this certificate. * + * * If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. * If `algorithm` is specified and `size` is not provided, * key size of 2048 will be used for `RSA` key algorithm and @@ -7331,6 +4845,7 @@ export namespace cert_manager { * The private key cryptography standards (PKCS) encoding for this * certificate's private key to be encoded in. * + * * If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 * and PKCS#8, respectively. * Defaults to `PKCS1` if not specified. 
@@ -7340,22 +4855,20 @@ export namespace cert_manager { * RotationPolicy controls how private keys should be regenerated when a * re-issuance is being processed. * + * * If set to `Never`, a private key will only be generated if one does not - * already exist in the target `spec.secretName`. If one does exist but it + * already exist in the target `spec.secretName`. If one does exists but it * does not have the correct algorithm or size, a warning will be raised * to await user intervention. * If set to `Always`, a private key matching the specified requirements * will be generated whenever a re-issuance occurs. - * Default is `Always`. - * The default was changed from `Never` to `Always` in cert-manager >=v1.18.0. - * The new default can be disabled by setting the - * `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on - * the controller component. + * Default is `Never` for backward compatibility. */ rotationPolicy?: pulumi.Input; /** * Size is the key bit size of the corresponding private key for this certificate. * + * * If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, * and will default to `2048` if not specified. * If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, @@ -7375,6 +4888,7 @@ export namespace cert_manager { * Algorithm is the private key algorithm of the corresponding private key * for this certificate. * + * * If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. * If `algorithm` is specified and `size` is not provided, * key size of 2048 will be used for `RSA` key algorithm and @@ -7386,6 +4900,7 @@ export namespace cert_manager { * The private key cryptography standards (PKCS) encoding for this * certificate's private key to be encoded in. * + * * If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 * and PKCS#8, respectively. * Defaults to `PKCS1` if not specified. 
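Review bot: The `rotationPolicy` comment at `@@ -7340,22 +4855,20 @@` now reads "Default is `Never` for backward compatibility.", replacing text that documented `Always` as the default from cert-manager v1.18.0 onward. Per this same comment, `Never` generates a private key only when none exists in `spec.secretName`, so every re-issuance reuses the existing key. Which default actually applies depends on the cert-manager version installed, which the diff does not show. Programs built on these types should therefore set `rotationPolicy: "Always"` explicitly wherever key rotation on renewal is required. The Patch variant at `@@ -7395,22 +4910,20 @@` carries the same text.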
@@ -7395,22 +4910,20 @@ export namespace cert_manager { * RotationPolicy controls how private keys should be regenerated when a * re-issuance is being processed. * + * * If set to `Never`, a private key will only be generated if one does not - * already exist in the target `spec.secretName`. If one does exist but it + * already exist in the target `spec.secretName`. If one does exists but it * does not have the correct algorithm or size, a warning will be raised * to await user intervention. * If set to `Always`, a private key matching the specified requirements * will be generated whenever a re-issuance occurs. - * Default is `Always`. - * The default was changed from `Never` to `Always` in cert-manager >=v1.18.0. - * The new default can be disabled by setting the - * `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on - * the controller component. + * Default is `Never` for backward compatibility. */ rotationPolicy?: pulumi.Input; /** * Size is the key bit size of the corresponding private key for this certificate. * + * * If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, * and will default to `2048` if not specified. * If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, @@ -7461,6 +4974,7 @@ export namespace cert_manager { * Requested set of X509 certificate subject attributes. * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 * + * * The common name attribute is specified separately in the `commonName` field. * Cannot be set if the `literalSubject` field is set. */ @@ -7503,6 +5017,7 @@ export namespace cert_manager { * Requested set of X509 certificate subject attributes. * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 * + * * The common name attribute is specified separately in the `commonName` field. * Cannot be set if the `literalSubject` field is set. */ 
@@ -7562,7 +5077,7 @@ export namespace cert_manager { */ failedIssuanceAttempts?: pulumi.Input; /** - * LastFailureTime is set only if the latest issuance for this + * LastFailureTime is set only if the lastest issuance for this * Certificate failed and contains the time of the failure. If an * issuance has failed, the delay till the next issuance will be * calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - @@ -7597,13 +5112,16 @@ export namespace cert_manager { /** * The current 'revision' of the certificate as issued. * + * * When a CertificateRequest resource is created, it will have the * `cert-manager.io/certificate-revision` set to one greater than the * current value of this field. * + * * Upon issuance, this field will be set to the value of the annotation * on the CertificateRequest resource used to issue the certificate. * + * * Persisting the value on the CertificateRequest resource allows the * certificates controller to know whether a request is part of an old * issuance or if it is part of the ongoing revision's issuance by @@ -7614,7 +5132,7 @@ export namespace cert_manager { } /** - * CertificateCondition contains condition information for a Certificate. + * CertificateCondition contains condition information for an Certificate. */ export interface CertificateStatusConditions { /** @@ -7729,7 +5247,7 @@ export namespace cert_manager { * PreferredChain is the chain to use if the ACME server outputs multiple. * PreferredChain is no guarantee that this one gets delivered by the ACME * endpoint. - * For example, for Let's Encrypt's DST cross-sign you would use: + * For example, for Let's Encrypt's DST crosssign you would use: * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. * This value picks the first certificate bundle in the combined set of * ACME default and alternative chains that has a root-most certificate with 
@@ -7737,11 +5255,6 @@ export namespace cert_manager { */ preferredChain?: pulumi.Input; privateKeySecretRef?: pulumi.Input; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile?: pulumi.Input; /** * Server is the URL used to access the ACME server's 'directory' endpoint. * For example, for Let's Encrypt's staging endpoint, you would use: @@ -7901,7 +5414,7 @@ export namespace cert_manager { * PreferredChain is the chain to use if the ACME server outputs multiple. * PreferredChain is no guarantee that this one gets delivered by the ACME * endpoint. - * For example, for Let's Encrypt's DST cross-sign you would use: + * For example, for Let's Encrypt's DST crosssign you would use: * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. * This value picks the first certificate bundle in the combined set of * ACME default and alternative chains that has a root-most certificate with @@ -7909,11 +5422,6 @@ export namespace cert_manager { */ preferredChain?: pulumi.Input; privateKeySecretRef?: pulumi.Input; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile?: pulumi.Input; /** * Server is the URL used to access the ACME server's 'directory' endpoint. * For example, for Let's Encrypt's staging endpoint, you would use: 
@@ -8280,18 +5788,14 @@ export namespace cert_manager { */ export interface ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentity { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID?: pulumi.Input; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID?: pulumi.Input; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID?: pulumi.Input; } /** @@ -8301,18 +5805,14 @@ export namespace cert_manager { */ export interface ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID?: pulumi.Input; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID?: pulumi.Input; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID?: pulumi.Input; } /** @@ -8594,10 +6094,6 @@ export namespace cert_manager { * This field is required. */ nameserver?: pulumi.Input; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol?: pulumi.Input; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -8625,10 +6121,6 @@ export namespace cert_manager { * This field is required. */ nameserver?: pulumi.Input; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol?: pulumi.Input; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -8695,32 +6187,11 @@ export namespace cert_manager { accessKeyIDSecretRef?: pulumi.Input; auth?: pulumi.Input; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID?: pulumi.Input; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. 
+ * Always set the region when using AccessKeyID and SecretAccessKey */ region?: pulumi.Input; /** 
@@ -8858,32 +6329,11 @@ export namespace cert_manager { accessKeyIDSecretRef?: pulumi.Input; auth?: pulumi.Input; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID?: pulumi.Input; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. 
+ * Always set the region when using AccessKeyID and SecretAccessKey */ region?: pulumi.Input; /** @@ -8944,7 +6394,7 @@ export namespace cert_manager { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -8960,7 +6410,7 @@ export namespace cert_manager { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName?: pulumi.Input; } @@ -8975,7 +6425,7 @@ export namespace cert_manager { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -8991,7 +6441,7 @@ export namespace cert_manager { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName?: pulumi.Input; } 
@@ -9000,7 +6450,7 @@ export namespace cert_manager { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ export interface ClusterIssuerSpecAcmeSolversHttp01 { gatewayHTTPRoute?: pulumi.Input; @@ -9026,7 +6476,6 @@ export namespace cert_manager { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs?: pulumi.Input[]>; - podTemplate?: pulumi.Input; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. @@ -9039,12 +6488,15 @@ export namespace cert_manager { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -9055,23 +6507,28 @@ export namespace cert_manager { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -9079,17 +6536,20 @@ export namespace cert_manager { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -9097,6 +6557,7 @@ export namespace cert_manager { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -9104,6 +6565,7 @@ export namespace cert_manager { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -9112,16 +6574,19 @@ export namespace cert_manager { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -9130,6 +6595,7 @@ export namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -9137,6 +6603,7 @@ export namespace cert_manager { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -9144,10 +6611,12 @@ export namespace cert_manager { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -9157,6 +6626,7 @@ export namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -9167,12 +6637,15 @@ export namespace cert_manager { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -9183,23 +6656,28 @@ export namespace cert_manager { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -9207,17 +6685,20 @@ export namespace cert_manager { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -9225,6 +6706,7 @@ export namespace cert_manager { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -9232,6 +6714,7 @@ export namespace cert_manager { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -9240,16 +6723,19 @@ export namespace cert_manager { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -9258,6 +6744,7 @@ export namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -9265,6 +6752,7 @@ export namespace cert_manager { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -9272,10 +6760,12 @@ export namespace cert_manager { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -9285,6 +6775,7 @@ export namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -9309,7 +6800,6 @@ export namespace cert_manager { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs?: pulumi.Input[]>; - podTemplate?: pulumi.Input; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. 
@@ -9317,2112 +6807,6 @@ export namespace cert_manager { serviceType?: pulumi.Input; } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate { - metadata?: pulumi.Input; - spec?: pulumi.Input; - } - - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch { - metadata?: pulumi.Input; - spec?: pulumi.Input; - } - - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. 
- * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec { - affinity?: pulumi.Input; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets?: pulumi.Input[]>; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; - /** - * If specified, the pod's service account - */ - serviceAccountName?: pulumi.Input; - /** - * If specified, the pod's tolerations. - */ - tolerations?: pulumi.Input[]>; - } - - /** - * If specified, the pod's scheduling constraints - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity { - nodeAffinity?: pulumi.Input; - podAffinity?: pulumi.Input; - podAntiAffinity?: pulumi.Input; - } - - /** - * Describes node affinity scheduling rules for the pod. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. 
- * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input; - } - - /** - * Describes node affinity scheduling rules for the pod. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input; - } - - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution { - preference?: pulumi.Input; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 
- */ - weight?: pulumi.Input; - } - - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - preference?: pulumi.Input; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight?: pulumi.Input; - } - - /** - * A node selector term, associated with the corresponding weight. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. 
- */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. 
- */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A node selector term, associated with the corresponding weight. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution { - /** - * Required. A list of node selector terms. The terms are ORed. - */ - nodeSelectorTerms?: pulumi.Input[]>; - } - - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - /** - * Required. A list of node selector terms. 
The terms are ORed. - */ - nodeSelectorTerms?: pulumi.Input[]>; - } - - /** - * If specified, the pod's scheduling constraints - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch { - nodeAffinity?: pulumi.Input; - podAffinity?: pulumi.Input; - podAntiAffinity?: pulumi.Input; - } - - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - - /** - * Describes pod affinity scheduling rules (e.g. 
co-locate this pod in the same node, zone, etc. as some other pod(s)). - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. 
- */ - weight?: pulumi.Input; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. 
- * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. 
- */ - topologyKey?: pulumi.Input; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. 
The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. 
The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. 
- */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. 
due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. 
- */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. 
- */ - topologyKey?: pulumi.Input; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. 
The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. 
The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. 
Instances of this type with an empty value here are - * almost certainly wrong. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch { - affinity?: pulumi.Input; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets?: pulumi.Input[]>; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; - /** - * If specified, the pod's service account - */ - serviceAccountName?: pulumi.Input; - /** - * If specified, the pod's tolerations. - */ - tolerations?: pulumi.Input[]>; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. 
- * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. 
- * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * If specified, the pod's security context - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. 
- * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - - /** - * If specified, the pod's security context - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. 
- * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. 
- * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. 
- */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. 
- * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type?: pulumi.Input; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type?: pulumi.Input; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect?: pulumi.Input; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key?: pulumi.Input; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator?: pulumi.Input; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds?: pulumi.Input; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value?: pulumi.Input; - } - - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect?: pulumi.Input; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. 
- * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key?: pulumi.Input; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator?: pulumi.Input; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds?: pulumi.Input; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value?: pulumi.Input; - } - /** * The ingress based HTTP01 challenge solver will solve challenges by * creating or modifying Ingress resources in order to route requests for @@ -11568,7 +6952,7 @@ export namespace cert_manager { */ export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations?: pulumi.Input<{[key: string]: pulumi.Input}>; /** @@ -11585,7 +6969,7 @@ export namespace cert_manager { */ export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations?: pulumi.Input<{[key: string]: pulumi.Input}>; /** 
@@ -11624,8 +7008,6 @@ export namespace cert_manager { * If specified, the pod's priorityClassName. */ priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; /** * If specified, the pod's service account */ @@ -12090,6 +7472,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -12101,6 +7484,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -12301,6 +7685,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -12312,6 +7697,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; 
@@ -12351,6 +7737,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -12362,6 +7749,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -12567,6 +7955,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -12578,6 +7967,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; 
@@ -12609,8 +7999,8 @@ export namespace cert_manager { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; @@ -12637,8 +8027,8 @@ export namespace cert_manager { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; @@ -12692,6 +8082,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** 
@@ -12703,6 +8094,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -12903,6 +8295,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -12914,6 +8307,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -12953,6 +8347,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** 
@@ -12964,6 +8359,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -13169,6 +8565,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -13180,6 +8577,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -13210,7 +8608,9 @@ export namespace cert_manager { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: pulumi.Input; } 
@@ -13225,7 +8625,9 @@ export namespace cert_manager { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: pulumi.Input; } @@ -13251,8 +8653,6 @@ export namespace cert_manager { * If specified, the pod's priorityClassName. */ priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; /** * If specified, the pod's service account */ 
@@ -13263,328 +8663,6 @@ export namespace cert_manager { tolerations?: pulumi.Input[]>; } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * If specified, the pod's security context - */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - - /** - * If specified, the pod's security context - */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - - /** - * The SELinux context to be applied to all containers. 
- * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type?: pulumi.Input; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. 
- */ - type?: pulumi.Input; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - /** * The pod this Toleration is attached to tolerates any taint that matches * the triple using the matching operator . @@ -13661,7 +8739,7 @@ export namespace cert_manager { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ export interface ClusterIssuerSpecAcmeSolversHttp01Patch { gatewayHTTPRoute?: pulumi.Input; @@ -13888,11 +8966,6 @@ export namespace cert_manager { * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". */ server?: pulumi.Input; - /** - * ServerName is used to verify the hostname on the returned certificates - * by the Vault server. - */ - serverName?: pulumi.Input; } /** @@ -13900,7 +8973,6 @@ export namespace cert_manager { */ export interface ClusterIssuerSpecVaultAuth { appRole?: pulumi.Input; - clientCertificate?: pulumi.Input; kubernetes?: pulumi.Input; tokenSecretRef?: pulumi.Input; } 
@@ -13981,58 +9053,6 @@ export namespace cert_manager { name?: pulumi.Input; } - /** - * ClientCertificate authenticates with Vault by presenting a client - * certificate during the request's TLS handshake. - * Works only when using HTTPS protocol. - */ - export interface ClusterIssuerSpecVaultAuthClientCertificate { - /** - * The Vault mountPath here is the mount path to use when authenticating with - * Vault. For example, setting a value to `/v1/auth/foo`, will use the path - * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - * default value "/v1/auth/cert" will be used. - */ - mountPath?: pulumi.Input; - /** - * Name of the certificate role to authenticate against. - * If not set, matching any certificate role, if available. - */ - name?: pulumi.Input; - /** - * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - * tls.crt and tls.key) used to authenticate to Vault using TLS client - * authentication. - */ - secretName?: pulumi.Input; - } - - /** - * ClientCertificate authenticates with Vault by presenting a client - * certificate during the request's TLS handshake. - * Works only when using HTTPS protocol. - */ - export interface ClusterIssuerSpecVaultAuthClientCertificatePatch { - /** - * The Vault mountPath here is the mount path to use when authenticating with - * Vault. For example, setting a value to `/v1/auth/foo`, will use the path - * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - * default value "/v1/auth/cert" will be used. - */ - mountPath?: pulumi.Input; - /** - * Name of the certificate role to authenticate against. - * If not set, matching any certificate role, if available. - */ - name?: pulumi.Input; - /** - * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - * tls.crt and tls.key) used to authenticate to Vault using TLS client - * authentication. 
- */ - secretName?: pulumi.Input; - } - /** * Kubernetes authenticates with Vault by passing the ServiceAccount * token stored in the named Secret resource to the Vault server. @@ -14156,7 +9176,6 @@ export namespace cert_manager { */ export interface ClusterIssuerSpecVaultAuthPatch { appRole?: pulumi.Input; - clientCertificate?: pulumi.Input; kubernetes?: pulumi.Input; tokenSecretRef?: pulumi.Input; } @@ -14343,11 +9362,6 @@ export namespace cert_manager { * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". */ server?: pulumi.Input; - /** - * ServerName is used to verify the hostname on the returned certificates - * by the Vault server. - */ - serverName?: pulumi.Input; } /** @@ -14374,7 +9388,7 @@ export namespace cert_manager { apiTokenSecretRef?: pulumi.Input; /** * URL is the base URL for Venafi Cloud. - * Defaults to "https://api.venafi.cloud/". + * Defaults to "https://api.venafi.cloud/v1". */ url?: pulumi.Input; } @@ -14421,7 +9435,7 @@ export namespace cert_manager { apiTokenSecretRef?: pulumi.Input; /** * URL is the base URL for Venafi Cloud. - * Defaults to "https://api.venafi.cloud/". + * Defaults to "https://api.venafi.cloud/v1". */ url?: pulumi.Input; } @@ -14454,7 +9468,6 @@ export namespace cert_manager { * is used to validate the chain. */ caBundle?: pulumi.Input; - caBundleSecretRef?: pulumi.Input; credentialsRef?: pulumi.Input; /** * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, 
@@ -14464,51 +9477,9 @@ export namespace cert_manager { } /** - * Reference to a Secret containing a base64-encoded bundle of PEM CAs - * which will be used to validate the certificate chain presented by the TPP server. - * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - * the cert-manager controller container is used to validate the TLS connection. - */ - export interface ClusterIssuerSpecVenafiTppCaBundleSecretRef { - /** - * The key of the entry in the Secret resource's `data` field to be used. - * Some instances of this field may be defaulted, in others it may be - * required. - */ - key?: pulumi.Input; - /** - * Name of the resource being referred to. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - - /** - * Reference to a Secret containing a base64-encoded bundle of PEM CAs - * which will be used to validate the certificate chain presented by the TPP server. - * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - * the cert-manager controller container is used to validate the TLS connection. - */ - export interface ClusterIssuerSpecVenafiTppCaBundleSecretRefPatch { - /** - * The key of the entry in the Secret resource's `data` field to be used. - * Some instances of this field may be defaulted, in others it may be - * required. - */ - key?: pulumi.Input; - /** - * Name of the resource being referred to. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - - /** - * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. 
- * The secret must contain the key 'access-token' for the Access Token Authentication, - * or two keys, 'username' and 'password' for the API Keys Authentication. + * CredentialsRef is a reference to a Secret containing the username and + * password for the TPP server. + * The secret must contain two keys, 'username' and 'password'. */ export interface ClusterIssuerSpecVenafiTppCredentialsRef { /** @@ -14519,9 +9490,9 @@ export namespace cert_manager { } /** - * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. - * The secret must contain the key 'access-token' for the Access Token Authentication, - * or two keys, 'username' and 'password' for the API Keys Authentication. + * CredentialsRef is a reference to a Secret containing the username and + * password for the TPP server. + * The secret must contain two keys, 'username' and 'password'. */ export interface ClusterIssuerSpecVenafiTppCredentialsRefPatch { /** @@ -14543,7 +9514,6 @@ export namespace cert_manager { * is used to validate the chain. */ caBundle?: pulumi.Input; - caBundleSecretRef?: pulumi.Input; credentialsRef?: pulumi.Input; /** * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, @@ -14704,7 +9674,7 @@ export namespace cert_manager { * PreferredChain is the chain to use if the ACME server outputs multiple. * PreferredChain is no guarantee that this one gets delivered by the ACME * endpoint. - * For example, for Let's Encrypt's DST cross-sign you would use: + * For example, for Let's Encrypt's DST crosssign you would use: * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. * This value picks the first certificate bundle in the combined set of * ACME default and alternative chains that has a root-most certificate with 
@@ -14712,11 +9682,6 @@ export namespace cert_manager { */ preferredChain?: pulumi.Input; privateKeySecretRef?: pulumi.Input; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile?: pulumi.Input; /** * Server is the URL used to access the ACME server's 'directory' endpoint. * For example, for Let's Encrypt's staging endpoint, you would use: @@ -14876,7 +9841,7 @@ export namespace cert_manager { * PreferredChain is the chain to use if the ACME server outputs multiple. * PreferredChain is no guarantee that this one gets delivered by the ACME * endpoint. - * For example, for Let's Encrypt's DST cross-sign you would use: + * For example, for Let's Encrypt's DST crosssign you would use: * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. * This value picks the first certificate bundle in the combined set of * ACME default and alternative chains that has a root-most certificate with @@ -14884,11 +9849,6 @@ export namespace cert_manager { */ preferredChain?: pulumi.Input; privateKeySecretRef?: pulumi.Input; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile?: pulumi.Input; /** * Server is the URL used to access the ACME server's 'directory' endpoint. * For example, for Let's Encrypt's staging endpoint, you would use: 
@@ -15255,18 +10215,14 @@ export namespace cert_manager { */ export interface IssuerSpecAcmeSolversDns01AzureDNSManagedIdentity { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID?: pulumi.Input; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID?: pulumi.Input; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID?: pulumi.Input; } /** @@ -15276,18 +10232,14 @@ export namespace cert_manager { */ export interface IssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID?: pulumi.Input; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID?: pulumi.Input; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID?: pulumi.Input; } /** @@ -15569,10 +10521,6 @@ export namespace cert_manager { * This field is required. */ nameserver?: pulumi.Input; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol?: pulumi.Input; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -15600,10 +10548,6 @@ export namespace cert_manager { * This field is required. */ nameserver?: pulumi.Input; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol?: pulumi.Input; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -15670,32 +10614,11 @@ export namespace cert_manager { accessKeyIDSecretRef?: pulumi.Input; auth?: pulumi.Input; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID?: pulumi.Input; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. 
+ * Always set the region when using AccessKeyID and SecretAccessKey */ region?: pulumi.Input; /** 
@@ -15833,32 +10756,11 @@ export namespace cert_manager { accessKeyIDSecretRef?: pulumi.Input; auth?: pulumi.Input; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID?: pulumi.Input; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. 
+ * Always set the region when using AccessKeyID and SecretAccessKey */ region?: pulumi.Input; /** @@ -15919,7 +10821,7 @@ export namespace cert_manager { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -15935,7 +10837,7 @@ export namespace cert_manager { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName?: pulumi.Input; } @@ -15950,7 +10852,7 @@ export namespace cert_manager { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -15966,7 +10868,7 @@ export namespace cert_manager { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName?: pulumi.Input; } 
@@ -15975,7 +10877,7 @@ export namespace cert_manager { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ export interface IssuerSpecAcmeSolversHttp01 { gatewayHTTPRoute?: pulumi.Input; @@ -16001,7 +10903,6 @@ export namespace cert_manager { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs?: pulumi.Input[]>; - podTemplate?: pulumi.Input; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. @@ -16014,12 +10915,15 @@ export namespace cert_manager { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -16030,23 +10934,28 @@ export namespace cert_manager { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -16054,17 +10963,20 @@ export namespace cert_manager { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -16072,6 +10984,7 @@ export namespace cert_manager { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -16079,6 +10992,7 @@ export namespace cert_manager { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -16087,16 +11001,19 @@ export namespace cert_manager { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -16105,6 +11022,7 @@ export namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -16112,6 +11030,7 @@ export namespace cert_manager { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -16119,10 +11038,12 @@ export namespace cert_manager { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -16132,6 +11053,7 @@ export namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -16142,12 +11064,15 @@ export namespace cert_manager { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -16158,23 +11083,28 @@ export namespace cert_manager { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -16182,17 +11112,20 @@ export namespace cert_manager { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -16200,6 +11133,7 @@ export namespace cert_manager { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -16207,6 +11141,7 @@ export namespace cert_manager { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -16215,16 +11150,19 @@ export namespace cert_manager { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -16233,6 +11171,7 @@ export namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -16240,6 +11179,7 @@ export namespace cert_manager { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -16247,10 +11187,12 @@ export namespace cert_manager { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -16260,6 +11202,7 @@ export namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -16284,7 +11227,6 @@ export namespace cert_manager { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs?: pulumi.Input[]>; - podTemplate?: pulumi.Input; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. 
@@ -16292,2112 +11234,6 @@ export namespace cert_manager { serviceType?: pulumi.Input; } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate { - metadata?: pulumi.Input; - spec?: pulumi.Input; - } - - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch { - metadata?: pulumi.Input; - spec?: pulumi.Input; - } - - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. 
- * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec { - affinity?: pulumi.Input; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets?: pulumi.Input[]>; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; - /** - * If specified, the pod's service account - */ - serviceAccountName?: pulumi.Input; - /** - * If specified, the pod's tolerations. - */ - tolerations?: pulumi.Input[]>; - } - - /** - * If specified, the pod's scheduling constraints - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity { - nodeAffinity?: pulumi.Input; - podAffinity?: pulumi.Input; - podAntiAffinity?: pulumi.Input; - } - - /** - * Describes node affinity scheduling rules for the pod. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. 
- * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input; - } - - /** - * Describes node affinity scheduling rules for the pod. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input; - } - - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution { - preference?: pulumi.Input; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 
- */ - weight?: pulumi.Input; - } - - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - preference?: pulumi.Input; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight?: pulumi.Input; - } - - /** - * A node selector term, associated with the corresponding weight. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. 
- */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. 
- */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A node selector term, associated with the corresponding weight. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution { - /** - * Required. 
A list of node selector terms. The terms are ORed. - */ - nodeSelectorTerms?: pulumi.Input[]>; - } - - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. 
- */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. 
- */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator?: pulumi.Input; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions?: pulumi.Input[]>; - /** - * A list of node selector requirements by node's fields. - */ - matchFields?: pulumi.Input[]>; - } - - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - /** - * Required. A list of node selector terms. The terms are ORed. 
- */ - nodeSelectorTerms?: pulumi.Input[]>; - } - - /** - * If specified, the pod's scheduling constraints - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch { - nodeAffinity?: pulumi.Input; - podAffinity?: pulumi.Input; - podAntiAffinity?: pulumi.Input; - } - - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
- */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. 
- */ - weight?: pulumi.Input; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. 
- * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. 
- */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. 
- */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. 
- */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. 
- */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. 
- */ - topologyKey?: pulumi.Input; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. 
- */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. 
- * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- */ - requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm?: pulumi.Input; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight?: pulumi.Input; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over the set of namespaces that the term applies to. 
- * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. 
- */ - topologyKey?: pulumi.Input; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. 
- */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector?: pulumi.Input; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys?: pulumi.Input[]>; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys?: pulumi.Input[]>; - namespaceSelector?: pulumi.Input; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces?: pulumi.Input[]>; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey?: pulumi.Input; - } - - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. 
- * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch { - affinity?: pulumi.Input; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets?: pulumi.Input[]>; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; - /** - * If specified, the pod's service account - */ - serviceAccountName?: pulumi.Input; - /** - * If specified, the pod's tolerations. - */ - tolerations?: pulumi.Input[]>; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. 
- * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. 
- * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * If specified, the pod's security context - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. 
- * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - - /** - * If specified, the pod's security context - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. 
- * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. 
- * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. 
- */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. 
- * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type?: pulumi.Input; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type?: pulumi.Input; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations { - /** - * Effect indicates the taint effect to match. 
Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect?: pulumi.Input; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key?: pulumi.Input; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator?: pulumi.Input; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds?: pulumi.Input; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value?: pulumi.Input; - } - - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect?: pulumi.Input; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key?: pulumi.Input; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. 
Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator?: pulumi.Input; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds?: pulumi.Input; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value?: pulumi.Input; - } - /** * The ingress based HTTP01 challenge solver will solve challenges by * creating or modifying Ingress resources in order to route requests for @@ -18543,7 +11379,7 @@ export namespace cert_manager { */ export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations?: pulumi.Input<{[key: string]: pulumi.Input}>; /** @@ -18560,7 +11396,7 @@ export namespace cert_manager { */ export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations?: pulumi.Input<{[key: string]: pulumi.Input}>; /** @@ -18599,8 +11435,6 @@ export namespace cert_manager { * If specified, the pod's priorityClassName. */ priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; /** * If specified, the pod's service account */ 
@@ -19065,6 +11899,7 @@ export namespace cert_manager {
 * pod labels will be ignored. The default value is empty.
 * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
 * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
 */
 matchLabelKeys?: pulumi.Input[]>;
 /**
@@ -19076,6 +11911,7 @@ export namespace cert_manager {
 * pod labels will be ignored. The default value is empty.
 * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
 * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
 */
 mismatchLabelKeys?: pulumi.Input[]>;
 namespaceSelector?: pulumi.Input;
@@ -19276,6 +12112,7 @@ export namespace cert_manager {
 * pod labels will be ignored. The default value is empty.
 * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
 * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
 */
 matchLabelKeys?: pulumi.Input[]>;
 /**
@@ -19287,6 +12124,7 @@ export namespace cert_manager {
 * pod labels will be ignored. The default value is empty.
 * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
 * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
 */
 mismatchLabelKeys?: pulumi.Input[]>;
 namespaceSelector?: pulumi.Input;
@@ -19326,6 +12164,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -19337,6 +12176,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -19542,6 +12382,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -19553,6 +12394,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; 
@@ -19584,8 +12426,8 @@ export namespace cert_manager { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; @@ -19612,8 +12454,8 @@ export namespace cert_manager { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input[]>; @@ -19667,6 +12509,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** 
@@ -19678,6 +12521,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -19878,6 +12722,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -19889,6 +12734,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -19928,6 +12774,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** 
@@ -19939,6 +12786,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -20144,6 +12992,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys?: pulumi.Input[]>; /** @@ -20155,6 +13004,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys?: pulumi.Input[]>; namespaceSelector?: pulumi.Input; @@ -20185,7 +13035,9 @@ export namespace cert_manager { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: pulumi.Input; } 
@@ -20200,7 +13052,9 @@ export namespace cert_manager { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: pulumi.Input; } @@ -20226,8 +13080,6 @@ export namespace cert_manager { * If specified, the pod's priorityClassName. */ priorityClassName?: pulumi.Input; - resources?: pulumi.Input; - securityContext?: pulumi.Input; /** * If specified, the pod's service account */ 
@@ -20238,328 +13090,6 @@ export namespace cert_manager { tolerations?: pulumi.Input[]>; } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. 
- */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * If specified, the pod's security context - */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - - /** - * If specified, the pod's security context - */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup?: pulumi.Input; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy?: pulumi.Input; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - runAsGroup?: pulumi.Input; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot?: pulumi.Input; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser?: pulumi.Input; - seLinuxOptions?: pulumi.Input; - seccompProfile?: pulumi.Input; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups?: pulumi.Input[]>; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls?: pulumi.Input[]>; - } - - /** - * The SELinux context to be applied to all containers. 
- * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level?: pulumi.Input; - /** - * Role is a SELinux role label that applies to the container. - */ - role?: pulumi.Input; - /** - * Type is a SELinux type label that applies to the container. - */ - type?: pulumi.Input; - /** - * User is a SELinux user label that applies to the container. - */ - user?: pulumi.Input; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type?: pulumi.Input; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile?: pulumi.Input; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. 
- */ - type?: pulumi.Input; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name?: pulumi.Input; - /** - * Value of a property to set - */ - value?: pulumi.Input; - } - /** * The pod this Toleration is attached to tolerates any taint that matches * the triple using the matching operator . @@ -20636,7 +13166,7 @@ export namespace cert_manager { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ export interface IssuerSpecAcmeSolversHttp01Patch { gatewayHTTPRoute?: pulumi.Input; @@ -20863,11 +13393,6 @@ export namespace cert_manager { * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". */ server?: pulumi.Input; - /** - * ServerName is used to verify the hostname on the returned certificates - * by the Vault server. - */ - serverName?: pulumi.Input; } /** @@ -20875,7 +13400,6 @@ export namespace cert_manager { */ export interface IssuerSpecVaultAuth { appRole?: pulumi.Input; - clientCertificate?: pulumi.Input; kubernetes?: pulumi.Input; tokenSecretRef?: pulumi.Input; } 
@@ -20956,58 +13480,6 @@ export namespace cert_manager { name?: pulumi.Input; } - /** - * ClientCertificate authenticates with Vault by presenting a client - * certificate during the request's TLS handshake. - * Works only when using HTTPS protocol. - */ - export interface IssuerSpecVaultAuthClientCertificate { - /** - * The Vault mountPath here is the mount path to use when authenticating with - * Vault. For example, setting a value to `/v1/auth/foo`, will use the path - * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - * default value "/v1/auth/cert" will be used. - */ - mountPath?: pulumi.Input; - /** - * Name of the certificate role to authenticate against. - * If not set, matching any certificate role, if available. - */ - name?: pulumi.Input; - /** - * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - * tls.crt and tls.key) used to authenticate to Vault using TLS client - * authentication. - */ - secretName?: pulumi.Input; - } - - /** - * ClientCertificate authenticates with Vault by presenting a client - * certificate during the request's TLS handshake. - * Works only when using HTTPS protocol. - */ - export interface IssuerSpecVaultAuthClientCertificatePatch { - /** - * The Vault mountPath here is the mount path to use when authenticating with - * Vault. For example, setting a value to `/v1/auth/foo`, will use the path - * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - * default value "/v1/auth/cert" will be used. - */ - mountPath?: pulumi.Input; - /** - * Name of the certificate role to authenticate against. - * If not set, matching any certificate role, if available. - */ - name?: pulumi.Input; - /** - * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - * tls.crt and tls.key) used to authenticate to Vault using TLS client - * authentication. 
- */ - secretName?: pulumi.Input; - } - /** * Kubernetes authenticates with Vault by passing the ServiceAccount * token stored in the named Secret resource to the Vault server. @@ -21131,7 +13603,6 @@ export namespace cert_manager { */ export interface IssuerSpecVaultAuthPatch { appRole?: pulumi.Input; - clientCertificate?: pulumi.Input; kubernetes?: pulumi.Input; tokenSecretRef?: pulumi.Input; } @@ -21318,11 +13789,6 @@ export namespace cert_manager { * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". */ server?: pulumi.Input; - /** - * ServerName is used to verify the hostname on the returned certificates - * by the Vault server. - */ - serverName?: pulumi.Input; } /** @@ -21349,7 +13815,7 @@ export namespace cert_manager { apiTokenSecretRef?: pulumi.Input; /** * URL is the base URL for Venafi Cloud. - * Defaults to "https://api.venafi.cloud/". + * Defaults to "https://api.venafi.cloud/v1". */ url?: pulumi.Input; } @@ -21396,7 +13862,7 @@ export namespace cert_manager { apiTokenSecretRef?: pulumi.Input; /** * URL is the base URL for Venafi Cloud. - * Defaults to "https://api.venafi.cloud/". + * Defaults to "https://api.venafi.cloud/v1". */ url?: pulumi.Input; } @@ -21429,7 +13895,6 @@ export namespace cert_manager { * is used to validate the chain. */ caBundle?: pulumi.Input; - caBundleSecretRef?: pulumi.Input; credentialsRef?: pulumi.Input; /** * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, 
@@ -21439,51 +13904,9 @@ export namespace cert_manager { } /** - * Reference to a Secret containing a base64-encoded bundle of PEM CAs - * which will be used to validate the certificate chain presented by the TPP server. - * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - * the cert-manager controller container is used to validate the TLS connection. - */ - export interface IssuerSpecVenafiTppCaBundleSecretRef { - /** - * The key of the entry in the Secret resource's `data` field to be used. - * Some instances of this field may be defaulted, in others it may be - * required. - */ - key?: pulumi.Input; - /** - * Name of the resource being referred to. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - - /** - * Reference to a Secret containing a base64-encoded bundle of PEM CAs - * which will be used to validate the certificate chain presented by the TPP server. - * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - * the cert-manager controller container is used to validate the TLS connection. - */ - export interface IssuerSpecVenafiTppCaBundleSecretRefPatch { - /** - * The key of the entry in the Secret resource's `data` field to be used. - * Some instances of this field may be defaulted, in others it may be - * required. - */ - key?: pulumi.Input; - /** - * Name of the resource being referred to. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name?: pulumi.Input; - } - - /** - * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. 
- * The secret must contain the key 'access-token' for the Access Token Authentication, - * or two keys, 'username' and 'password' for the API Keys Authentication. + * CredentialsRef is a reference to a Secret containing the username and + * password for the TPP server. + * The secret must contain two keys, 'username' and 'password'. */ export interface IssuerSpecVenafiTppCredentialsRef { /** @@ -21494,9 +13917,9 @@ export namespace cert_manager { } /** - * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. - * The secret must contain the key 'access-token' for the Access Token Authentication, - * or two keys, 'username' and 'password' for the API Keys Authentication. + * CredentialsRef is a reference to a Secret containing the username and + * password for the TPP server. + * The secret must contain two keys, 'username' and 'password'. */ export interface IssuerSpecVenafiTppCredentialsRefPatch { /** @@ -21518,7 +13941,6 @@ export namespace cert_manager { * is used to validate the chain. */ caBundle?: pulumi.Input; - caBundleSecretRef?: pulumi.Input; credentialsRef?: pulumi.Input; /** * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, 
@@ -21606,771 +14028,20 @@ export namespace cert_manager { export namespace gateway { export namespace v1 { - /** - * BackendTLSPolicy provides a way to configure how a Gateway - * connects to a Backend via TLS. - */ - export interface BackendTLSPolicy { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind?: pulumi.Input<"BackendTLSPolicy">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata?: pulumi.Input; - spec?: pulumi.Input; - status?: pulumi.Input; - } - - /** - * Spec defines the desired state of BackendTLSPolicy. - */ - export interface BackendTLSPolicySpec { - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * TargetRefs identifies an API object to apply the policy to. - * Only Services have Extended support. 
Implementations MAY support - * additional objects, with Implementation Specific support. - * Note that this config applies to the entire referenced resource - * by default, but this default may change in the future to provide - * a more granular application of the policy. - * - * TargetRefs must be _distinct_. This means either that: - * - * * They select different targets. If this is the case, then targetRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, and `name` must - * be unique across all targetRef entries in the BackendTLSPolicy. - * * They select different sectionNames in the same target. - * - * When more than one BackendTLSPolicy selects the same target and - * sectionName, implementations MUST determine precedence using the - * following criteria, continuing on ties: - * - * * The older policy by creation timestamp takes precedence. For - * example, a policy with a creation timestamp of "2021-07-15 - * 01:02:03" MUST be given precedence over a policy with a - * creation timestamp of "2021-07-15 01:02:04". - * * The policy appearing first in alphabetical order by {name}. - * For example, a policy named `bar` is given precedence over a - * policy named `baz`. - * - * For any BackendTLSPolicy that does not take precedence, the - * implementation MUST ensure the `Accepted` Condition is set to - * `status: False`, with Reason `Conflicted`. - * - * Support: Extended for Kubernetes Service - * - * Support: Implementation-specific for any other resource - */ - targetRefs?: pulumi.Input[]>; - validation?: pulumi.Input; - } - - /** - * Spec defines the desired state of BackendTLSPolicy. - */ - export interface BackendTLSPolicySpecPatch { - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. 
To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options?: pulumi.Input<{[key: string]: pulumi.Input}>; - /** - * TargetRefs identifies an API object to apply the policy to. - * Only Services have Extended support. Implementations MAY support - * additional objects, with Implementation Specific support. - * Note that this config applies to the entire referenced resource - * by default, but this default may change in the future to provide - * a more granular application of the policy. - * - * TargetRefs must be _distinct_. This means either that: - * - * * They select different targets. If this is the case, then targetRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, and `name` must - * be unique across all targetRef entries in the BackendTLSPolicy. - * * They select different sectionNames in the same target. - * - * When more than one BackendTLSPolicy selects the same target and - * sectionName, implementations MUST determine precedence using the - * following criteria, continuing on ties: - * - * * The older policy by creation timestamp takes precedence. For - * example, a policy with a creation timestamp of "2021-07-15 - * 01:02:03" MUST be given precedence over a policy with a - * creation timestamp of "2021-07-15 01:02:04". - * * The policy appearing first in alphabetical order by {name}. - * For example, a policy named `bar` is given precedence over a - * policy named `baz`. - * - * For any BackendTLSPolicy that does not take precedence, the - * implementation MUST ensure the `Accepted` Condition is set to - * `status: False`, with Reason `Conflicted`. 
- * - * Support: Extended for Kubernetes Service - * - * Support: Implementation-specific for any other resource - */ - targetRefs?: pulumi.Input[]>; - validation?: pulumi.Input; - } - - /** - * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a - * direct policy to. This should be used as part of Policy resources that can - * target single resources. For more information on how this policy attachment - * mode works, and a sample Policy resource, refer to the policy attachment - * documentation for Gateway API. - * - * Note: This should only be used for direct policy attachment when references - * to SectionName are actually needed. In all other cases, - * LocalPolicyTargetReference should be used. - */ - export interface BackendTLSPolicySpecTargetRefs { - /** - * Group is the group of the target resource. - */ - group?: pulumi.Input; - /** - * Kind is kind of the target resource. - */ - kind?: pulumi.Input; - /** - * Name is the name of the target resource. - */ - name?: pulumi.Input; - /** - * SectionName is the name of a section within the target resource. When - * unspecified, this targetRef targets the entire resource. In the following - * resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name - * * HTTPRoute: HTTPRouteRule name - * * Service: Port name - * - * If a SectionName is specified, but does not exist on the targeted object, - * the Policy must fail to attach, and the policy implementation should record - * a `ResolvedRefs` or similar Condition in the Policy's status. - */ - sectionName?: pulumi.Input; - } - - /** - * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a - * direct policy to. This should be used as part of Policy resources that can - * target single resources. For more information on how this policy attachment - * mode works, and a sample Policy resource, refer to the policy attachment - * documentation for Gateway API. 
- * - * Note: This should only be used for direct policy attachment when references - * to SectionName are actually needed. In all other cases, - * LocalPolicyTargetReference should be used. - */ - export interface BackendTLSPolicySpecTargetRefsPatch { - /** - * Group is the group of the target resource. - */ - group?: pulumi.Input; - /** - * Kind is kind of the target resource. - */ - kind?: pulumi.Input; - /** - * Name is the name of the target resource. - */ - name?: pulumi.Input; - /** - * SectionName is the name of a section within the target resource. When - * unspecified, this targetRef targets the entire resource. In the following - * resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name - * * HTTPRoute: HTTPRouteRule name - * * Service: Port name - * - * If a SectionName is specified, but does not exist on the targeted object, - * the Policy must fail to attach, and the policy implementation should record - * a `ResolvedRefs` or similar Condition in the Policy's status. - */ - sectionName?: pulumi.Input; - } - - /** - * Validation contains backend TLS validation configuration. - */ - export interface BackendTLSPolicySpecValidation { - /** - * CACertificateRefs contains one or more references to Kubernetes objects that - * contain a PEM-encoded TLS CA certificate bundle, which is used to - * validate a TLS handshake between the Gateway and backend Pod. - * - * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be - * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - * not both. If CACertificateRefs is empty or unspecified, the configuration for - * WellKnownCACertificates MUST be honored instead if supported by the implementation. 
- * - * A CACertificateRef is invalid if: - * - * * It refers to a resource that cannot be resolved (e.g., the referenced resource - * does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - * named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` - * and the Message of the Condition must indicate which reference is invalid and why. - * - * * It refers to an unknown or unsupported kind of resource. In this case, the Reason - * must be set to `InvalidKind` and the Message of the Condition must explain which - * kind of resource is unknown or unsupported. - * - * * It refers to a resource in another namespace. This may change in future - * spec updates. - * - * Implementations MAY choose to perform further validation of the certificate - * content (e.g., checking expiry or enforcing specific formats). In such cases, - * an implementation-specific Reason and Message must be set for the invalid reference. - * - * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - * the BackendTLSPolicy is set to `status: False`, with a Reason and Message - * that indicate the cause of the error. Connections using an invalid - * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - * response. If ALL CACertificateRefs are invalid, the implementation MUST also - * ensure the `Accepted` Condition on the BackendTLSPolicy is set to - * `status: False`, with a Reason `NoValidCACertificate`. - * - * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. - * Implementations MAY choose to support attaching multiple certificates to - * a backend, but this behavior is implementation-specific. - * - * Support: Core - An optional single reference to a Kubernetes ConfigMap, - * with the CA certificate in a key named `ca.crt`. 
- * - * Support: Implementation-specific - More than one reference, other kinds - * of resources, or a single reference that includes multiple certificates. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * Hostname is used for two purposes in the connection between Gateways and - * backends: - * - * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). - * 2. Hostname MUST be used for authentication and MUST match the certificate - * served by the matching backend, unless SubjectAltNames is specified. - * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - * but MUST NOT be used for authentication. If you want to use the value - * of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. - * - * Support: Core - */ - hostname?: pulumi.Input; - /** - * SubjectAltNames contains one or more Subject Alternative Names. - * When specified the certificate served from the backend MUST - * have at least one Subject Alternate Name matching one of the specified SubjectAltNames. - * - * Support: Extended - */ - subjectAltNames?: pulumi.Input[]>; - /** - * WellKnownCACertificates specifies whether system CA certificates may be used in - * the TLS handshake between the gateway and backend pod. - * - * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs - * must be specified with at least one entry for a valid configuration. Only one of - * CACertificateRefs or WellKnownCACertificates may be specified, not both. - * If an implementation does not support the WellKnownCACertificates field, or - * the supplied value is not recognized, the implementation MUST ensure the - * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - * a Reason `Invalid`. - * - * Support: Implementation-specific - */ - wellKnownCACertificates?: pulumi.Input; - } - - /** - * LocalObjectReference identifies an API object within the namespace of the - * referrer. 
- * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface BackendTLSPolicySpecValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "HTTPRoute" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - } - - /** - * LocalObjectReference identifies an API object within the namespace of the - * referrer. - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface BackendTLSPolicySpecValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "HTTPRoute" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - } - - /** - * Validation contains backend TLS validation configuration. - */ - export interface BackendTLSPolicySpecValidationPatch { - /** - * CACertificateRefs contains one or more references to Kubernetes objects that - * contain a PEM-encoded TLS CA certificate bundle, which is used to - * validate a TLS handshake between the Gateway and backend Pod. 
- * - * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be - * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - * not both. If CACertificateRefs is empty or unspecified, the configuration for - * WellKnownCACertificates MUST be honored instead if supported by the implementation. - * - * A CACertificateRef is invalid if: - * - * * It refers to a resource that cannot be resolved (e.g., the referenced resource - * does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - * named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` - * and the Message of the Condition must indicate which reference is invalid and why. - * - * * It refers to an unknown or unsupported kind of resource. In this case, the Reason - * must be set to `InvalidKind` and the Message of the Condition must explain which - * kind of resource is unknown or unsupported. - * - * * It refers to a resource in another namespace. This may change in future - * spec updates. - * - * Implementations MAY choose to perform further validation of the certificate - * content (e.g., checking expiry or enforcing specific formats). In such cases, - * an implementation-specific Reason and Message must be set for the invalid reference. - * - * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - * the BackendTLSPolicy is set to `status: False`, with a Reason and Message - * that indicate the cause of the error. Connections using an invalid - * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - * response. If ALL CACertificateRefs are invalid, the implementation MUST also - * ensure the `Accepted` Condition on the BackendTLSPolicy is set to - * `status: False`, with a Reason `NoValidCACertificate`. - * - * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. 
- * Implementations MAY choose to support attaching multiple certificates to - * a backend, but this behavior is implementation-specific. - * - * Support: Core - An optional single reference to a Kubernetes ConfigMap, - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific - More than one reference, other kinds - * of resources, or a single reference that includes multiple certificates. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * Hostname is used for two purposes in the connection between Gateways and - * backends: - * - * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). - * 2. Hostname MUST be used for authentication and MUST match the certificate - * served by the matching backend, unless SubjectAltNames is specified. - * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - * but MUST NOT be used for authentication. If you want to use the value - * of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. - * - * Support: Core - */ - hostname?: pulumi.Input; - /** - * SubjectAltNames contains one or more Subject Alternative Names. - * When specified the certificate served from the backend MUST - * have at least one Subject Alternate Name matching one of the specified SubjectAltNames. - * - * Support: Extended - */ - subjectAltNames?: pulumi.Input[]>; - /** - * WellKnownCACertificates specifies whether system CA certificates may be used in - * the TLS handshake between the gateway and backend pod. - * - * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs - * must be specified with at least one entry for a valid configuration. Only one of - * CACertificateRefs or WellKnownCACertificates may be specified, not both. 
- * If an implementation does not support the WellKnownCACertificates field, or - * the supplied value is not recognized, the implementation MUST ensure the - * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - * a Reason `Invalid`. - * - * Support: Implementation-specific - */ - wellKnownCACertificates?: pulumi.Input; - } - - /** - * SubjectAltName represents Subject Alternative Name. - */ - export interface BackendTLSPolicySpecValidationSubjectAltNames { - /** - * Hostname contains Subject Alternative Name specified in DNS name format. - * Required when Type is set to Hostname, ignored otherwise. - * - * Support: Core - */ - hostname?: pulumi.Input; - /** - * Type determines the format of the Subject Alternative Name. Always required. - * - * Support: Core - */ - type?: pulumi.Input; - /** - * URI contains Subject Alternative Name specified in a full URI format. - * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - * Required when Type is set to URI, ignored otherwise. - * - * Support: Core - */ - uri?: pulumi.Input; - } - - /** - * SubjectAltName represents Subject Alternative Name. - */ - export interface BackendTLSPolicySpecValidationSubjectAltNamesPatch { - /** - * Hostname contains Subject Alternative Name specified in DNS name format. - * Required when Type is set to Hostname, ignored otherwise. - * - * Support: Core - */ - hostname?: pulumi.Input; - /** - * Type determines the format of the Subject Alternative Name. Always required. - * - * Support: Core - */ - type?: pulumi.Input; - /** - * URI contains Subject Alternative Name specified in a full URI format. - * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - * Required when Type is set to URI, ignored otherwise. 
- * - * Support: Core - */ - uri?: pulumi.Input; - } - - /** - * Status defines the current state of BackendTLSPolicy. - */ - export interface BackendTLSPolicyStatus { - /** - * Ancestors is a list of ancestor resources (usually Gateways) that are - * associated with the policy, and the status of the policy with respect to - * each ancestor. When this policy attaches to a parent, the controller that - * manages the parent and the ancestors MUST add an entry to this list when - * the controller first sees the policy and SHOULD update the entry as - * appropriate when the relevant ancestor is modified. - * - * Note that choosing the relevant ancestor is left to the Policy designers; - * an important part of Policy design is designing the right object level at - * which to namespace this status. - * - * Note also that implementations MUST ONLY populate ancestor status for - * the Ancestor resources they are responsible for. Implementations MUST - * use the ControllerName field to uniquely identify the entries in this list - * that they are responsible for. - * - * Note that to achieve this, the list of PolicyAncestorStatus structs - * MUST be treated as a map with a composite key, made up of the AncestorRef - * and ControllerName fields combined. - * - * A maximum of 16 ancestors will be represented in this list. An empty list - * means the Policy is not relevant for any ancestors. - * - * If this slice is full, implementations MUST NOT add further entries. - * Instead they MUST consider the policy unimplementable and signal that - * on any related resources such as the ancestor that would be referenced - * here. For example, if this list was full on BackendTLSPolicy, no - * additional Gateways would be able to reference the Service targeted by - * the BackendTLSPolicy. - */ - ancestors?: pulumi.Input[]>; - } - - /** - * PolicyAncestorStatus describes the status of a route with respect to an - * associated Ancestor. 
- * - * Ancestors refer to objects that are either the Target of a policy or above it - * in terms of object hierarchy. For example, if a policy targets a Service, the - * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most - * useful object to place Policy status on, so we recommend that implementations - * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - * have a _very_ good reason otherwise. - * - * In the context of policy attachment, the Ancestor is used to distinguish which - * resource results in a distinct application of this policy. For example, if a policy - * targets a Service, it may have a distinct result per attached Gateway. - * - * Policies targeting the same resource may have different effects depending on the - * ancestors of those resources. For example, different Gateways targeting the same - * Service may have different capabilities, especially if they have different underlying - * implementations. - * - * For example, in BackendTLSPolicy, the Policy attaches to a Service that is - * used as a backend in a HTTPRoute that is itself attached to a Gateway. - * In this case, the relevant object for status is the Gateway, and that is the - * ancestor object referred to in this status. - * - * Note that a parent is also an ancestor, so for objects where the parent is the - * relevant object for status, this struct SHOULD still be used. - * - * This struct is intended to be used in a slice that's effectively a map, - * with a composite key made up of the AncestorRef and the ControllerName. - */ - export interface BackendTLSPolicyStatusAncestors { - ancestorRef?: pulumi.Input; - /** - * Conditions describes the status of the Policy with respect to the given Ancestor. 
- */ - conditions?: pulumi.Input[]>; - /** - * ControllerName is a domain/path string that indicates the name of the - * controller that wrote this status. This corresponds with the - * controllerName field on GatewayClass. - * - * Example: "example.net/gateway-controller". - * - * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - * valid Kubernetes names - * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - * - * Controllers MUST populate this field when writing status. Controllers should ensure that - * entries to status populated with their ControllerName are cleaned up when they are no - * longer necessary. - */ - controllerName?: pulumi.Input; - } - - /** - * AncestorRef corresponds with a ParentRef in the spec that this - * PolicyAncestorStatus struct describes the status of. - */ - export interface BackendTLSPolicyStatusAncestorsAncestorRef { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. 
For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. 
For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. - * - * Support: Extended - */ - port?: pulumi.Input; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName?: pulumi.Input; - } - - /** - * Condition contains details for one aspect of the current state of this API Resource. 
- */ - export interface BackendTLSPolicyStatusAncestorsConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime?: pulumi.Input; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message?: pulumi.Input; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration?: pulumi.Input; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason?: pulumi.Input; - /** - * status of the condition, one of True, False, Unknown. - */ - status?: pulumi.Input; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type?: pulumi.Input; - } - /** * GRPCRoute provides a way to route gRPC requests. This includes the capability * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. * Filters can be used to specify additional processing steps. Backends specify * where matching requests will be routed. * + * * GRPCRoute falls under extended support within the Gateway API. 
Within the * following specification, the word "MUST" indicates that an implementation * supporting GRPCRoute must conform to the indicated requirement, but an * implementation not supporting this route type need not follow the requirement * unless explicitly indicated. * + * * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via * ALPN. If the implementation does not support this, then it MUST set the @@ -22378,6 +14049,7 @@ export namespace gateway { * "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections * with an upgrade from HTTP/1. * + * * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST * support HTTP/2 over cleartext TCP (h2c, * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial @@ -22414,14 +14086,17 @@ export namespace gateway { * Host header to select a GRPCRoute to process the request. This matches * the RFC 1123 definition of a hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label MUST appear by itself as the first label. * + * * If a hostname is specified by both the Listener and GRPCRoute, there * MUST be at least one intersecting hostname for the GRPCRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches GRPCRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -22431,34 +14106,41 @@ export namespace gateway { * `test.example.com` and `*.example.com` would both match. On the other * hand, `example.com` and `test.example.net` would not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and GRPCRoute have specified hostnames, any * GRPCRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * GRPCRoute specified `test.example.com` and `test.example.net`, * `test.example.net` MUST NOT be considered for a match. * + * * If both the Listener and GRPCRoute have specified hostnames, and none * match with the criteria above, then the GRPCRoute MUST NOT be accepted by * the implementation. The implementation MUST raise an 'Accepted' Condition * with a status of `False` in the corresponding RouteParentStatus. * + * * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a * Listener and that listener already has another Route (B) of the other * type attached and the intersection of the hostnames of A and B is * non-empty, then the implementation MUST accept exactly one of these two * routes, determined by the following criteria, in order: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * The rejected Route MUST raise an 'Accepted' condition with a status of * 'False' in the corresponding RouteParentStatus. * + * * Support: Core */ hostnames?: pulumi.Input[]>; 
@@ -22474,16 +14156,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -22493,8 +14180,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -22502,12 +14191,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -22515,10 +14206,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -22530,21 +14223,6 @@ export namespace gateway { * Rules are a list of GRPC matchers, filters and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** @@ -22552,12 +14230,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -22568,23 +14249,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -22592,6 +14278,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -22599,10 +14286,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -22610,6 +14299,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -22617,6 +14307,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -22626,15 +14317,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -22643,6 +14337,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -22650,6 +14345,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -22657,10 +14353,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -22670,6 +14368,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -22680,12 +14379,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -22696,23 +14398,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -22720,6 +14427,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -22727,10 +14435,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -22738,6 +14448,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -22745,6 +14456,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -22754,15 +14466,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -22771,6 +14486,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -22778,6 +14494,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -22785,10 +14502,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -22798,6 +14517,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -22812,14 +14532,17 @@ export namespace gateway { * Host header to select a GRPCRoute to process the request. This matches * the RFC 1123 definition of a hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label MUST appear by itself as the first label. * + * * If a hostname is specified by both the Listener and GRPCRoute, there * MUST be at least one intersecting hostname for the GRPCRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches GRPCRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -22829,34 +14552,41 @@ export namespace gateway { * `test.example.com` and `*.example.com` would both match. On the other * hand, `example.com` and `test.example.net` would not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and GRPCRoute have specified hostnames, any * GRPCRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * GRPCRoute specified `test.example.com` and `test.example.net`, * `test.example.net` MUST NOT be considered for a match. * + * * If both the Listener and GRPCRoute have specified hostnames, and none * match with the criteria above, then the GRPCRoute MUST NOT be accepted by * the implementation. The implementation MUST raise an 'Accepted' Condition * with a status of `False` in the corresponding RouteParentStatus. * + * * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a * Listener and that listener already has another Route (B) of the other * type attached and the intersection of the hostnames of A and B is * non-empty, then the implementation MUST accept exactly one of these two * routes, determined by the following criteria, in order: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * The rejected Route MUST raise an 'Accepted' condition with a status of * 'False' in the corresponding RouteParentStatus. * + * * Support: Core */ hostnames?: pulumi.Input[]>; 
@@ -22872,16 +14602,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -22891,8 +14626,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -22900,12 +14637,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -22913,10 +14652,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -22928,21 +14669,6 @@ export namespace gateway { * Rules are a list of GRPC matchers, filters and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** 
@@ -22955,30 +14681,38 @@ export namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive an `UNAVAILABLE` status. * + * * See the GRPCBackendRef definition for the rules about what makes a single * GRPCBackendRef invalid. * + * * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive an `UNAVAILABLE` status. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. * Implementations may choose how that 50 percent is determined. * + * * Support: Core for Kubernetes Service * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs?: pulumi.Input[]>; 
@@ -22986,26 +14720,32 @@ export namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * The effects of ordering of multiple behaviors are currently unspecified. * This can change in the future based on feedback during the alpha stage. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations that support * GRPCRoute. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * - * If an implementation cannot support a combination of filters, it must clearly + * + * If an implementation can not support a combination of filters, it must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. * + * * Support: Core */ filters?: pulumi.Input[]>; @@ -23014,8 +14754,10 @@ export namespace gateway { * gRPC requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - method: 
@@ -23027,77 +14769,91 @@ export namespace gateway { * service: foo.bar.v2 * ``` * + * * For a request to match against this rule, it MUST satisfy * EITHER of the two conditions: * + * * - service of foo.bar AND contains the header `version: 2` * - service of foo.bar.v2 * + * * See the documentation for GRPCRouteMatch on how to specify multiple * match conditions to be ANDed together. * + * * If no matches are specified, the implementation MUST match every gRPC request. * + * * Proxy or Load Balancer routing configuration generated from GRPCRoutes * MUST prioritize rules based on the following criteria, continuing on * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. * Precedence MUST be given to the rule with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * * Characters in a matching service. * * Characters in a matching method. * * Header matches. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within the Route that has been given precedence, * matching precedence MUST be granted to the first matching rule meeting * the above criteria. */ matches?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; sessionPersistence?: pulumi.Input; } /** * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. 
* * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ export interface GRPCRouteSpecRulesBackendRefs { /** * Filters defined at this level MUST be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in GRPCRouteRule.) */ @@ -23111,16 +14867,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; 
@@ -23132,11 +14892,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -23156,11 +14918,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; @@ -23183,14 +14947,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations supporting GRPCRoute MUST support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by specific vendors. * In the future, filters showing convergence in behavior across multiple * implementations will be considered for inclusion in extended or core 
@@ -23198,9 +14965,11 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` MUST be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. @@ -23214,8 +14983,10 @@ export namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * Support: Implementation-specific * + * * This filter can be used multiple times within the same rule. */ export interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRef { @@ -23240,8 +15011,10 @@ export namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * Support: Implementation-specific * + * * This filter can be used multiple times within the same rule. */ export interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch { @@ -23277,14 +15050,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations supporting GRPCRoute MUST support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by specific vendors. * In the future, filters showing convergence in behavior across multiple * implementations will be considered for inclusion in extended or core 
@@ -23292,9 +15068,11 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` MUST be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. @@ -23306,6 +15084,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier { @@ -23314,15 +15093,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -23334,15 +15116,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -23352,15 +15137,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -23374,7 +15162,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -23395,7 +15184,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -23414,6 +15204,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch { @@ -23422,15 +15213,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -23442,15 +15236,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar 
@@ -23460,15 +15257,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -23482,7 +15282,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -23503,7 +15304,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -23523,49 +15325,47 @@ export namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirror { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef { @@ -23578,16 +15378,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -23599,11 +15403,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -23620,26 +15426,32 @@ export namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch { @@ -23652,16 +15464,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; 
@@ -23673,11 +15489,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -23691,59 +15509,28 @@ export namespace gateway { port?: pulumi.Input; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFraction { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier { 
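Review bot: The regenerated types drop `fraction` and `percent` from `GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch` and delete the `GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFraction` / `...FractionPatch` interfaces, which is a breaking change for any program that sets them. The same removal appears in the hunks for `GRPCRouteSpecRulesBackendRefsFiltersRequestMirror`, `GRPCRouteSpecRulesFiltersRequestMirror` and `GRPCRouteSpecRulesFiltersRequestMirrorPatch`. The removed doc comment states that when neither field is specified 100% of requests are mirrored, so a stack that relied on a lower rate can no longer express it through these types and would send a copy of every request to the mirror backend. This presumably comes from regenerating against a CRD set that lacks these fields (the `case-insensitive` to `case insensitive` wording change points the same way), not from a hand edit. Confirm the intended Gateway API CRD version and state the removal in the commit description, e.g. `Breaking: RequestMirror fraction/percent are no longer generated for GRPCRoute`.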
@@ -23752,15 +15539,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -23772,15 +15562,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -23790,15 +15583,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -23812,7 +15608,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -23833,7 +15630,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -23852,6 +15650,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch { @@ -23860,15 +15659,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -23880,15 +15682,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -23898,15 +15703,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -23920,7 +15728,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -23941,7 +15750,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -23959,31 +15769,42 @@ export namespace gateway { /** * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ export interface GRPCRouteSpecRulesBackendRefsPatch { /** * Filters defined at this level MUST be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in GRPCRouteRule.) */ 
@@ -23997,16 +15818,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -24018,11 +15843,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -24042,11 +15869,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; 
@@ -24069,14 +15898,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations supporting GRPCRoute MUST support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by specific vendors. * In the future, filters showing convergence in behavior across multiple * implementations will be considered for inclusion in extended or core @@ -24084,9 +15916,11 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` MUST be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. @@ -24100,8 +15934,10 @@ export namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * Support: Implementation-specific * + * * This filter can be used multiple times within the same rule. */ export interface GRPCRouteSpecRulesFiltersExtensionRef { @@ -24126,8 +15962,10 @@ export namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * Support: Implementation-specific * + * * This filter can be used multiple times within the same rule. */ export interface GRPCRouteSpecRulesFiltersExtensionRefPatch { 
@@ -24163,14 +16001,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations supporting GRPCRoute MUST support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by specific vendors. * In the future, filters showing convergence in behavior across multiple * implementations will be considered for inclusion in extended or core @@ -24178,9 +16019,11 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` MUST be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. @@ -24192,6 +16035,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface GRPCRouteSpecRulesFiltersRequestHeaderModifier { @@ -24200,15 +16044,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz 
@@ -24220,15 +16067,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -24238,15 +16088,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -24260,7 +16113,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24281,7 +16135,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24300,6 +16155,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch { 
@@ -24308,15 +16164,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -24328,15 +16187,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -24346,15 +16208,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -24368,7 +16233,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24389,7 +16255,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -24409,49 +16276,47 @@ export namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface GRPCRouteSpecRulesFiltersRequestMirror { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRef { 
@@ -24464,16 +16329,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -24485,11 +16354,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -24506,26 +16377,32 @@ export namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch { @@ -24538,16 +16415,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; 
@@ -24559,11 +16440,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -24577,59 +16460,28 @@ export namespace gateway { port?: pulumi.Input; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface GRPCRouteSpecRulesFiltersRequestMirrorFraction { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface GRPCRouteSpecRulesFiltersRequestMirrorFractionPatch { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface GRPCRouteSpecRulesFiltersRequestMirrorPatch { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface GRPCRouteSpecRulesFiltersResponseHeaderModifier { 
@@ -24638,15 +16490,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -24658,15 +16513,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -24676,15 +16534,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -24698,7 +16559,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24719,7 +16581,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -24738,6 +16601,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch { @@ -24746,15 +16610,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -24766,15 +16633,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -24784,15 +16654,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -24806,7 +16679,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -24827,7 +16701,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24847,9 +16722,11 @@ export namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a gRPC request only if its service * is `foo` AND it contains the `version: v1` header: * + * * ``` * matches: * - method: @@ -24859,6 +16736,7 @@ export namespace gateway { * - name: "version" * value "v1" * + * * ``` */ export interface GRPCRouteSpecRulesMatches { @@ -24879,6 +16757,7 @@ export namespace gateway { /** * Name is the name of the gRPC Header to be matched. * + * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent header name MUST be ignored. Due to the @@ -24904,6 +16783,7 @@ export namespace gateway { /** * Name is the name of the gRPC Header to be matched. * + * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent header name MUST be ignored. Due to the @@ -24930,6 +16810,7 @@ export namespace gateway { * Value of the method to match against. If left empty or omitted, will * match all services. * + * * At least one of Service and Method MUST be a non-empty string. */ method?: pulumi.Input; 
@@ -24937,6 +16818,7 @@ export namespace gateway { * Value of the service to match against. If left empty or omitted, will * match any service. * + * * At least one of Service and Method MUST be a non-empty string. */ service?: pulumi.Input; @@ -24944,8 +16826,10 @@ export namespace gateway { * Type specifies how to match against the service and/or method. * Support: Core (Exact with service and method specified) * + * * Support: Implementation-specific (Exact with method specified but no service specified) * + * * Support: Implementation-specific (RegularExpression) */ type?: pulumi.Input; @@ -24960,6 +16844,7 @@ export namespace gateway { * Value of the method to match against. If left empty or omitted, will * match all services. * + * * At least one of Service and Method MUST be a non-empty string. */ method?: pulumi.Input; @@ -24967,6 +16852,7 @@ export namespace gateway { * Value of the service to match against. If left empty or omitted, will * match any service. * + * * At least one of Service and Method MUST be a non-empty string. */ service?: pulumi.Input; @@ -24974,8 +16860,10 @@ export namespace gateway { * Type specifies how to match against the service and/or method. * Support: Core (Exact with service and method specified) * + * * Support: Implementation-specific (Exact with method specified but no service specified) * + * * Support: Implementation-specific (RegularExpression) */ type?: pulumi.Input; @@ -24986,9 +16874,11 @@ export namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a gRPC request only if its service * is `foo` AND it contains the `version: v1` header: * + * * ``` * matches: * - method: @@ -24998,6 +16888,7 @@ export namespace gateway { * - name: "version" * value "v1" * + * * ``` */ export interface GRPCRouteSpecRulesMatchesPatch { 
@@ -25020,30 +16911,38 @@ export namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive an `UNAVAILABLE` status. * + * * See the GRPCBackendRef definition for the rules about what makes a single * GRPCBackendRef invalid. * + * * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive an `UNAVAILABLE` status. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. * Implementations may choose how that 50 percent is determined. * + * * Support: Core for Kubernetes Service * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs?: pulumi.Input[]>; 
@@ -25051,26 +16950,32 @@ export namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * The effects of ordering of multiple behaviors are currently unspecified. * This can change in the future based on feedback during the alpha stage. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations that support * GRPCRoute. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * - * If an implementation cannot support a combination of filters, it must clearly + * + * If an implementation can not support a combination of filters, it must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. * + * * Support: Core */ filters?: pulumi.Input[]>; @@ -25079,8 +16984,10 @@ export namespace gateway { * gRPC requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - method: 
@@ -25092,46 +16999,49 @@ export namespace gateway { * service: foo.bar.v2 * ``` * + * * For a request to match against this rule, it MUST satisfy * EITHER of the two conditions: * + * * - service of foo.bar AND contains the header `version: 2` * - service of foo.bar.v2 * + * * See the documentation for GRPCRouteMatch on how to specify multiple * match conditions to be ANDed together. * + * * If no matches are specified, the implementation MUST match every gRPC request. * + * * Proxy or Load Balancer routing configuration generated from GRPCRoutes * MUST prioritize rules based on the following criteria, continuing on * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. * Precedence MUST be given to the rule with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * * Characters in a matching service. * * Characters in a matching method. * * Header matches. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within the Route that has been given precedence, * matching precedence MUST be granted to the first matching rule meeting * the above criteria. */ matches?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; sessionPersistence?: pulumi.Input; } @@ -25139,6 +17049,7 @@ export namespace gateway { * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ export interface GRPCRouteSpecRulesSessionPersistence { 
@@ -25147,6 +17058,7 @@ export namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout?: pulumi.Input; @@ -25156,6 +17068,7 @@ export namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout?: pulumi.Input; @@ -25165,6 +17078,7 @@ export namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName?: pulumi.Input; @@ -25173,8 +17087,10 @@ export namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type?: pulumi.Input; @@ -25184,6 +17100,7 @@ export namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ export interface GRPCRouteSpecRulesSessionPersistenceCookieConfig { @@ -25194,18 +17111,20 @@ export namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType?: pulumi.Input; @@ -25215,6 +17134,7 @@ export namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ export interface GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch { 
@@ -25225,18 +17145,20 @@ export namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType?: pulumi.Input; @@ -25246,6 +17168,7 @@ export namespace gateway { * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ export interface GRPCRouteSpecRulesSessionPersistencePatch { @@ -25254,6 +17177,7 @@ export namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout?: pulumi.Input; @@ -25263,6 +17187,7 @@ export namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout?: pulumi.Input; @@ -25272,6 +17197,7 @@ export namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName?: pulumi.Input; @@ -25280,8 +17206,10 @@ export namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type?: pulumi.Input; 
@@ -25299,11 +17227,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ @@ -25320,19 +17250,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ 
@@ -25342,12 +17276,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. @@ -25358,6 +17295,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GRPCRouteStatusParentsConditions { /** @@ -25390,6 +17343,10 @@ export namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } 
@@ -25405,23 +17362,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -25429,6 +17391,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -25436,10 +17399,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -25447,6 +17412,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -25454,6 +17420,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -25463,15 +17430,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -25480,6 +17450,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -25487,6 +17458,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -25494,10 +17466,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -25507,6 +17481,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -25537,6 +17512,7 @@ export namespace gateway { * GatewayClass describes a class of Gateways available to the user for creating * Gateway resources. * + * * It is recommended that this resource be used as a template for Gateways. This * means that a Gateway is based on the state of the GatewayClass at the time it * was created and changes to the GatewayClass or associated parameters are not @@ -25545,11 +17521,13 @@ export namespace gateway { * If implementations choose to propagate GatewayClass changes to existing * Gateways, that MUST be clearly documented by the implementation. * + * * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the * associated GatewayClass. This ensures that a GatewayClass associated with a * Gateway is not deleted while in use. * + * * GatewayClass is a Cluster level resource. */ export interface GatewayClass { 
@@ -25577,10 +17555,13 @@ export namespace gateway { * ControllerName is the name of the controller that is managing Gateways of * this class. The value of this field MUST be a domain prefixed path. * + * * Example: "example.net/gateway-controller". * + * * This field is not mutable and cannot be empty. * + * * Support: Core */ controllerName?: pulumi.Input; @@ -25596,19 +17577,21 @@ export namespace gateway { * parameters corresponding to the GatewayClass. This is optional if the * controller does not require any additional configuration. * + * * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, * or an implementation-specific custom resource. The resource can be * cluster-scoped or namespace-scoped. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the GatewayClass SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. + * + * If the referent cannot be found, the GatewayClass's "InvalidParameters" + * status condition will be true. + * * * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * + * * Support: Implementation-specific */ export interface GatewayClassSpecParametersRef { 
@@ -25637,19 +17620,21 @@ export namespace gateway { * parameters corresponding to the GatewayClass. This is optional if the * controller does not require any additional configuration. * + * * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, * or an implementation-specific custom resource. The resource can be * cluster-scoped or namespace-scoped. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the GatewayClass SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. + * + * If the referent cannot be found, the GatewayClass's "InvalidParameters" + * status condition will be true. + * * * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * + * * Support: Implementation-specific */ export interface GatewayClassSpecParametersRefPatch { @@ -25681,10 +17666,13 @@ export namespace gateway { * ControllerName is the name of the controller that is managing Gateways of * this class. The value of this field MUST be a domain prefixed path. * + * * Example: "example.net/gateway-controller". * + * * This field is not mutable and cannot be empty. * + * * Support: Core */ controllerName?: pulumi.Input; @@ -25698,6 +17686,7 @@ export namespace gateway { /** * Status defines the current state of GatewayClass. * + * * Implementations MUST populate status on all GatewayClass resources which * specify their controller name. */ 
@@ -25706,19 +17695,36 @@ export namespace gateway { * Conditions is the current status from the controller for * this GatewayClass. * + * * Controllers should prefer to publish conditions using values * of GatewayClassConditionType for the type of each Condition. */ conditions?: pulumi.Input[]>; /** * SupportedFeatures is the set of features the GatewayClass support. - * It MUST be sorted in ascending alphabetical order by the Name key. + * It MUST be sorted in ascending alphabetical order. */ - supportedFeatures?: pulumi.Input[]>; + supportedFeatures?: pulumi.Input[]>; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayClassStatusConditions { /** @@ -25751,18 +17757,14 @@ export namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } - export interface GatewayClassStatusSupportedFeatures { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. - */ - name?: pulumi.Input; - } - /** * Spec defines the desired state of Gateway. */ 
@@ -25771,7 +17773,8 @@ export namespace gateway { * Addresses requested for this Gateway. This is optional and behavior can * depend on the implementation. If a value is set in the spec and the * requested address is invalid or unavailable, the implementation MUST - * indicate this in an associated entry in GatewayStatus.Conditions. + * indicate this in the associated entry in GatewayStatus.Addresses. + * * * The Addresses field represents a request for the address(es) on the * "outside of the Gateway", that traffic bound for this Gateway will use. 
@@ -25779,38 +17782,20 @@ export namespace gateway { * other networking infrastructure, or some other address that traffic will * be sent to. * + * * If no Addresses are specified, the implementation MAY schedule the * Gateway in an implementation-specific manner, assigning an appropriate * set of Addresses. * + * * The implementation MUST bind all Listeners to every GatewayAddress that * it assigns to the Gateway and add a corresponding entry in * GatewayStatus.Addresses. * + * * Support: Extended */ addresses?: pulumi.Input[]>; - allowedListeners?: pulumi.Input; - /** - * DefaultScope, when set, configures the Gateway as a default Gateway, - * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) - * attached to it, according to the scope configured here. - * - * If unset (the default) or set to None, the Gateway will not act as a - * default Gateway; if set, the Gateway will claim any Route with a - * matching scope set in its UseDefaultGateway field, subject to the usual - * rules about which routes the Gateway can attach to. - * - * Think carefully before using this functionality! While the normal rules - * about which Route can apply are still enforced, it is simply easier for - * the wrong Route to be accidentally attached to this Gateway in this - * configuration. If the Gateway operator is not also the operator in - * control of the scope (e.g. namespace) with tight controls and checks on - * what kind of workloads and Routes get added in that scope, we strongly - * recommend not using this just because it seems convenient, and instead - * stick to direct Route attachment. - */ - defaultScope?: pulumi.Input; /** * GatewayClassName used for this Gateway. This is the name of a * GatewayClass resource. 
@@ -25822,7 +17807,6 @@ export namespace gateway { * logical endpoints that are bound on this Gateway's addresses. * At least one Listener MUST be specified. * - * ## Distinct Listeners * * Each Listener in a set of Listeners (for example, in a single Gateway) * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to 
@@ -25831,107 +17815,97 @@ export namespace gateway { * from multiple Gateways onto a single data plane, and these rules _also_ * apply in that case). * + * * Practically, this means that each listener in a set MUST have a unique * combination of Port, Protocol, and, if supported by the protocol, Hostname. * - * Some combinations of port, protocol, and TLS settings are considered - * Core support and MUST be supported by implementations based on the objects - * they support: * - * HTTPRoute + * Some combinations of port, protocol, and TLS settings are considered + * Core support and MUST be supported by implementations based on their + * targeted conformance profile: + * + * + * HTTP Profile + * * * 1. HTTPRoute, Port: 80, Protocol: HTTP * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided * - * TLSRoute + * + * TLS Profile + * * * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough * + * * "Distinct" Listeners have the following property: * - * **The implementation can match inbound requests to a single distinct - * Listener**. * - * When multiple Listeners share values for fields (for + * The implementation can match inbound requests to a single distinct + * Listener. When multiple Listeners share values for fields (for * example, two Listeners with the same Port value), the implementation * can match requests to only one of the Listeners using other * Listener fields. * - * When multiple listeners have the same value for the Protocol field, then - * each of the Listeners with matching Protocol values MUST have different - * values for other fields. * - * The set of fields that MUST be different for a Listener differs per protocol. - * The following rules define the rules for what fields MUST be considered for - * Listeners to be distinct with each protocol currently defined in the - * Gateway API spec. 
+ * For example, the following Listener scenarios are distinct: * - * The set of listeners that all share a protocol value MUST have _different_ - * values for _at least one_ of these fields to be distinct: * - * * **HTTP, HTTPS, TLS**: Port, Hostname - * * **TCP, UDP**: Port + * 1. Multiple Listeners with the same Port that all use the "HTTP" + * Protocol that all have unique Hostname values. + * 2. Multiple Listeners with the same Port that use either the "HTTPS" or + * "TLS" Protocol that all have unique Hostname values. + * 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + * with the same Protocol has the same Port value. * - * One **very** important rule to call out involves what happens when an - * implementation: * - * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - * Listeners, and - * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - * Protocol. + * Some fields in the Listener struct have possible values that affect + * whether the Listener is distinct. Hostname is particularly relevant + * for HTTP or HTTPS protocols. * - * In this case all the Listeners that share a port with the - * TCP Listener are not distinct and so MUST NOT be accepted. * - * If an implementation does not support TCP Protocol Listeners, then the - * previous rule does not apply, and the TCP Listeners SHOULD NOT be - * accepted. + * When using the Hostname value to select between same-Port, same-Protocol + * Listeners, the Hostname value must be different on each Listener for the + * Listener to be distinct. * - * Note that the `tls` field is not used for determining if a listener is distinct, because - * Listeners that _only_ differ on TLS config will still conflict in all cases. 
* - * ### Listeners that are distinct only by Hostname - * - * When the Listeners are distinct based only on Hostname, inbound request + * When the Listeners are distinct based on Hostname, inbound request * hostnames MUST match from the most specific to least specific Hostname * values to choose the correct Listener and its associated set of Routes. * - * Exact matches MUST be processed before wildcard matches, and wildcard - * matches MUST be processed before fallback (empty Hostname value) + * + * Exact matches must be processed before wildcard matches, and wildcard + * matches must be processed before fallback (empty Hostname value) * matches. For example, `"foo.example.com"` takes precedence over * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. * + * * Additionally, if there are multiple wildcard entries, more specific * wildcard entries must be processed before less specific wildcard entries. * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. - * * The precise definition here is that the higher the number of dots in the * hostname to the right of the wildcard character, the higher the precedence. * + * * The wildcard character will match any number of characters _and dots_ to * the left, however, so `"*.example.com"` will match both * `"foo.bar.example.com"` _and_ `"bar.example.com"`. * - * ## Handling indistinct Listeners * * If a set of Listeners contains Listeners that are not distinct, then those - * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + * Listeners are Conflicted, and the implementation MUST set the "Conflicted" * condition in the Listener Status to "True". * - * The words "indistinct" and "conflicted" are considered equivalent for the - * purpose of this documentation. * * Implementations MAY choose to accept a Gateway with some Conflicted * Listeners only if they only accept the partial Listener set that contains - * no Conflicted Listeners. 
+ * no Conflicted Listeners. To put this another way, implementations may + * accept a partial Listener set only if they throw out *all* the conflicting + * Listeners. No picking one of the conflicting listeners as the winner. + * This also means that the Gateway must have at least one non-conflicting + * Listener in this case, otherwise it violates the requirement that at + * least one Listener must be present. * - * Specifically, an implementation MAY accept a partial Listener set subject to - * the following rules: - * - * * The implementation MUST NOT pick one conflicting Listener as the winner. - * ALL indistinct Listeners must not be accepted for processing. - * * At least one distinct Listener MUST be present, or else the Gateway effectively - * contains _no_ Listeners, and must be rejected from processing as a whole. * * The implementation MUST set a "ListenersNotValid" condition on the * Gateway Status when the Gateway contains Conflicted Listeners whether or 
@@ -25940,52 +17914,45 @@ export namespace gateway { * Accepted. Additionally, the Listener status for those listeners SHOULD * indicate which Listeners are conflicted and not Accepted. * - * ## General Listener behavior * - * Note that, for all distinct Listeners, requests SHOULD match at most one Listener. - * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - * request to "foo.example.com" SHOULD only be routed using routes attached - * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * A Gateway's Listeners are considered "compatible" if: * - * This concept is known as "Listener Isolation", and it is an Extended feature - * of Gateway API. Implementations that do not support Listener Isolation MUST - * clearly document this, and MUST NOT claim support for the - * `GatewayHTTPListenerIsolation` feature. - * - * Implementations that _do_ support Listener Isolation SHOULD claim support - * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - * conformance tests. - * - * ## Compatible Listeners - * - * A Gateway's Listeners are considered _compatible_ if: * * 1. They are distinct. * 2. The implementation can serve them in compliance with the Addresses * requirement that all Listeners are available on all assigned * addresses. * + * * Compatible combinations in Extended support are expected to vary across * implementations. A combination that is compatible for one implementation * may not be compatible for another. * + * * For example, an implementation that cannot serve both TCP and UDP listeners * on the same address, or cannot mix HTTPS and generic TLS listens on the same port * would not consider those cases compatible, even though they are distinct. * + * + * Note that requests SHOULD match at most one Listener. 
For example, if + * Listeners are defined for "foo.example.com" and "*.example.com", a + * request to "foo.example.com" SHOULD only be routed using routes attached + * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * This concept is known as "Listener Isolation". Implementations that do + * not support Listener Isolation MUST clearly document this. + * + * * Implementations MAY merge separate Gateways onto a single set of * Addresses if all Listeners across all Gateways are compatible. * - * In a future release the MinItems=1 requirement MAY be dropped. * * Support: Core */ listeners?: pulumi.Input[]>; - tls?: pulumi.Input; } /** - * GatewaySpecAddress describes an address that can be bound to a Gateway. + * GatewayAddress describes an address that can be bound to a Gateway. */ export interface GatewaySpecAddresses { /** @@ -25993,11 +17960,9 @@ export namespace gateway { */ type?: pulumi.Input; /** - * When a value is unspecified, an implementation SHOULD automatically - * assign an address matching the requested type if possible. + * Value of the address. The validity of the values will depend + * on the type and support by the controller. * - * If an implementation does not support an empty value, they MUST set the - * "Programmed" condition in status to False with a reason of "AddressNotAssigned". * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ @@ -26005,7 +17970,7 @@ export namespace gateway { } /** - * GatewaySpecAddress describes an address that can be bound to a Gateway. + * GatewayAddress describes an address that can be bound to a Gateway. */ export interface GatewaySpecAddressesPatch { /** 
@@ -26013,182 +17978,46 @@ export namespace gateway { */ type?: pulumi.Input; /** - * When a value is unspecified, an implementation SHOULD automatically - * assign an address matching the requested type if possible. + * Value of the address. The validity of the values will depend + * on the type and support by the controller. * - * If an implementation does not support an empty value, they MUST set the - * "Programmed" condition in status to False with a reason of "AddressNotAssigned". * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value?: pulumi.Input; } - /** - * AllowedListeners defines which ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - export interface GatewaySpecAllowedListeners { - namespaces?: pulumi.Input; - } - - /** - * Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - export interface GatewaySpecAllowedListenersNamespaces { - /** - * From indicates where ListenerSets can attach to this Gateway. Possible - * values are: - * - * * Same: Only ListenerSets in the same namespace may be attached to this Gateway. - * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. - * * All: ListenerSets in all namespaces may be attached to this Gateway. - * * None: Only listeners defined in the Gateway's spec are allowed - * - * While this feature is experimental, the default value None - */ - from?: pulumi.Input; - selector?: pulumi.Input; - } - - /** - * Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - export interface GatewaySpecAllowedListenersNamespacesPatch { - /** - * From indicates where ListenerSets can attach to this Gateway. 
Possible - * values are: - * - * * Same: Only ListenerSets in the same namespace may be attached to this Gateway. - * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. - * * All: ListenerSets in all namespaces may be attached to this Gateway. - * * None: Only listeners defined in the Gateway's spec are allowed - * - * While this feature is experimental, the default value None - */ - from?: pulumi.Input; - selector?: pulumi.Input; - } - - /** - * Selector must be specified when From is set to "Selector". In that case, - * only ListenerSets in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - */ - export interface GatewaySpecAllowedListenersNamespacesSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * Selector must be specified when From is set to "Selector". In that case, - * only ListenerSets in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - */ - export interface GatewaySpecAllowedListenersNamespacesSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * AllowedListeners defines which ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. 
- */ - export interface GatewaySpecAllowedListenersPatch { - namespaces?: pulumi.Input; - } - /** * Infrastructure defines infrastructure level attributes about this Gateway instance. * - * Support: Extended + * + * Support: Core */ export interface GatewaySpecInfrastructure { /** * Annotations that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. * + * * An implementation may chose to add additional implementation-specific annotations as they see fit. * + * * Support: Extended */ annotations?: pulumi.Input<{[key: string]: pulumi.Input}>; /** * Labels that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. * For other implementations, this refers to any relevant (implementation specific) "labels" concepts. * + * * An implementation may chose to add additional implementation-specific labels as they see fit. * - * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - * change, it SHOULD clearly warn about this behavior in documentation. * * Support: Extended */ 
@@ -26201,16 +18030,14 @@ export namespace gateway { * parameters corresponding to the Gateway. This is optional if the * controller does not require any additional configuration. * + * * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis * + * * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Gateway SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. * * Support: Implementation-specific */ @@ -26234,16 +18061,14 @@ export namespace gateway { * parameters corresponding to the Gateway. This is optional if the * controller does not require any additional configuration. * + * * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis * + * * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Gateway SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. * * Support: Implementation-specific */ 
@@ -26265,30 +18090,34 @@ export namespace gateway { /** * Infrastructure defines infrastructure level attributes about this Gateway instance. * - * Support: Extended + * + * Support: Core */ export interface GatewaySpecInfrastructurePatch { /** * Annotations that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. * + * * An implementation may chose to add additional implementation-specific annotations as they see fit. * + * * Support: Extended */ annotations?: pulumi.Input<{[key: string]: pulumi.Input}>; /** * Labels that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. * For other implementations, this refers to any relevant (implementation specific) "labels" concepts. * + * * An implementation may chose to add additional implementation-specific labels as they see fit. * - * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - * change, it SHOULD clearly warn about this behavior in documentation. * * Support: Extended */ 
@@ -26308,36 +18137,18 @@ export namespace gateway { * field is ignored for protocols that don't require hostname based * matching. * + * * Implementations MUST apply Hostname matching appropriately for each of * the following protocols: * + * * * TLS: The Listener Hostname MUST match the SNI. * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - * Note that this does not require the SNI and Host header to be the same. - * The semantics of this are described in more detail below. + * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + * protocol layers as described above. If an implementation does not + * ensure that both the SNI and Host header match the Listener hostname, + * it MUST clearly document that. * - * To ensure security, Section 11.1 of RFC-6066 emphasizes that server - * implementations that rely on SNI hostname matching MUST also verify - * hostnames within the application protocol. - * - * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - * reuse of a connection by responding with the HTTP 421 Misdirected Request - * status code. This indicates that the origin server has rejected the - * request because it appears to have been misdirected. - * - * To detect misdirected requests, Gateways SHOULD match the authority of - * the requests with all the SNI hostname(s) configured across all the - * Gateway Listeners on the same port and protocol: - * - * * If another Listener has an exact match or more specific wildcard entry, - * the Gateway SHOULD return a 421. - * * If the current Listener (selected by SNI matching during ClientHello) - * does not match the Host: - * * If another Listener does match the Host the Gateway SHOULD return a - * 421. - * * If no other Listener matches the Host, the Gateway MUST return a - * 404. 
* * For HTTPRoute and TLSRoute resources, there is an interaction with the * `spec.hostnames` array. When both listener and route specify hostnames, @@ -26345,10 +18156,12 @@ export namespace gateway { * accepted. For more information, refer to the Route specific Hostnames * documentation. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * Support: Core */ hostname?: pulumi.Input; @@ -26356,6 +18169,7 @@ export namespace gateway { * Name is the name of the Listener. This name MUST be unique within a * Gateway. * + * * Support: Core */ name?: pulumi.Input; @@ -26363,12 +18177,14 @@ export namespace gateway { * Port is the network port. Multiple listeners may use the * same port, subject to the Listener compatibility rules. * + * * Support: Core */ port?: pulumi.Input; /** * Protocol specifies the network protocol this listener expects to receive. * + * * Support: Core */ protocol?: pulumi.Input; @@ -26380,10 +18196,12 @@ export namespace gateway { * Listener and the trusted namespaces where those Route resources MAY be * present. * + * * Although a client request may match multiple route rules, only one rule * may ultimately receive the request. Matching precedence MUST be * determined in order of the following criteria: * + * * * The most specific match as defined by the Route type. * * The oldest Route based on creation timestamp. For example, a Route with * a creation timestamp of "2020-09-08 01:02:03" is given precedence over 
@@ -26392,6 +18210,7 @@ export namespace gateway { * alphabetical order (namespace/name) should be given precedence. For * example, foo/bar is given precedence over foo/baz. * + * * All valid rules within a Route attached to this Listener should be * implemented. Invalid Route rules can be ignored (sometimes that will mean * the full Route). If a Route rule transitions from valid to invalid, @@ -26399,6 +18218,7 @@ export namespace gateway { * example, even if a filter specified by a Route rule is invalid, the rest * of the rules within that Route should still be supported. * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutes { @@ -26407,12 +18227,14 @@ export namespace gateway { * to this Gateway Listener. When unspecified or empty, the kinds of Routes * selected are determined using the Listener protocol. * + * * A RouteGroupKind MUST correspond to kinds of Routes that are compatible * with the application protocol specified in the Listener's Protocol field. * If an implementation does not support or recognize this resource type, it * MUST set the "ResolvedRefs" condition to False for this Listener with the * "InvalidRouteKinds" reason. * + * * Support: Core */ kinds?: pulumi.Input[]>; @@ -26451,6 +18273,7 @@ export namespace gateway { * Namespaces indicates namespaces from which Routes may be attached to this * Listener. This is restricted to the namespace of this Gateway by default. * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesNamespaces { @@ -26458,11 +18281,13 @@ export namespace gateway { * From indicates where Routes will be selected for this Gateway. Possible * values are: * + * * * All: Routes in all namespaces may be used by this Gateway. * * Selector: Routes in namespaces selected by the selector may be used by * this Gateway. * * Same: Only Routes in the same namespace may be used by this Gateway. * + * * Support: Core */ from?: pulumi.Input; 
@@ -26473,6 +18298,7 @@ export namespace gateway { * Namespaces indicates namespaces from which Routes may be attached to this * Listener. This is restricted to the namespace of this Gateway by default. * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesNamespacesPatch { @@ -26480,11 +18306,13 @@ export namespace gateway { * From indicates where Routes will be selected for this Gateway. Possible * values are: * + * * * All: Routes in all namespaces may be used by this Gateway. * * Selector: Routes in namespaces selected by the selector may be used by * this Gateway. * * Same: Only Routes in the same namespace may be used by this Gateway. * + * * Support: Core */ from?: pulumi.Input; @@ -26496,6 +18324,7 @@ export namespace gateway { * only Routes in Namespaces matching this Selector will be selected by this * Gateway. This field is ignored for other values of "From". * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesNamespacesSelector { @@ -26562,6 +18391,7 @@ export namespace gateway { * only Routes in Namespaces matching this Selector will be selected by this * Gateway. This field is ignored for other values of "From". * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch { @@ -26582,10 +18412,12 @@ export namespace gateway { * Listener and the trusted namespaces where those Route resources MAY be * present. * + * * Although a client request may match multiple route rules, only one rule * may ultimately receive the request. Matching precedence MUST be * determined in order of the following criteria: * + * * * The most specific match as defined by the Route type. * * The oldest Route based on creation timestamp. For example, a Route with * a creation timestamp of "2020-09-08 01:02:03" is given precedence over 
@@ -26594,6 +18426,7 @@ export namespace gateway { * alphabetical order (namespace/name) should be given precedence. For * example, foo/bar is given precedence over foo/baz. * + * * All valid rules within a Route attached to this Listener should be * implemented. Invalid Route rules can be ignored (sometimes that will mean * the full Route). If a Route rule transitions from valid to invalid, @@ -26601,6 +18434,7 @@ export namespace gateway { * example, even if a filter specified by a Route rule is invalid, the rest * of the rules within that Route should still be supported. * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesPatch { @@ -26609,12 +18443,14 @@ export namespace gateway { * to this Gateway Listener. When unspecified or empty, the kinds of Routes * selected are determined using the Listener protocol. * + * * A RouteGroupKind MUST correspond to kinds of Routes that are compatible * with the application protocol specified in the Listener's Protocol field. * If an implementation does not support or recognize this resource type, it * MUST set the "ResolvedRefs" condition to False for this Listener with the * "InvalidRouteKinds" reason. * + * * Support: Core */ kinds?: pulumi.Input[]>; 
@@ -26633,36 +18469,18 @@ export namespace gateway { * field is ignored for protocols that don't require hostname based * matching. * + * * Implementations MUST apply Hostname matching appropriately for each of * the following protocols: * + * * * TLS: The Listener Hostname MUST match the SNI. * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - * Note that this does not require the SNI and Host header to be the same. - * The semantics of this are described in more detail below. + * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + * protocol layers as described above. If an implementation does not + * ensure that both the SNI and Host header match the Listener hostname, + * it MUST clearly document that. * - * To ensure security, Section 11.1 of RFC-6066 emphasizes that server - * implementations that rely on SNI hostname matching MUST also verify - * hostnames within the application protocol. - * - * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - * reuse of a connection by responding with the HTTP 421 Misdirected Request - * status code. This indicates that the origin server has rejected the - * request because it appears to have been misdirected. - * - * To detect misdirected requests, Gateways SHOULD match the authority of - * the requests with all the SNI hostname(s) configured across all the - * Gateway Listeners on the same port and protocol: - * - * * If another Listener has an exact match or more specific wildcard entry, - * the Gateway SHOULD return a 421. - * * If the current Listener (selected by SNI matching during ClientHello) - * does not match the Host: - * * If another Listener does match the Host the Gateway SHOULD return a - * 421. - * * If no other Listener matches the Host, the Gateway MUST return a - * 404. 
* * For HTTPRoute and TLSRoute resources, there is an interaction with the * `spec.hostnames` array. When both listener and route specify hostnames, @@ -26670,10 +18488,12 @@ export namespace gateway { * accepted. For more information, refer to the Route specific Hostnames * documentation. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * Support: Core */ hostname?: pulumi.Input; @@ -26681,6 +18501,7 @@ export namespace gateway { * Name is the name of the Listener. This name MUST be unique within a * Gateway. * + * * Support: Core */ name?: pulumi.Input; @@ -26688,12 +18509,14 @@ export namespace gateway { * Port is the network port. Multiple listeners may use the * same port, subject to the Listener compatibility rules. * + * * Support: Core */ port?: pulumi.Input; /** * Protocol specifies the network protocol this listener expects to receive. * + * * Support: Core */ protocol?: pulumi.Input; @@ -26705,12 +18528,15 @@ export namespace gateway { * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field * if the Protocol field is "HTTP", "TCP", or "UDP". * - * The association of SNIs to Certificate defined in ListenerTLSConfig is + * + * The association of SNIs to Certificate defined in GatewayTLSConfig is * defined based on the Hostname field for this listener. * + * * The GatewayClass MUST use the longest matching SNI out of all * available certificates for any TLS handshake. * + * * Support: Core */ export interface GatewaySpecListenersTls { 
@@ -26720,31 +18546,39 @@ export namespace gateway { * establish a TLS handshake for requests that match the hostname of the * associated listener. * + * * A single CertificateRef to a Kubernetes Secret has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a Listener, but this behavior is implementation-specific. * + * * References to a resource in different namespace are invalid UNLESS there * is a ReferenceGrant in the target namespace that allows the certificate * to be attached. If a ReferenceGrant does not allow this reference, the * "ResolvedRefs" condition MUST be set to False for this listener with the * "RefNotPermitted" reason. * + * * This field is required to have at least one element when the mode is set * to "Terminate" (default) and is optional otherwise. * + * * CertificateRefs can reference to standard Kubernetes resources, i.e. * Secret, or implementation-specific custom resources. * + * * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls * + * * Support: Implementation-specific (More than one reference or other resource types) */ certificateRefs?: pulumi.Input[]>; + frontendValidation?: pulumi.Input; /** * Mode defines the TLS behavior for the TLS session initiated by the client. * There are two possible modes: * + * * - Terminate: The TLS session between the downstream client and the * Gateway is terminated at the Gateway. This mode requires certificates * to be specified in some way, such as populating the certificateRefs @@ -26754,6 +18588,7 @@ export namespace gateway { * the ClientHello message of the TLS protocol. The certificateRefs field * is ignored in this mode. * + * * Support: Core */ mode?: pulumi.Input; 
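Review bot: The added `frontendValidation` field is the only visible member of this interface without a doc comment, although it is the one that turns on client-certificate validation for the listener. I would put `/** FrontendValidation configures validation of client certificates for this listener; when set, clients must present a certificate during the TLS handshake. Support: Extended */` above it, with wording taken from the `GatewaySpecListenersTlsFrontendValidation` docstring added further down in this diff. The comment should keep the Extended support level, because an implementation may not enforce the field. The same undocumented field is added to `GatewaySpecListenersTlsPatch` in the `@@ -26870,31 +18884,39 @@` hunk. The interface body starts before this hunk and continues past it.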
@@ -26762,11 +18597,13 @@ export namespace gateway { * configuration for each implementation. For example, configuring the * minimum TLS version or supported cipher suites. * + * * A set of common keys MAY be defined by the API in the future. To avoid * any ambiguity, implementation-specific definitions MUST use * domain-prefixed names, such as `example.com/my-custom-option`. * Un-prefixed names are reserved for key names defined by Gateway API. * + * * Support: Implementation-specific */ options?: pulumi.Input<{[key: string]: pulumi.Input}>; @@ -26776,9 +18613,11 @@ export namespace gateway { * SecretObjectReference identifies an API object including its namespace, * defaulting to Secret. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. @@ -26801,11 +18640,13 @@ export namespace gateway { * Namespace is the namespace of the referenced object. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -26815,9 +18656,11 @@ export namespace gateway { * SecretObjectReference identifies an API object including its namespace, * defaulting to Secret. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. 
@@ -26840,27 +18683,198 @@ export namespace gateway { * Namespace is the namespace of the referenced object. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; } + /** + * FrontendValidation holds configuration information for validating the frontend (client). + * Setting this field will require clients to send a client certificate + * required for validation during the TLS handshake. In browsers this may result in a dialog appearing + * that requests a user to specify the client certificate. + * The maximum depth of a certificate chain accepted in verification is Implementation specific. + * + * + * Support: Extended + */ + export interface GatewaySpecListenersTlsFrontendValidation { + /** + * CACertificateRefs contains one or more references to + * Kubernetes objects that contain TLS certificates of + * the Certificate Authorities that can be used + * as a trust anchor to validate the certificates presented by the client. + * + * + * A single CA certificate reference to a Kubernetes ConfigMap + * has "Core" support. + * Implementations MAY choose to support attaching multiple CA certificates to + * a Listener, but this behavior is implementation-specific. + * + * + * Support: Core - A single reference to a Kubernetes ConfigMap + * with the CA certificate in a key named `ca.crt`. + * + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). + * + * + * References to a resource in a different namespace are invalid UNLESS there + * is a ReferenceGrant in the target namespace that allows the certificate + * to be attached. 
If a ReferenceGrant does not allow this reference, the + * "ResolvedRefs" condition MUST be set to False for this listener with the + * "RefNotPermitted" reason. + */ + caCertificateRefs?: pulumi.Input[]>; + } + + /** + * ObjectReference identifies an API object including its namespace. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + * + * + * References to objects with invalid Group and Kind are not valid, and must + * be rejected by the implementation, with appropriate Conditions set + * on the containing object. + */ + export interface GatewaySpecListenersTlsFrontendValidationCaCertificateRefs { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. For example "ConfigMap" or "Service". + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the referenced object. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace?: pulumi.Input; + } + + /** + * ObjectReference identifies an API object including its namespace. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + * + * + * References to objects with invalid Group and Kind are not valid, and must + * be rejected by the implementation, with appropriate Conditions set + * on the containing object. 
+ */ + export interface GatewaySpecListenersTlsFrontendValidationCaCertificateRefsPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. For example "ConfigMap" or "Service". + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the referenced object. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace?: pulumi.Input; + } + + /** + * FrontendValidation holds configuration information for validating the frontend (client). + * Setting this field will require clients to send a client certificate + * required for validation during the TLS handshake. In browsers this may result in a dialog appearing + * that requests a user to specify the client certificate. + * The maximum depth of a certificate chain accepted in verification is Implementation specific. + * + * + * Support: Extended + */ + export interface GatewaySpecListenersTlsFrontendValidationPatch { + /** + * CACertificateRefs contains one or more references to + * Kubernetes objects that contain TLS certificates of + * the Certificate Authorities that can be used + * as a trust anchor to validate the certificates presented by the client. + * + * + * A single CA certificate reference to a Kubernetes ConfigMap + * has "Core" support. + * Implementations MAY choose to support attaching multiple CA certificates to + * a Listener, but this behavior is implementation-specific. 
+ * + * + * Support: Core - A single reference to a Kubernetes ConfigMap + * with the CA certificate in a key named `ca.crt`. + * + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). + * + * + * References to a resource in a different namespace are invalid UNLESS there + * is a ReferenceGrant in the target namespace that allows the certificate + * to be attached. If a ReferenceGrant does not allow this reference, the + * "ResolvedRefs" condition MUST be set to False for this listener with the + * "RefNotPermitted" reason. + */ + caCertificateRefs?: pulumi.Input[]>; + } + /** * TLS is the TLS configuration for the Listener. This field is required if * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field * if the Protocol field is "HTTP", "TCP", or "UDP". * - * The association of SNIs to Certificate defined in ListenerTLSConfig is + * + * The association of SNIs to Certificate defined in GatewayTLSConfig is * defined based on the Hostname field for this listener. * + * * The GatewayClass MUST use the longest matching SNI out of all * available certificates for any TLS handshake. * + * * Support: Core */ export interface GatewaySpecListenersTlsPatch { 
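Review bot: `caCertificateRefs` is declared optional in `GatewaySpecListenersTlsFrontendValidation`, so `frontendValidation: {}` type-checks. That contradicts the docstring, which says the field holds one or more CA references and that setting `frontendValidation` makes client certificates required. The visible text does not say what a listener does with no trust anchor; that is presumably left to CRD validation or to the implementation. I would add to the `caCertificateRefs` docstring: `* At least one reference is expected; an empty list leaves no trust anchor to validate client certificates against.` The same applies to `GatewaySpecListenersTlsFrontendValidationPatch` in this hunk, and the trailing `GatewaySpecListenersTlsPatch` docstring belongs to an interface whose body continues in the next hunk.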
@@ -26870,31 +18884,39 @@ export namespace gateway { * establish a TLS handshake for requests that match the hostname of the * associated listener. * + * * A single CertificateRef to a Kubernetes Secret has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a Listener, but this behavior is implementation-specific. * + * * References to a resource in different namespace are invalid UNLESS there * is a ReferenceGrant in the target namespace that allows the certificate * to be attached. If a ReferenceGrant does not allow this reference, the * "ResolvedRefs" condition MUST be set to False for this listener with the * "RefNotPermitted" reason. * + * * This field is required to have at least one element when the mode is set * to "Terminate" (default) and is optional otherwise. * + * * CertificateRefs can reference to standard Kubernetes resources, i.e. * Secret, or implementation-specific custom resources. * + * * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls * + * * Support: Implementation-specific (More than one reference or other resource types) */ certificateRefs?: pulumi.Input[]>; + frontendValidation?: pulumi.Input; /** * Mode defines the TLS behavior for the TLS session initiated by the client. * There are two possible modes: * + * * - Terminate: The TLS session between the downstream client and the * Gateway is terminated at the Gateway. This mode requires certificates * to be specified in some way, such as populating the certificateRefs @@ -26904,6 +18926,7 @@ export namespace gateway { * the ClientHello message of the TLS protocol. The certificateRefs field * is ignored in this mode. * + * * Support: Core */ mode?: pulumi.Input; 
@@ -26912,11 +18935,13 @@ export namespace gateway { * configuration for each implementation. For example, configuring the * minimum TLS version or supported cipher suites. * + * * A set of common keys MAY be defined by the API in the future. To avoid * any ambiguity, implementation-specific definitions MUST use * domain-prefixed names, such as `example.com/my-custom-option`. * Un-prefixed names are reserved for key names defined by Gateway API. * + * * Support: Implementation-specific */ options?: pulumi.Input<{[key: string]: pulumi.Input}>; @@ -26930,7 +18955,8 @@ export namespace gateway { * Addresses requested for this Gateway. This is optional and behavior can * depend on the implementation. If a value is set in the spec and the * requested address is invalid or unavailable, the implementation MUST - * indicate this in an associated entry in GatewayStatus.Conditions. + * indicate this in the associated entry in GatewayStatus.Addresses. + * * * The Addresses field represents a request for the address(es) on the * "outside of the Gateway", that traffic bound for this Gateway will use. 
@@ -26938,38 +18964,20 @@ export namespace gateway { * other networking infrastructure, or some other address that traffic will * be sent to. * + * * If no Addresses are specified, the implementation MAY schedule the * Gateway in an implementation-specific manner, assigning an appropriate * set of Addresses. * + * * The implementation MUST bind all Listeners to every GatewayAddress that * it assigns to the Gateway and add a corresponding entry in * GatewayStatus.Addresses. * + * * Support: Extended */ addresses?: pulumi.Input[]>; - allowedListeners?: pulumi.Input; - /** - * DefaultScope, when set, configures the Gateway as a default Gateway, - * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) - * attached to it, according to the scope configured here. - * - * If unset (the default) or set to None, the Gateway will not act as a - * default Gateway; if set, the Gateway will claim any Route with a - * matching scope set in its UseDefaultGateway field, subject to the usual - * rules about which routes the Gateway can attach to. - * - * Think carefully before using this functionality! While the normal rules - * about which Route can apply are still enforced, it is simply easier for - * the wrong Route to be accidentally attached to this Gateway in this - * configuration. If the Gateway operator is not also the operator in - * control of the scope (e.g. namespace) with tight controls and checks on - * what kind of workloads and Routes get added in that scope, we strongly - * recommend not using this just because it seems convenient, and instead - * stick to direct Route attachment. - */ - defaultScope?: pulumi.Input; /** * GatewayClassName used for this Gateway. This is the name of a * GatewayClass resource. 
@@ -26981,7 +18989,6 @@ export namespace gateway { * logical endpoints that are bound on this Gateway's addresses. * At least one Listener MUST be specified. * - * ## Distinct Listeners * * Each Listener in a set of Listeners (for example, in a single Gateway) * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to 
@@ -26990,107 +18997,97 @@ export namespace gateway { * from multiple Gateways onto a single data plane, and these rules _also_ * apply in that case). * + * * Practically, this means that each listener in a set MUST have a unique * combination of Port, Protocol, and, if supported by the protocol, Hostname. * - * Some combinations of port, protocol, and TLS settings are considered - * Core support and MUST be supported by implementations based on the objects - * they support: * - * HTTPRoute + * Some combinations of port, protocol, and TLS settings are considered + * Core support and MUST be supported by implementations based on their + * targeted conformance profile: + * + * + * HTTP Profile + * * * 1. HTTPRoute, Port: 80, Protocol: HTTP * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided * - * TLSRoute + * + * TLS Profile + * * * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough * + * * "Distinct" Listeners have the following property: * - * **The implementation can match inbound requests to a single distinct - * Listener**. * - * When multiple Listeners share values for fields (for + * The implementation can match inbound requests to a single distinct + * Listener. When multiple Listeners share values for fields (for * example, two Listeners with the same Port value), the implementation * can match requests to only one of the Listeners using other * Listener fields. * - * When multiple listeners have the same value for the Protocol field, then - * each of the Listeners with matching Protocol values MUST have different - * values for other fields. * - * The set of fields that MUST be different for a Listener differs per protocol. - * The following rules define the rules for what fields MUST be considered for - * Listeners to be distinct with each protocol currently defined in the - * Gateway API spec. 
+ * For example, the following Listener scenarios are distinct: * - * The set of listeners that all share a protocol value MUST have _different_ - * values for _at least one_ of these fields to be distinct: * - * * **HTTP, HTTPS, TLS**: Port, Hostname - * * **TCP, UDP**: Port + * 1. Multiple Listeners with the same Port that all use the "HTTP" + * Protocol that all have unique Hostname values. + * 2. Multiple Listeners with the same Port that use either the "HTTPS" or + * "TLS" Protocol that all have unique Hostname values. + * 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + * with the same Protocol has the same Port value. * - * One **very** important rule to call out involves what happens when an - * implementation: * - * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - * Listeners, and - * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - * Protocol. + * Some fields in the Listener struct have possible values that affect + * whether the Listener is distinct. Hostname is particularly relevant + * for HTTP or HTTPS protocols. * - * In this case all the Listeners that share a port with the - * TCP Listener are not distinct and so MUST NOT be accepted. * - * If an implementation does not support TCP Protocol Listeners, then the - * previous rule does not apply, and the TCP Listeners SHOULD NOT be - * accepted. + * When using the Hostname value to select between same-Port, same-Protocol + * Listeners, the Hostname value must be different on each Listener for the + * Listener to be distinct. * - * Note that the `tls` field is not used for determining if a listener is distinct, because - * Listeners that _only_ differ on TLS config will still conflict in all cases. 
* - * ### Listeners that are distinct only by Hostname - * - * When the Listeners are distinct based only on Hostname, inbound request + * When the Listeners are distinct based on Hostname, inbound request * hostnames MUST match from the most specific to least specific Hostname * values to choose the correct Listener and its associated set of Routes. * - * Exact matches MUST be processed before wildcard matches, and wildcard - * matches MUST be processed before fallback (empty Hostname value) + * + * Exact matches must be processed before wildcard matches, and wildcard + * matches must be processed before fallback (empty Hostname value) * matches. For example, `"foo.example.com"` takes precedence over * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. * + * * Additionally, if there are multiple wildcard entries, more specific * wildcard entries must be processed before less specific wildcard entries. * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. - * * The precise definition here is that the higher the number of dots in the * hostname to the right of the wildcard character, the higher the precedence. * + * * The wildcard character will match any number of characters _and dots_ to * the left, however, so `"*.example.com"` will match both * `"foo.bar.example.com"` _and_ `"bar.example.com"`. * - * ## Handling indistinct Listeners * * If a set of Listeners contains Listeners that are not distinct, then those - * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + * Listeners are Conflicted, and the implementation MUST set the "Conflicted" * condition in the Listener Status to "True". * - * The words "indistinct" and "conflicted" are considered equivalent for the - * purpose of this documentation. * * Implementations MAY choose to accept a Gateway with some Conflicted * Listeners only if they only accept the partial Listener set that contains - * no Conflicted Listeners. 
+ * no Conflicted Listeners. To put this another way, implementations may + * accept a partial Listener set only if they throw out *all* the conflicting + * Listeners. No picking one of the conflicting listeners as the winner. + * This also means that the Gateway must have at least one non-conflicting + * Listener in this case, otherwise it violates the requirement that at + * least one Listener must be present. * - * Specifically, an implementation MAY accept a partial Listener set subject to - * the following rules: - * - * * The implementation MUST NOT pick one conflicting Listener as the winner. - * ALL indistinct Listeners must not be accepted for processing. - * * At least one distinct Listener MUST be present, or else the Gateway effectively - * contains _no_ Listeners, and must be rejected from processing as a whole. * * The implementation MUST set a "ListenersNotValid" condition on the * Gateway Status when the Gateway contains Conflicted Listeners whether or 
@@ -27099,656 +19096,41 @@ export namespace gateway { * Accepted. Additionally, the Listener status for those listeners SHOULD * indicate which Listeners are conflicted and not Accepted. * - * ## General Listener behavior * - * Note that, for all distinct Listeners, requests SHOULD match at most one Listener. - * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - * request to "foo.example.com" SHOULD only be routed using routes attached - * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * A Gateway's Listeners are considered "compatible" if: * - * This concept is known as "Listener Isolation", and it is an Extended feature - * of Gateway API. Implementations that do not support Listener Isolation MUST - * clearly document this, and MUST NOT claim support for the - * `GatewayHTTPListenerIsolation` feature. - * - * Implementations that _do_ support Listener Isolation SHOULD claim support - * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - * conformance tests. - * - * ## Compatible Listeners - * - * A Gateway's Listeners are considered _compatible_ if: * * 1. They are distinct. * 2. The implementation can serve them in compliance with the Addresses * requirement that all Listeners are available on all assigned * addresses. * + * * Compatible combinations in Extended support are expected to vary across * implementations. A combination that is compatible for one implementation * may not be compatible for another. * + * * For example, an implementation that cannot serve both TCP and UDP listeners * on the same address, or cannot mix HTTPS and generic TLS listens on the same port * would not consider those cases compatible, even though they are distinct. * + * + * Note that requests SHOULD match at most one Listener. 
For example, if + * Listeners are defined for "foo.example.com" and "*.example.com", a + * request to "foo.example.com" SHOULD only be routed using routes attached + * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * This concept is known as "Listener Isolation". Implementations that do + * not support Listener Isolation MUST clearly document this. + * + * * Implementations MAY merge separate Gateways onto a single set of * Addresses if all Listeners across all Gateways are compatible. * - * In a future release the MinItems=1 requirement MAY be dropped. * * Support: Core */ listeners?: pulumi.Input[]>; - tls?: pulumi.Input; - } - - /** - * TLS specifies frontend and backend tls configuration for entire gateway. - * - * Support: Extended - */ - export interface GatewaySpecTls { - backend?: pulumi.Input; - frontend?: pulumi.Input; - } - - /** - * Backend describes TLS configuration for gateway when connecting - * to backends. - * - * Note that this contains only details for the Gateway as a TLS client, - * and does _not_ imply behavior about how to choose which backend should - * get a TLS connection. That is determined by the presence of a BackendTLSPolicy. - * - * Support: Core - */ - export interface GatewaySpecTlsBackend { - clientCertificateRef?: pulumi.Input; - } - - /** - * ClientCertificateRef is a reference to an object that contains a Client - * Certificate and the associated private key. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * ClientCertificateRef can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. 
- * - * Support: Core - */ - export interface GatewaySpecTlsBackendClientCertificateRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - - /** - * ClientCertificateRef is a reference to an object that contains a Client - * Certificate and the associated private key. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * ClientCertificateRef can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - */ - export interface GatewaySpecTlsBackendClientCertificateRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. 
When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - - /** - * Backend describes TLS configuration for gateway when connecting - * to backends. - * - * Note that this contains only details for the Gateway as a TLS client, - * and does _not_ imply behavior about how to choose which backend should - * get a TLS connection. That is determined by the presence of a BackendTLSPolicy. - * - * Support: Core - */ - export interface GatewaySpecTlsBackendPatch { - clientCertificateRef?: pulumi.Input; - } - - /** - * Frontend describes TLS config when client connects to Gateway. - * Support: Core - */ - export interface GatewaySpecTlsFrontend { - default?: pulumi.Input; - /** - * PerPort specifies tls configuration assigned per port. - * Per port configuration is optional. Once set this configuration overrides - * the default configuration for all Listeners handling HTTPS traffic - * that match this port. - * Each override port requires a unique TLS configuration. - * - * support: Core - */ - perPort?: pulumi.Input[]>; - } - - /** - * Default specifies the default client certificate validation configuration - * for all Listeners handling HTTPS traffic, unless a per-port configuration - * is defined. - * - * support: Core - */ - export interface GatewaySpecTlsFrontendDefault { - validation?: pulumi.Input; - } - - /** - * Default specifies the default client certificate validation configuration - * for all Listeners handling HTTPS traffic, unless a per-port configuration - * is defined. 
- * - * support: Core - */ - export interface GatewaySpecTlsFrontendDefaultPatch { - validation?: pulumi.Input; - } - - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendDefaultValidation { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * FrontendValidationMode defines the mode for validating the client certificate. 
- * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode?: pulumi.Input; - } - - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. 
- * - * Support: Core - */ - namespace?: pulumi.Input; - } - - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. 
- * - * Support: Core - */ - export interface GatewaySpecTlsFrontendDefaultValidationPatch { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. 
- * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode?: pulumi.Input; - } - - /** - * Frontend describes TLS config when client connects to Gateway. - * Support: Core - */ - export interface GatewaySpecTlsFrontendPatch { - default?: pulumi.Input; - /** - * PerPort specifies tls configuration assigned per port. - * Per port configuration is optional. Once set this configuration overrides - * the default configuration for all Listeners handling HTTPS traffic - * that match this port. - * Each override port requires a unique TLS configuration. - * - * support: Core - */ - perPort?: pulumi.Input[]>; - } - - export interface GatewaySpecTlsFrontendPerPort { - /** - * The Port indicates the Port Number to which the TLS configuration will be - * applied. This configuration will be applied to all Listeners handling HTTPS - * traffic that match this port. - * - * Support: Core - */ - port?: pulumi.Input; - tls?: pulumi.Input; - } - - export interface GatewaySpecTlsFrontendPerPortPatch { - /** - * The Port indicates the Port Number to which the TLS configuration will be - * applied. This configuration will be applied to all Listeners handling HTTPS - * traffic that match this port. - * - * Support: Core - */ - port?: pulumi.Input; - tls?: pulumi.Input; - } - - /** - * TLS store the configuration that will be applied to all Listeners handling - * HTTPS traffic and matching given port. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendPerPortTls { - validation?: pulumi.Input; - } - - /** - * TLS store the configuration that will be applied to all Listeners handling - * HTTPS traffic and matching given port. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendPerPortTlsPatch { - validation?: pulumi.Input; - } - - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. 
- * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendPerPortTlsValidation { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. 
- * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode?: pulumi.Input; - } - - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. 
- */ - export interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendPerPortTlsValidationPatch { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. 
- * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode?: pulumi.Input; - } - - /** - * TLS specifies frontend and backend tls configuration for entire gateway. - * - * Support: Extended - */ - export interface GatewaySpecTlsPatch { - backend?: pulumi.Input; - frontend?: pulumi.Input; } /** 
@@ -27759,9 +19141,11 @@ export namespace gateway { * Addresses lists the network addresses that have been bound to the * Gateway. * + * * This list may differ from the addresses provided in the spec under some * conditions: * + * * * no addresses are specified, all addresses are dynamically assigned * * a combination of specified and dynamic addresses are assigned * * a specified address was unusable (e.g. already in use) @@ -27770,13 +19154,16 @@ export namespace gateway { /** * Conditions describe the current conditions of the Gateway. * + * * Implementations should prefer to express Gateway conditions * using the `GatewayConditionType` and `GatewayConditionReason` * constants so that operators and tools can converge on a common * vocabulary to describe Gateway state. * + * * Known condition types are: * + * * * "Accepted" * * "Programmed" * * "Ready" @@ -27800,6 +19187,7 @@ export namespace gateway { * Value of the address. The validity of the values will depend * on the type and support by the controller. * + * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value?: pulumi.Input; @@ -27807,6 +19195,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayStatusConditions { /** 
@@ -27839,6 +19243,10 @@ export namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } @@ -27851,6 +19259,7 @@ export namespace gateway { * AttachedRoutes represents the total number of Routes that have been * successfully attached to this Listener. * + * * Successful attachment of a Route to a Listener is based solely on the * combination of the AllowedRoutes field on the corresponding Listener * and the Route's ParentRefs field. A Route is successfully attached to @@ -27863,6 +19272,7 @@ export namespace gateway { * for Listeners with condition Accepted: false and MUST count successfully * attached Routes that may themselves have Accepted: false conditions. * + * * Uses for this field include troubleshooting Route attachment and * measuring blast radius/impact of changes to a Listener. */ @@ -27880,6 +19290,7 @@ export namespace gateway { * listener. This MUST represent the kinds an implementation supports for * that Listener configuration. * + * * If kinds are specified in Spec that are not supported, they MUST NOT * appear in this list and an implementation MUST set the "ResolvedRefs" * condition to "False" with the "InvalidRouteKinds" reason. If both valid 
@@ -27891,6 +19302,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayStatusListenersConditions { /** @@ -27923,6 +19350,10 @@ export namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } 
@@ -27975,17 +19406,21 @@ export namespace gateway { * performing a match and (absent of any applicable header modification * configuration) MUST forward this header unmodified to the backend. * + * * Valid values for Hostnames are determined by RFC 1123 definition of a * hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and HTTPRoute, there * must be at least one intersecting hostname for the HTTPRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches HTTPRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -27996,31 +19431,38 @@ export namespace gateway { * all match. On the other hand, `example.com` and `test.example.net` would * not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and HTTPRoute have specified hostnames, any * HTTPRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * HTTPRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and HTTPRoute have specified hostnames, and none * match with the criteria above, then the HTTPRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. * overlapping wildcard matching and exact matching hostnames), precedence must * be given to rules from the HTTPRoute with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * + * * If ties exist across multiple Routes, the matching precedence rules for * HTTPRouteMatches takes over. * + * * Support: Core */ hostnames?: pulumi.Input[]>; 
@@ -28036,16 +19478,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -28055,8 +19502,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -28064,12 +19513,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -28077,10 +19528,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -28092,21 +19545,6 @@ export namespace gateway { * Rules are a list of HTTP matchers, filters and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** @@ -28114,12 +19552,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -28130,23 +19571,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -28154,6 +19600,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -28161,10 +19608,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -28172,6 +19621,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -28179,6 +19629,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -28188,15 +19639,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -28205,6 +19659,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -28212,6 +19667,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -28219,10 +19675,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -28232,6 +19690,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -28242,12 +19701,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -28258,23 +19720,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -28282,6 +19749,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -28289,10 +19757,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -28300,6 +19770,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -28307,6 +19778,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -28316,15 +19788,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -28333,6 +19808,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -28340,6 +19816,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -28347,10 +19824,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -28360,6 +19839,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -28376,17 +19856,21 @@ export namespace gateway { * performing a match and (absent of any applicable header modification * configuration) MUST forward this header unmodified to the backend. * + * * Valid values for Hostnames are determined by RFC 1123 definition of a * hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and HTTPRoute, there * must be at least one intersecting hostname for the HTTPRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches HTTPRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -28397,31 +19881,38 @@ export namespace gateway { * all match. On the other hand, `example.com` and `test.example.net` would * not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and HTTPRoute have specified hostnames, any * HTTPRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * HTTPRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and HTTPRoute have specified hostnames, and none * match with the criteria above, then the HTTPRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. * overlapping wildcard matching and exact matching hostnames), precedence must * be given to rules from the HTTPRoute with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * + * * If ties exist across multiple Routes, the matching precedence rules for * HTTPRouteMatches takes over. * + * * Support: Core */ hostnames?: pulumi.Input[]>; 
@@ -28437,16 +19928,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -28456,8 +19952,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -28465,12 +19963,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -28478,10 +19978,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -28493,21 +19995,6 @@ export namespace gateway { * Rules are a list of HTTP matchers, filters and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** 
@@ -28520,37 +20007,41 @@ export namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive a 500 status code. * + * * See the HTTPBackendRef definition for the rules about what makes a single * HTTPBackendRef invalid. * + * * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive a 500 status code. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic must receive a 500. Implementations may * choose how that 50 percent is determined. * - * When a HTTPBackendRef refers to a Service that has no ready endpoints, - * implementations SHOULD return a 503 for requests to that backend instead. - * If an implementation chooses to do this, all of the above rules for 500 responses - * MUST also apply for responses that return a 503. * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs?: pulumi.Input[]>; 
@@ -28558,38 +20049,46 @@ export namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * Wherever possible, implementations SHOULD implement filters in the order * they are specified. * + * * Implementations MAY choose to implement this ordering strictly, rejecting - * any combination or order of filters that cannot be supported. If implementations + * any combination or order of filters that can not be supported. If implementations * choose a strict interpretation of filter ordering, they MUST clearly document * that behavior. * + * * To reject an invalid combination or order of filters, implementations SHOULD * consider the Route Rules with this configuration invalid. If all Route Rules * in a Route are invalid, the entire Route would be considered invalid. If only * a portion of Route Rules are invalid, implementations MUST set the * "PartiallyInvalid" condition for the Route. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * + * * All filters are expected to be compatible with each other except for the * URLRewrite and RequestRedirect filters, which may not be combined. If an - * implementation cannot support other combinations of filters, they must clearly + * implementation can not support other combinations of filters, they must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. * + * * Support: Core */ filters?: pulumi.Input[]>; 
@@ -28598,8 +20097,10 @@ export namespace gateway { * HTTP requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - path: 
@@ -28611,54 +20112,58 @@ export namespace gateway { * value: "/v2/foo" * ``` * + * * For a request to match against this rule, a request must satisfy * EITHER of the two conditions: * + * * - path prefixed with `/foo` AND contains the header `version: v2` * - path prefix of `/v2/foo` * + * * See the documentation for HTTPRouteMatch on how to specify multiple * match conditions that should be ANDed together. * + * * If no matches are specified, the default is a prefix * path match on "/", which has the effect of matching every * HTTP request. * + * * Proxy or Load Balancer routing configuration generated from HTTPRoutes * MUST prioritize matches based on the following criteria, continuing on * ties. Across all rules specified on applicable Routes, precedence must be * given to the match having: * + * * * "Exact" path match. * * "Prefix" path match with largest number of characters. * * Method match. * * Largest number of header matches. * * Largest number of query param matches. * + * * Note: The precedence of RegularExpression path matches are implementation-specific. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within an HTTPRoute, matching precedence MUST be granted * to the FIRST matching rule (in list order) with a match meeting the above * criteria. * + * * When no rules matching a request have been successfully attached to the * parent a request is coming from, a HTTP 404 status code MUST be returned. */ matches?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; - retry?: pulumi.Input; sessionPersistence?: pulumi.Input; timeouts?: pulumi.Input; } 
@@ -28666,31 +20171,42 @@ export namespace gateway { /** * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ export interface HTTPRouteSpecRulesBackendRefs { /** * Filters defined at this level should be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in HTTPRouteRule.) */ 
@@ -28704,16 +20220,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -28725,11 +20245,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -28749,11 +20271,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; @@ -28768,9 +20292,7 @@ export namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ export interface HTTPRouteSpecRulesBackendRefsFilters { - cors?: pulumi.Input; extensionRef?: pulumi.Input; - externalAuth?: pulumi.Input; requestHeaderModifier?: pulumi.Input; requestMirror?: pulumi.Input; requestRedirect?: pulumi.Input; 
@@ -28779,14 +20301,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple @@ -28795,16 +20320,20 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -28813,426 +20342,16 @@ export namespace gateway { urlRewrite?: pulumi.Input; } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersCors { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). - * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials?: pulumi.Input; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. 
- * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders?: pulumi.Input[]>; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. 
- * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods?: pulumi.Input[]>; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. 
- * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). - * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins?: pulumi.Input[]>; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. 
- * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders?: pulumi.Input[]>; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge?: pulumi.Input; - } - - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersCorsPatch { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). 
- * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials?: pulumi.Input; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. 
A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders?: pulumi.Input[]>; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. - * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. 
If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods?: pulumi.Input[]>; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. - * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). 
- * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins?: pulumi.Input[]>; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. - * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. 
- * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders?: pulumi.Input[]>; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge?: pulumi.Input; - } - /** * ExtensionRef is an optional, implementation-specific extension to the * "filter" behavior. For example, resource "myroutefilter" in group * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ export interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRef { @@ -29257,8 +20376,10 @@ export namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ export interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch { 
@@ -29277,410 +20398,6 @@ export namespace gateway { name?: pulumi.Input; } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuth { - backendRef?: pulumi.Input; - forwardBody?: pulumi.Input; - grpc?: pulumi.Input; - http?: pulumi.Input; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol?: pulumi.Input; - } - - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. 
- */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - } - - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. 
- */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - } - - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. 
- * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize?: pulumi.Input; - } - - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. 
If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize?: pulumi.Input; - } - - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders?: pulumi.Input[]>; - } - - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders?: pulumi.Input[]>; - } - - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. 
- */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders?: pulumi.Input[]>; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders?: pulumi.Input[]>; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. 
- */ - path?: pulumi.Input; - } - - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders?: pulumi.Input[]>; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders?: pulumi.Input[]>; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. 
- * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path?: pulumi.Input; - } - - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch { - backendRef?: pulumi.Input; - forwardBody?: pulumi.Input; - grpc?: pulumi.Input; - http?: pulumi.Input; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol?: pulumi.Input; - } - /** * HTTPRouteFilter defines processing steps that must be completed during the * request or response lifecycle. HTTPRouteFilters are meant as an extension 
@@ -29690,9 +20407,7 @@ export namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ export interface HTTPRouteSpecRulesBackendRefsFiltersPatch { - cors?: pulumi.Input; extensionRef?: pulumi.Input; - externalAuth?: pulumi.Input; requestHeaderModifier?: pulumi.Input; requestMirror?: pulumi.Input; requestRedirect?: pulumi.Input; @@ -29701,14 +20416,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple @@ -29717,16 +20435,20 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -29739,6 +20461,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier { @@ -29747,15 +20470,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -29767,15 +20493,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -29785,15 +20514,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -29807,7 +20539,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -29828,7 +20561,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -29847,6 +20581,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch { @@ -29855,15 +20590,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -29875,15 +20613,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -29893,15 +20634,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -29915,7 +20659,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -29936,7 +20681,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -29956,49 +20702,47 @@ export namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirror { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef { @@ -30011,16 +20755,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -30032,11 +20780,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -30053,26 +20803,32 @@ export namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch { @@ -30085,16 +20841,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; 
@@ -30106,11 +20866,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -30124,59 +20886,28 @@ export namespace gateway { port?: pulumi.Input; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect { 
@@ -30185,6 +20916,7 @@ export namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname?: pulumi.Input; @@ -30193,9 +20925,11 @@ export namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -30203,14 +20937,17 @@ export namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port?: pulumi.Input; 
@@ -30218,29 +20955,36 @@ export namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme?: pulumi.Input; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode?: pulumi.Input; @@ -30250,6 +20994,7 @@ export namespace gateway { * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch { @@ -30258,6 +21003,7 @@ export namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname?: pulumi.Input; 
@@ -30266,9 +21012,11 @@ export namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -30276,14 +21024,17 @@ export namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port?: pulumi.Input; 
@@ -30291,29 +21042,36 @@ export namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme?: pulumi.Input; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode?: pulumi.Input; @@ -30324,6 +21082,7 @@ export namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath { 
@@ -30338,26 +21097,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -30370,6 +21146,7 @@ export namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch { 
@@ -30384,26 +21161,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -30415,6 +21209,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier { 
@@ -30423,15 +21218,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -30443,15 +21241,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -30461,15 +21262,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -30483,7 +21287,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -30504,7 +21309,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -30523,6 +21329,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch { @@ -30531,15 +21338,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -30551,15 +21361,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -30569,15 +21382,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -30591,7 +21407,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -30612,7 +21429,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -30630,6 +21448,7 @@ export namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite { @@ -30637,6 +21456,7 @@ export namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname?: pulumi.Input; @@ -30646,6 +21466,7 @@ export namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch { @@ -30653,6 +21474,7 @@ export namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname?: pulumi.Input; 
@@ -30662,6 +21484,7 @@ export namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath { @@ -30676,26 +21499,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -30706,6 +21546,7 @@ export namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch { @@ -30720,26 +21561,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -30750,31 +21608,42 @@ export namespace gateway { /** * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ export interface HTTPRouteSpecRulesBackendRefsPatch { /** * Filters defined at this level should be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in HTTPRouteRule.) */ 
@@ -30788,16 +21657,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -30809,11 +21682,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -30833,11 +21708,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; @@ -30852,9 +21729,7 @@ export namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ export interface HTTPRouteSpecRulesFilters { - cors?: pulumi.Input; extensionRef?: pulumi.Input; - externalAuth?: pulumi.Input; requestHeaderModifier?: pulumi.Input; requestMirror?: pulumi.Input; requestRedirect?: pulumi.Input; 
@@ -30863,14 +21738,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple @@ -30879,16 +21757,20 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -30897,426 +21779,16 @@ export namespace gateway { urlRewrite?: pulumi.Input; } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesFiltersCors { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). - * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials?: pulumi.Input; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. 
- * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders?: pulumi.Input[]>; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. 
- * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods?: pulumi.Input[]>; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. 
- * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). - * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins?: pulumi.Input[]>; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. 
- * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders?: pulumi.Input[]>; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge?: pulumi.Input; - } - - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesFiltersCorsPatch { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). 
- * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials?: pulumi.Input; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. 
A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders?: pulumi.Input[]>; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. - * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. 
If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods?: pulumi.Input[]>; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. - * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). 
- * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins?: pulumi.Input[]>; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. - * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. 
- * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders?: pulumi.Input[]>; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge?: pulumi.Input; - } - /** * ExtensionRef is an optional, implementation-specific extension to the * "filter" behavior. For example, resource "myroutefilter" in group * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ export interface HTTPRouteSpecRulesFiltersExtensionRef { @@ -31341,8 +21813,10 @@ export namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ export interface HTTPRouteSpecRulesFiltersExtensionRefPatch { 
@@ -31361,410 +21835,6 @@ export namespace gateway { name?: pulumi.Input; } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesFiltersExternalAuth { - backendRef?: pulumi.Input; - forwardBody?: pulumi.Input; - grpc?: pulumi.Input; - http?: pulumi.Input; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol?: pulumi.Input; - } - - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthBackendRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. 
- */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - } - - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. 
- */ - export interface HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - } - - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. 
- * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthForwardBody { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize?: pulumi.Input; - } - - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. 
- * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize?: pulumi.Input; - } - - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthGrpc { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders?: pulumi.Input[]>; - } - - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders?: pulumi.Input[]>; - } - - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthHttp { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. 
- * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders?: pulumi.Input[]>; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders?: pulumi.Input[]>; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path?: pulumi.Input; - } - - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. 
- */ - export interface HTTPRouteSpecRulesFiltersExternalAuthHttpPatch { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders?: pulumi.Input[]>; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders?: pulumi.Input[]>; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. 
- */ - path?: pulumi.Input; - } - - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthPatch { - backendRef?: pulumi.Input; - forwardBody?: pulumi.Input; - grpc?: pulumi.Input; - http?: pulumi.Input; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol?: pulumi.Input; - } - /** * HTTPRouteFilter defines processing steps that must be completed during the * request or response lifecycle. HTTPRouteFilters are meant as an extension @@ -31774,9 +21844,7 @@ export namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ export interface HTTPRouteSpecRulesFiltersPatch { - cors?: pulumi.Input; extensionRef?: pulumi.Input; - externalAuth?: pulumi.Input; requestHeaderModifier?: pulumi.Input; requestMirror?: pulumi.Input; requestRedirect?: pulumi.Input; 
@@ -31785,14 +21853,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple @@ -31801,16 +21872,20 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -31823,6 +21898,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface HTTPRouteSpecRulesFiltersRequestHeaderModifier { 
@@ -31831,15 +21907,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -31851,15 +21930,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -31869,15 +21951,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -31891,7 +21976,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -31912,7 +21998,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -31931,6 +22018,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch { @@ -31939,15 +22027,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -31959,15 +22050,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -31977,15 +22071,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -31999,7 +22096,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -32020,7 +22118,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -32040,49 +22139,47 @@ export namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersRequestMirror { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRef { 
@@ -32095,16 +22192,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -32116,11 +22217,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -32137,26 +22240,32 @@ export namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch { @@ -32169,16 +22278,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; 
@@ -32190,11 +22303,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -32208,59 +22323,28 @@ export namespace gateway { port?: pulumi.Input; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface HTTPRouteSpecRulesFiltersRequestMirrorFraction { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersRequestMirrorPatch { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ export interface HTTPRouteSpecRulesFiltersRequestRedirect { 
@@ -32269,6 +22353,7 @@ export namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname?: pulumi.Input; @@ -32277,9 +22362,11 @@ export namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -32287,14 +22374,17 @@ export namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port?: pulumi.Input; 
@@ -32302,29 +22392,36 @@ export namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme?: pulumi.Input; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode?: pulumi.Input; @@ -32334,6 +22431,7 @@ export namespace gateway { * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ export interface HTTPRouteSpecRulesFiltersRequestRedirectPatch { @@ -32342,6 +22440,7 @@ export namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname?: pulumi.Input; 
@@ -32350,9 +22449,11 @@ export namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -32360,14 +22461,17 @@ export namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port?: pulumi.Input; 
@@ -32375,29 +22479,36 @@ export namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme?: pulumi.Input; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode?: pulumi.Input; @@ -32408,6 +22519,7 @@ export namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersRequestRedirectPath { 
@@ -32422,26 +22534,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -32454,6 +22583,7 @@ export namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersRequestRedirectPathPatch { 
@@ -32468,26 +22598,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -32499,6 +22646,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersResponseHeaderModifier { 
@@ -32507,15 +22655,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -32527,15 +22678,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -32545,15 +22699,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -32567,7 +22724,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -32588,7 +22746,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -32607,6 +22766,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch { @@ -32615,15 +22775,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -32635,15 +22798,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -32653,15 +22819,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -32675,7 +22844,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -32696,7 +22866,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -32714,6 +22885,7 @@ export namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersUrlRewrite { @@ -32721,6 +22893,7 @@ export namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname?: pulumi.Input; @@ -32730,6 +22903,7 @@ export namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersUrlRewritePatch { @@ -32737,6 +22911,7 @@ export namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname?: pulumi.Input; @@ -32746,6 +22921,7 @@ export namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersUrlRewritePath { 
@@ -32760,26 +22936,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -32790,6 +22983,7 @@ export namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersUrlRewritePathPatch { 
@@ -32804,26 +22998,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -32836,18 +23047,22 @@ export namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a HTTP request only if its path * starts with `/foo` AND it contains the `version: v1` header: * + * * ``` * match: * + * * path: * value: "/foo" * headers: * - name: "version" * value "v1" * + * * ``` */ export interface HTTPRouteSpecRulesMatches { @@ -32862,6 +23077,7 @@ export namespace gateway { * When specified, this route will be matched only if the request has the * specified method. * + * * Support: Extended */ method?: pulumi.Input; @@ -32871,6 +23087,7 @@ export namespace gateway { * values are ANDed together, meaning, a request must match all the * specified query parameters to select the route. * + * * Support: Extended */ queryParams?: pulumi.Input[]>; @@ -32883,7 +23100,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesMatchesHeaders { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent @@ -32891,6 +23109,7 @@ export namespace gateway { * case-insensitivity of header names, "foo" and "Foo" are considered * equivalent. * + * * When a header is repeated in an HTTP request, it is * implementation-specific behavior as to how this is represented. * Generally, proxies should follow the guidance from the RFC: 
@@ -32901,10 +23120,13 @@ export namespace gateway { /** * Type specifies how to match against the value of the header. * + * * Support: Core (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression HeaderMatchType has implementation-specific * conformance, implementations can support POSIX, PCRE or any other dialects * of regular expressions. Please read the implementation's documentation to @@ -32924,7 +23146,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesMatchesHeadersPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent @@ -32932,6 +23155,7 @@ export namespace gateway { * case-insensitivity of header names, "foo" and "Foo" are considered * equivalent. * + * * When a header is repeated in an HTTP request, it is * implementation-specific behavior as to how this is represented. * Generally, proxies should follow the guidance from the RFC: @@ -32942,10 +23166,13 @@ export namespace gateway { /** * Type specifies how to match against the value of the header. * + * * Support: Core (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression HeaderMatchType has implementation-specific * conformance, implementations can support POSIX, PCRE or any other dialects * of regular expressions. Please read the implementation's documentation to 
@@ -32963,18 +23190,22 @@ export namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a HTTP request only if its path * starts with `/foo` AND it contains the `version: v1` header: * + * * ``` * match: * + * * path: * value: "/foo" * headers: * - name: "version" * value "v1" * + * * ``` */ export interface HTTPRouteSpecRulesMatchesPatch { @@ -32989,6 +23220,7 @@ export namespace gateway { * When specified, this route will be matched only if the request has the * specified method. * + * * Support: Extended */ method?: pulumi.Input; @@ -32998,6 +23230,7 @@ export namespace gateway { * values are ANDed together, meaning, a request must match all the * specified query parameters to select the route. * + * * Support: Extended */ queryParams?: pulumi.Input[]>; @@ -33011,8 +23244,10 @@ export namespace gateway { /** * Type specifies how to match against the path Value. * + * * Support: Core (Exact, PathPrefix) * + * * Support: Implementation-specific (RegularExpression) */ type?: pulumi.Input; @@ -33030,8 +23265,10 @@ export namespace gateway { /** * Type specifies how to match against the path Value. * + * * Support: Core (Exact, PathPrefix) * + * * Support: Implementation-specific (RegularExpression) */ type?: pulumi.Input; @@ -33051,10 +23288,12 @@ export namespace gateway { * exact string match. (See * https://tools.ietf.org/html/rfc7230#section-2.7.3). * + * * If multiple entries specify equivalent query param names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent query param name MUST be ignored. * + * * If a query param is repeated in an HTTP request, the behavior is * purposely left undefined, since different data planes have different * capabilities. However, it is *recommended* that implementations should 
@@ -33062,6 +23301,7 @@ export namespace gateway { * as this behavior is expected in other load balancing contexts outside of * the Gateway API. * + * * Users SHOULD NOT route traffic based on repeated query params to guard * themselves against potential differences in the implementations. */ @@ -33069,10 +23309,13 @@ export namespace gateway { /** * Type specifies how to match against the value of the query parameter. * + * * Support: Extended (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression QueryParamMatchType has Implementation-specific * conformance, implementations can support POSIX, PCRE or any other * dialects of regular expressions. Please read the implementation's @@ -33095,10 +23338,12 @@ export namespace gateway { * exact string match. (See * https://tools.ietf.org/html/rfc7230#section-2.7.3). * + * * If multiple entries specify equivalent query param names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent query param name MUST be ignored. * + * * If a query param is repeated in an HTTP request, the behavior is * purposely left undefined, since different data planes have different * capabilities. However, it is *recommended* that implementations should @@ -33106,6 +23351,7 @@ export namespace gateway { * as this behavior is expected in other load balancing contexts outside of * the Gateway API. * + * * Users SHOULD NOT route traffic based on repeated query params to guard * themselves against potential differences in the implementations. */ 
@@ -33113,10 +23359,13 @@ export namespace gateway { /** * Type specifies how to match against the value of the query parameter. * + * * Support: Extended (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression QueryParamMatchType has Implementation-specific * conformance, implementations can support POSIX, PCRE or any other * dialects of regular expressions. Please read the implementation's 
@@ -33139,37 +23388,41 @@ export namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive a 500 status code. * + * * See the HTTPBackendRef definition for the rules about what makes a single * HTTPBackendRef invalid. * + * * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive a 500 status code. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic must receive a 500. Implementations may * choose how that 50 percent is determined. * - * When a HTTPBackendRef refers to a Service that has no ready endpoints, - * implementations SHOULD return a 503 for requests to that backend instead. - * If an implementation chooses to do this, all of the above rules for 500 responses - * MUST also apply for responses that return a 503. * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs?: pulumi.Input[]>; 
@@ -33177,38 +23430,46 @@ export namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * Wherever possible, implementations SHOULD implement filters in the order * they are specified. * + * * Implementations MAY choose to implement this ordering strictly, rejecting - * any combination or order of filters that cannot be supported. If implementations + * any combination or order of filters that can not be supported. If implementations * choose a strict interpretation of filter ordering, they MUST clearly document * that behavior. * + * * To reject an invalid combination or order of filters, implementations SHOULD * consider the Route Rules with this configuration invalid. If all Route Rules * in a Route are invalid, the entire Route would be considered invalid. If only * a portion of Route Rules are invalid, implementations MUST set the * "PartiallyInvalid" condition for the Route. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * + * * All filters are expected to be compatible with each other except for the * URLRewrite and RequestRedirect filters, which may not be combined. If an - * implementation cannot support other combinations of filters, they must clearly + * implementation can not support other combinations of filters, they must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. * + * * Support: Core */ filters?: pulumi.Input[]>; 
@@ -33217,8 +23478,10 @@ export namespace gateway { * HTTP requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - path: 
@@ -33230,196 +23493,67 @@ export namespace gateway { * value: "/v2/foo" * ``` * + * * For a request to match against this rule, a request must satisfy * EITHER of the two conditions: * + * * - path prefixed with `/foo` AND contains the header `version: v2` * - path prefix of `/v2/foo` * + * * See the documentation for HTTPRouteMatch on how to specify multiple * match conditions that should be ANDed together. * + * * If no matches are specified, the default is a prefix * path match on "/", which has the effect of matching every * HTTP request. * + * * Proxy or Load Balancer routing configuration generated from HTTPRoutes * MUST prioritize matches based on the following criteria, continuing on * ties. Across all rules specified on applicable Routes, precedence must be * given to the match having: * + * * * "Exact" path match. * * "Prefix" path match with largest number of characters. * * Method match. * * Largest number of header matches. * * Largest number of query param matches. * + * * Note: The precedence of RegularExpression path matches are implementation-specific. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within an HTTPRoute, matching precedence MUST be granted * to the FIRST matching rule (in list order) with a match meeting the above * criteria. * + * * When no rules matching a request have been successfully attached to the * parent a request is coming from, a HTTP 404 status code MUST be returned. */ matches?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
- * - * Support: Extended - */ - name?: pulumi.Input; - retry?: pulumi.Input; sessionPersistence?: pulumi.Input; timeouts?: pulumi.Input; } - /** - * Retry defines the configuration for when to retry an HTTP request. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesRetry { - /** - * Attempts specifies the maximum number of times an individual request - * from the gateway to a backend should be retried. - * - * If the maximum number of retries has been attempted without a successful - * response from the backend, the Gateway MUST return an error. - * - * When this field is unspecified, the number of times to attempt to retry - * a backend request is implementation-specific. - * - * Support: Extended - */ - attempts?: pulumi.Input; - /** - * Backoff specifies the minimum duration a Gateway should wait between - * retry attempts and is represented in Gateway API Duration formatting. - * - * For example, setting the `rules[].retry.backoff` field to the value - * `100ms` will cause a backend request to first be retried approximately - * 100 milliseconds after timing out or receiving a response code configured - * to be retryable. - * - * An implementation MAY use an exponential or alternative backoff strategy - * for subsequent retry attempts, MAY cap the maximum backoff duration to - * some amount greater than the specified minimum, and MAY add arbitrary - * jitter to stagger requests, as long as unsuccessful backend requests are - * not retried before the configured minimum duration. - * - * If a Request timeout (`rules[].timeouts.request`) is configured on the - * route, the entire duration of the initial request and any retry attempts - * MUST not exceed the Request timeout duration. If any retry attempts are - * still in progress when the Request timeout duration has been reached, - * these SHOULD be canceled if possible and the Gateway MUST immediately - * return a timeout error. 
- * - * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - * configured on the route, any retry attempts which reach the configured - * BackendRequest timeout duration without a response SHOULD be canceled if - * possible and the Gateway should wait for at least the specified backoff - * duration before attempting to retry the backend request again. - * - * If a BackendRequest timeout is _not_ configured on the route, retry - * attempts MAY time out after an implementation default duration, or MAY - * remain pending until a configured Request timeout or implementation - * default duration for total request time is reached. - * - * When this field is unspecified, the time to wait between retry attempts - * is implementation-specific. - * - * Support: Extended - */ - backoff?: pulumi.Input; - /** - * Codes defines the HTTP response status codes for which a backend request - * should be retried. - * - * Support: Extended - */ - codes?: pulumi.Input[]>; - } - - /** - * Retry defines the configuration for when to retry an HTTP request. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesRetryPatch { - /** - * Attempts specifies the maximum number of times an individual request - * from the gateway to a backend should be retried. - * - * If the maximum number of retries has been attempted without a successful - * response from the backend, the Gateway MUST return an error. - * - * When this field is unspecified, the number of times to attempt to retry - * a backend request is implementation-specific. - * - * Support: Extended - */ - attempts?: pulumi.Input; - /** - * Backoff specifies the minimum duration a Gateway should wait between - * retry attempts and is represented in Gateway API Duration formatting. 
- * - * For example, setting the `rules[].retry.backoff` field to the value - * `100ms` will cause a backend request to first be retried approximately - * 100 milliseconds after timing out or receiving a response code configured - * to be retryable. - * - * An implementation MAY use an exponential or alternative backoff strategy - * for subsequent retry attempts, MAY cap the maximum backoff duration to - * some amount greater than the specified minimum, and MAY add arbitrary - * jitter to stagger requests, as long as unsuccessful backend requests are - * not retried before the configured minimum duration. - * - * If a Request timeout (`rules[].timeouts.request`) is configured on the - * route, the entire duration of the initial request and any retry attempts - * MUST not exceed the Request timeout duration. If any retry attempts are - * still in progress when the Request timeout duration has been reached, - * these SHOULD be canceled if possible and the Gateway MUST immediately - * return a timeout error. - * - * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - * configured on the route, any retry attempts which reach the configured - * BackendRequest timeout duration without a response SHOULD be canceled if - * possible and the Gateway should wait for at least the specified backoff - * duration before attempting to retry the backend request again. - * - * If a BackendRequest timeout is _not_ configured on the route, retry - * attempts MAY time out after an implementation default duration, or MAY - * remain pending until a configured Request timeout or implementation - * default duration for total request time is reached. - * - * When this field is unspecified, the time to wait between retry attempts - * is implementation-specific. - * - * Support: Extended - */ - backoff?: pulumi.Input; - /** - * Codes defines the HTTP response status codes for which a backend request - * should be retried. 
- * - * Support: Extended - */ - codes?: pulumi.Input[]>; - } - /** * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ export interface HTTPRouteSpecRulesSessionPersistence { @@ -33428,6 +23562,7 @@ export namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout?: pulumi.Input; @@ -33437,6 +23572,7 @@ export namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout?: pulumi.Input; @@ -33446,6 +23582,7 @@ export namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName?: pulumi.Input; @@ -33454,8 +23591,10 @@ export namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type?: pulumi.Input; @@ -33465,6 +23604,7 @@ export namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ export interface HTTPRouteSpecRulesSessionPersistenceCookieConfig { @@ -33475,18 +23615,20 @@ export namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType?: pulumi.Input; 
@@ -33496,6 +23638,7 @@ export namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ export interface HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch { @@ -33506,18 +23649,20 @@ export namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType?: pulumi.Input; @@ -33527,6 +23672,7 @@ export namespace gateway { * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ export interface HTTPRouteSpecRulesSessionPersistencePatch { @@ -33535,6 +23681,7 @@ export namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout?: pulumi.Input; @@ -33544,6 +23691,7 @@ export namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout?: pulumi.Input; @@ -33553,6 +23701,7 @@ export namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName?: pulumi.Input; @@ -33561,8 +23710,10 @@ export namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type?: pulumi.Input; 
@@ -33571,6 +23722,7 @@ export namespace gateway { /** * Timeouts defines the timeouts that can be configured for an HTTP request. * + * * Support: Extended */ export interface HTTPRouteSpecRulesTimeouts { @@ -33579,19 +23731,21 @@ export namespace gateway { * to a backend. This covers the time from when the request first starts being * sent from the gateway to when the full response has been received from the backend. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * An entire client HTTP transaction with a gateway, covered by the Request timeout, * may result in more than one call from the gateway to the destination backend, * for example, if automatic retries are supported. * - * The value of BackendRequest must be a Gateway API Duration string as defined by - * GEP-2257. When this field is unspecified, its behavior is implementation-specific; - * when specified, the value of BackendRequest must be no more than the value of the - * Request timeout (since the Request timeout encompasses the BackendRequest timeout). + * + * Because the Request timeout encompasses the BackendRequest timeout, the value of + * BackendRequest must be <= the value of Request timeout. + * * * Support: Extended */ 
@@ -33601,22 +23755,26 @@ export namespace gateway { * If the gateway has not been able to respond before this deadline is met, the gateway * MUST return a timeout error. * + * * For example, setting the `rules.timeouts.request` field to the value `10s` in an * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds * to complete. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * This timeout is intended to cover as close to the whole request-response transaction * as possible although an implementation MAY choose to start the timeout after the entire * request stream has been received instead of immediately after the transaction is * initiated by the client. * - * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - * field is unspecified, request timeout behavior is implementation-specific. + * + * When this field is unspecified, request timeout behavior is implementation-specific. + * * * Support: Extended */ @@ -33626,6 +23784,7 @@ export namespace gateway { /** * Timeouts defines the timeouts that can be configured for an HTTP request. * + * * Support: Extended */ export interface HTTPRouteSpecRulesTimeoutsPatch { 
@@ -33634,19 +23793,21 @@ export namespace gateway { * to a backend. This covers the time from when the request first starts being * sent from the gateway to when the full response has been received from the backend. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * An entire client HTTP transaction with a gateway, covered by the Request timeout, * may result in more than one call from the gateway to the destination backend, * for example, if automatic retries are supported. * - * The value of BackendRequest must be a Gateway API Duration string as defined by - * GEP-2257. When this field is unspecified, its behavior is implementation-specific; - * when specified, the value of BackendRequest must be no more than the value of the - * Request timeout (since the Request timeout encompasses the BackendRequest timeout). + * + * Because the Request timeout encompasses the BackendRequest timeout, the value of + * BackendRequest must be <= the value of Request timeout. + * * * Support: Extended */ 
@@ -33656,22 +23817,26 @@ export namespace gateway { * If the gateway has not been able to respond before this deadline is met, the gateway * MUST return a timeout error. * + * * For example, setting the `rules.timeouts.request` field to the value `10s` in an * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds * to complete. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * This timeout is intended to cover as close to the whole request-response transaction * as possible although an implementation MAY choose to start the timeout after the entire * request stream has been received instead of immediately after the transaction is * initiated by the client. * - * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - * field is unspecified, request timeout behavior is implementation-specific. + * + * When this field is unspecified, request timeout behavior is implementation-specific. + * * * Support: Extended */ @@ -33690,11 +23855,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -33711,19 +23878,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -33733,12 +23904,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -33749,6 +23923,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface HTTPRouteStatusParentsConditions { /** @@ -33781,6 +23971,10 @@ export namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } @@ -33796,23 +23990,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -33820,6 +24019,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -33827,10 +24027,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -33838,6 +24040,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -33845,6 +24048,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -33854,15 +24058,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -33871,6 +24078,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -33878,6 +24086,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -33885,10 +24094,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -33898,6 +24109,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; 
@@ -33905,257 +24117,80 @@ export namespace gateway { } - export namespace v1alpha1 { + export namespace v1alpha2 { /** - * XBackendTrafficPolicy defines the configuration for how traffic to a - * target backend should be handled. + * BackendLBPolicy provides a way to define load balancing rules + * for a backend. */ - export interface XBackendTrafficPolicy { + export interface BackendLBPolicy { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"XBackendTrafficPolicy">; + kind?: pulumi.Input<"BackendLBPolicy">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ metadata?: pulumi.Input; - spec?: pulumi.Input; - status?: pulumi.Input; + spec?: pulumi.Input; + status?: pulumi.Input; } /** - * Spec defines the desired state of BackendTrafficPolicy. + * Spec defines the desired state of BackendLBPolicy. */ - export interface XBackendTrafficPolicySpec { - retryConstraint?: pulumi.Input; - sessionPersistence?: pulumi.Input; + export interface BackendLBPolicySpec { + sessionPersistence?: pulumi.Input; /** - * TargetRefs identifies API object(s) to apply this policy to. 
- * Currently, Backends (A grouping of like endpoints such as Service, - * ServiceImport, or any implementation-specific backendRef) are the only - * valid API target references. - * - * Currently, a TargetRef can not be scoped to a specific port on a - * Service. + * TargetRef identifies an API object to apply policy to. + * Currently, Backends (i.e. Service, ServiceImport, or any + * implementation-specific backendRef) are the only valid API + * target references. */ - targetRefs?: pulumi.Input[]>; + targetRefs?: pulumi.Input[]>; } /** - * Spec defines the desired state of BackendTrafficPolicy. + * Spec defines the desired state of BackendLBPolicy. */ - export interface XBackendTrafficPolicySpecPatch { - retryConstraint?: pulumi.Input; - sessionPersistence?: pulumi.Input; + export interface BackendLBPolicySpecPatch { + sessionPersistence?: pulumi.Input; /** - * TargetRefs identifies API object(s) to apply this policy to. - * Currently, Backends (A grouping of like endpoints such as Service, - * ServiceImport, or any implementation-specific backendRef) are the only - * valid API target references. - * - * Currently, a TargetRef can not be scoped to a specific port on a - * Service. + * TargetRef identifies an API object to apply policy to. + * Currently, Backends (i.e. Service, ServiceImport, or any + * implementation-specific backendRef) are the only valid API + * target references. */ - targetRefs?: pulumi.Input[]>; - } - - /** - * RetryConstraint defines the configuration for when to allow or prevent - * further retries to a target backend, by dynamically calculating a 'retry - * budget'. This budget is calculated based on the percentage of incoming - * traffic composed of retries over a given time interval. Once the budget - * is exceeded, additional retries will be rejected. 
- * - * For example, if the retry budget interval is 10 seconds, there have been - * 1000 active requests in the past 10 seconds, and the allowed percentage - * of requests that can be retried is 20% (the default), then 200 of those - * requests may be composed of retries. Active requests will only be - * considered for the duration of the interval when calculating the retry - * budget. Retrying the same original request multiple times within the - * retry budget interval will lead to each retry being counted towards - * calculating the budget. - * - * Configuring a RetryConstraint in BackendTrafficPolicy is compatible with - * HTTPRoute Retry settings for each HTTPRouteRule that targets the same - * backend. While the HTTPRouteRule Retry stanza can specify whether a - * request will be retried, and the number of retry attempts each client - * may perform, RetryConstraint helps prevent cascading failures such as - * retry storms during periods of consistent failures. - * - * After the retry budget has been exceeded, additional retries to the - * backend MUST return a 503 response to the client. - * - * Additional configurations for defining a constraint on retries MAY be - * defined in the future. - * - * Support: Extended - */ - export interface XBackendTrafficPolicySpecRetryConstraint { - budget?: pulumi.Input; - minRetryRate?: pulumi.Input; - } - - /** - * Budget holds the details of the retry budget configuration. - */ - export interface XBackendTrafficPolicySpecRetryConstraintBudget { - /** - * Interval defines the duration in which requests will be considered - * for calculating the budget for retries. - * - * Support: Extended - */ - interval?: pulumi.Input; - /** - * Percent defines the maximum percentage of active requests that may - * be made up of retries. - * - * Support: Extended - */ - percent?: pulumi.Input; - } - - /** - * Budget holds the details of the retry budget configuration. 
- */ - export interface XBackendTrafficPolicySpecRetryConstraintBudgetPatch { - /** - * Interval defines the duration in which requests will be considered - * for calculating the budget for retries. - * - * Support: Extended - */ - interval?: pulumi.Input; - /** - * Percent defines the maximum percentage of active requests that may - * be made up of retries. - * - * Support: Extended - */ - percent?: pulumi.Input; - } - - /** - * MinRetryRate defines the minimum rate of retries that will be allowable - * over a specified duration of time. - * - * The effective overall minimum rate of retries targeting the backend - * service may be much higher, as there can be any number of clients which - * are applying this setting locally. - * - * This ensures that requests can still be retried during periods of low - * traffic, where the budget for retries may be calculated as a very low - * value. - * - * Support: Extended - */ - export interface XBackendTrafficPolicySpecRetryConstraintMinRetryRate { - /** - * Count specifies the number of requests per time interval. - * - * Support: Extended - */ - count?: pulumi.Input; - /** - * Interval specifies the divisor of the rate of requests, the amount of - * time during which the given count of requests occur. - * - * Support: Extended - */ - interval?: pulumi.Input; - } - - /** - * MinRetryRate defines the minimum rate of retries that will be allowable - * over a specified duration of time. - * - * The effective overall minimum rate of retries targeting the backend - * service may be much higher, as there can be any number of clients which - * are applying this setting locally. - * - * This ensures that requests can still be retried during periods of low - * traffic, where the budget for retries may be calculated as a very low - * value. - * - * Support: Extended - */ - export interface XBackendTrafficPolicySpecRetryConstraintMinRetryRatePatch { - /** - * Count specifies the number of requests per time interval. 
- * - * Support: Extended - */ - count?: pulumi.Input; - /** - * Interval specifies the divisor of the rate of requests, the amount of - * time during which the given count of requests occur. - * - * Support: Extended - */ - interval?: pulumi.Input; - } - - /** - * RetryConstraint defines the configuration for when to allow or prevent - * further retries to a target backend, by dynamically calculating a 'retry - * budget'. This budget is calculated based on the percentage of incoming - * traffic composed of retries over a given time interval. Once the budget - * is exceeded, additional retries will be rejected. - * - * For example, if the retry budget interval is 10 seconds, there have been - * 1000 active requests in the past 10 seconds, and the allowed percentage - * of requests that can be retried is 20% (the default), then 200 of those - * requests may be composed of retries. Active requests will only be - * considered for the duration of the interval when calculating the retry - * budget. Retrying the same original request multiple times within the - * retry budget interval will lead to each retry being counted towards - * calculating the budget. - * - * Configuring a RetryConstraint in BackendTrafficPolicy is compatible with - * HTTPRoute Retry settings for each HTTPRouteRule that targets the same - * backend. While the HTTPRouteRule Retry stanza can specify whether a - * request will be retried, and the number of retry attempts each client - * may perform, RetryConstraint helps prevent cascading failures such as - * retry storms during periods of consistent failures. - * - * After the retry budget has been exceeded, additional retries to the - * backend MUST return a 503 response to the client. - * - * Additional configurations for defining a constraint on retries MAY be - * defined in the future. 
- * - * Support: Extended - */ - export interface XBackendTrafficPolicySpecRetryConstraintPatch { - budget?: pulumi.Input; - minRetryRate?: pulumi.Input; + targetRefs?: pulumi.Input[]>; } /** * SessionPersistence defines and configures session persistence * for the backend. * + * * Support: Extended */ - export interface XBackendTrafficPolicySpecSessionPersistence { + export interface BackendLBPolicySpecSessionPersistence { /** * AbsoluteTimeout defines the absolute timeout of the persistent * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout?: pulumi.Input; - cookieConfig?: pulumi.Input; + cookieConfig?: pulumi.Input; /** * IdleTimeout defines the idle timeout of the persistent session. * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout?: pulumi.Input; @@ -34165,6 +24200,7 @@ export namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName?: pulumi.Input; @@ -34173,8 +24209,10 @@ export namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type?: pulumi.Input; @@ -34184,9 +24222,10 @@ export namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ - export interface XBackendTrafficPolicySpecSessionPersistenceCookieConfig { + export interface BackendLBPolicySpecSessionPersistenceCookieConfig { /** * LifetimeType specifies whether the cookie has a permanent or * session-based lifetime. A permanent cookie persists until its 
@@ -34194,18 +24233,20 @@ export namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType?: pulumi.Input; @@ -34215,9 +24256,10 @@ export namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ - export interface XBackendTrafficPolicySpecSessionPersistenceCookieConfigPatch { + export interface BackendLBPolicySpecSessionPersistenceCookieConfigPatch { /** * LifetimeType specifies whether the cookie has a permanent or * session-based lifetime. A permanent cookie persists until its @@ -34225,18 +24267,20 @@ export namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType?: pulumi.Input; 
@@ -34246,23 +24290,26 @@ export namespace gateway { * SessionPersistence defines and configures session persistence * for the backend. * + * * Support: Extended */ - export interface XBackendTrafficPolicySpecSessionPersistencePatch { + export interface BackendLBPolicySpecSessionPersistencePatch { /** * AbsoluteTimeout defines the absolute timeout of the persistent * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout?: pulumi.Input; - cookieConfig?: pulumi.Input; + cookieConfig?: pulumi.Input; /** * IdleTimeout defines the idle timeout of the persistent session. * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout?: pulumi.Input; @@ -34272,6 +24319,7 @@ export namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName?: pulumi.Input; @@ -34280,8 +24328,10 @@ export namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type?: pulumi.Input; @@ -34294,7 +24344,7 @@ export namespace gateway { * policy attachment model works, and a sample Policy resource, refer to * the policy attachment documentation for Gateway API. */ - export interface XBackendTrafficPolicySpecTargetRefs { + export interface BackendLBPolicySpecTargetRefs { /** * Group is the group of the target resource. */ @@ -34316,7 +24366,7 @@ export namespace gateway { * policy attachment model works, and a sample Policy resource, refer to * the policy attachment documentation for Gateway API. */ - export interface XBackendTrafficPolicySpecTargetRefsPatch { + export interface BackendLBPolicySpecTargetRefsPatch { /** * Group is the group of the target resource. */ 
@@ -34332,9 +24382,9 @@ export namespace gateway { } /** - * Status defines the current state of BackendTrafficPolicy. + * Status defines the current state of BackendLBPolicy. */ - export interface XBackendTrafficPolicyStatus { + export interface BackendLBPolicyStatus { /** * Ancestors is a list of ancestor resources (usually Gateways) that are * associated with the policy, and the status of the policy with respect to @@ -34343,22 +24393,27 @@ export namespace gateway { * the controller first sees the policy and SHOULD update the entry as * appropriate when the relevant ancestor is modified. * + * * Note that choosing the relevant ancestor is left to the Policy designers; * an important part of Policy design is designing the right object level at * which to namespace this status. * + * * Note also that implementations MUST ONLY populate ancestor status for * the Ancestor resources they are responsible for. Implementations MUST * use the ControllerName field to uniquely identify the entries in this list * that they are responsible for. * + * * Note that to achieve this, the list of PolicyAncestorStatus structs * MUST be treated as a map with a composite key, made up of the AncestorRef * and ControllerName fields combined. * + * * A maximum of 16 ancestors will be represented in this list. An empty list * means the Policy is not relevant for any ancestors. * + * * If this slice is full, implementations MUST NOT add further entries. * Instead they MUST consider the policy unimplementable and signal that * on any related resources such as the ancestor that would be referenced 
@@ -34366,13 +24421,14 @@ export namespace gateway { * additional Gateways would be able to reference the Service targeted by * the BackendTLSPolicy. */ - ancestors?: pulumi.Input[]>; + ancestors?: pulumi.Input[]>; } /** * PolicyAncestorStatus describes the status of a route with respect to an * associated Ancestor. * + * * Ancestors refer to objects that are either the Target of a policy or above it * in terms of object hierarchy. For example, if a policy targets a Service, the * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and 
@@ -34381,43 +24437,51 @@ export namespace gateway { * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers * have a _very_ good reason otherwise. * + * * In the context of policy attachment, the Ancestor is used to distinguish which * resource results in a distinct application of this policy. For example, if a policy * targets a Service, it may have a distinct result per attached Gateway. * + * * Policies targeting the same resource may have different effects depending on the * ancestors of those resources. For example, different Gateways targeting the same * Service may have different capabilities, especially if they have different underlying * implementations. * + * * For example, in BackendTLSPolicy, the Policy attaches to a Service that is * used as a backend in a HTTPRoute that is itself attached to a Gateway. * In this case, the relevant object for status is the Gateway, and that is the * ancestor object referred to in this status. * + * * Note that a parent is also an ancestor, so for objects where the parent is the * relevant object for status, this struct SHOULD still be used. * + * * This struct is intended to be used in a slice that's effectively a map, * with a composite key made up of the AncestorRef and the ControllerName. */ - export interface XBackendTrafficPolicyStatusAncestors { - ancestorRef?: pulumi.Input; + export interface BackendLBPolicyStatusAncestors { + ancestorRef?: pulumi.Input; /** * Conditions describes the status of the Policy with respect to the given Ancestor. */ - conditions?: pulumi.Input[]>; + conditions?: pulumi.Input[]>; /** * ControllerName is a domain/path string that indicates the name of the * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". 
* + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. @@ -34429,30 +24493,35 @@ export namespace gateway { * AncestorRef corresponds with a ParentRef in the spec that this * PolicyAncestorStatus struct describes the status of. */ - export interface XBackendTrafficPolicyStatusAncestorsAncestorRef { + export interface BackendLBPolicyStatusAncestorsAncestorRef { /** * Group is the group of the referent. * When unspecified, "gateway.networking.k8s.io" is inferred. * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -34460,6 +24529,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -34467,10 +24537,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -34478,6 +24550,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -34485,6 +24558,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -34494,15 +24568,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, 
@@ -34511,6 +24588,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -34518,6 +24596,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -34525,10 +24604,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -34538,6 +24619,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; 
@@ -34545,8 +24627,24 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ - export interface XBackendTrafficPolicyStatusAncestorsConditions { + export interface BackendLBPolicyStatusAncestorsConditions { /** * lastTransitionTime is the last time the condition transitioned from one status to another. * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
@@ -34577,533 +24675,868 @@ export namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } /** - * XListenerSet defines a set of additional listeners to attach to an existing Gateway. - * This resource provides a mechanism to merge multiple listeners into a single Gateway. + * GRPCRoute provides a way to route gRPC requests. This includes the capability + * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. + * Filters can be used to specify additional processing steps. Backends specify + * where matching requests will be routed. * - * The parent Gateway must explicitly allow ListenerSet attachment through its - * AllowedListeners configuration. By default, Gateways do not allow ListenerSet - * attachment. * - * Routes can attach to a ListenerSet by specifying it as a parentRef, and can - * optionally target specific listeners using the sectionName field. + * GRPCRoute falls under extended support within the Gateway API. Within the + * following specification, the word "MUST" indicates that an implementation + * supporting GRPCRoute must conform to the indicated requirement, but an + * implementation not supporting this route type need not follow the requirement + * unless explicitly indicated. 
* - * Policy Attachment: - * - Policies that attach to a ListenerSet apply to all listeners defined in that resource - * - Policies do not impact listeners in the parent Gateway - * - Different ListenerSets attached to the same Gateway can have different policies - * - If an implementation cannot apply a policy to specific listeners, it should reject the policy * - * ReferenceGrant Semantics: - * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets - * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners - * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant + * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST + * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via + * ALPN. If the implementation does not support this, then it MUST set the + * "Accepted" condition to "False" for the affected listener with a reason of + * "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections + * with an upgrade from HTTP/1. * - * Gateway Integration: - * - The parent Gateway's status will include an "AttachedListenerSets" condition - * - This condition will be: - * - True: when AllowedListeners is set and at least one child ListenerSet is attached - * - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false - * - Unknown: when no AllowedListeners config is present + * + * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST + * support HTTP/2 over cleartext TCP (h2c, + * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial + * upgrade from HTTP/1.1, i.e. with prior knowledge + * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). 
If the implementation + * does not support this, then it MUST set the "Accepted" condition to "False" + * for the affected listener with a reason of "UnsupportedProtocol". + * Implementations MAY also accept HTTP/2 connections with an upgrade from + * HTTP/1, i.e. without prior knowledge. */ - export interface XListenerSet { + export interface GRPCRoute { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"XListenerSet">; + kind?: pulumi.Input<"GRPCRoute">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ metadata?: pulumi.Input; - spec?: pulumi.Input; - status?: pulumi.Input; + spec?: pulumi.Input; + status?: pulumi.Input; } /** - * Spec defines the desired state of ListenerSet. + * Spec defines the desired state of GRPCRoute. */ - export interface XListenerSetSpec { + export interface GRPCRouteSpec { /** - * Listeners associated with this ListenerSet. Listeners define - * logical endpoints that are bound on this referenced parent Gateway's addresses. + * Hostnames defines a set of hostnames to match against the GRPC + * Host header to select a GRPCRoute to process the request. 
This matches + * the RFC 1123 definition of a hostname with 2 notable exceptions: * - * Listeners in a `Gateway` and their attached `ListenerSets` are concatenated - * as a list when programming the underlying infrastructure. Each listener - * name does not need to be unique across the Gateway and ListenerSets. - * See ListenerEntry.Name for more details. * - * Implementations MUST treat the parent Gateway as having the merged - * list of all listeners from itself and attached ListenerSets using - * the following precedence: + * 1. IPs are not allowed. + * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + * label MUST appear by itself as the first label. * - * 1. "parent" Gateway - * 2. ListenerSet ordered by creation time (oldest first) - * 3. ListenerSet ordered alphabetically by "{namespace}/{name}". * - * An implementation MAY reject listeners by setting the ListenerEntryStatus - * `Accepted` condition to False with the Reason `TooManyListeners` + * If a hostname is specified by both the Listener and GRPCRoute, there + * MUST be at least one intersecting hostname for the GRPCRoute to be + * attached to the Listener. For example: * - * If a listener has a conflict, this will be reported in the - * Status.ListenerEntryStatus setting the `Conflicted` condition to True. * - * Implementations SHOULD be cautious about what information from the - * parent or siblings are reported to avoid accidentally leaking - * sensitive information that the child would not otherwise have access - * to. This can include contents of secrets etc. - */ - listeners?: pulumi.Input[]>; - parentRef?: pulumi.Input; - } - - export interface XListenerSetSpecListeners { - allowedRoutes?: pulumi.Input; - /** - * Hostname specifies the virtual hostname to match for protocol types that - * define this concept. When unspecified, all hostnames are matched. This - * field is ignored for protocols that don't require hostname based - * matching. 
+ * * A Listener with `test.example.com` as the hostname matches GRPCRoutes + * that have either not specified any hostnames, or have specified at + * least one of `test.example.com` or `*.example.com`. + * * A Listener with `*.example.com` as the hostname matches GRPCRoutes + * that have either not specified any hostnames or have specified at least + * one hostname that matches the Listener hostname. For example, + * `test.example.com` and `*.example.com` would both match. On the other + * hand, `example.com` and `test.example.net` would not match. * - * Implementations MUST apply Hostname matching appropriately for each of - * the following protocols: - * - * * TLS: The Listener Hostname MUST match the SNI. - * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP - * protocol layers as described above. If an implementation does not - * ensure that both the SNI and Host header match the Listener hostname, - * it MUST clearly document that. - * - * For HTTPRoute and TLSRoute resources, there is an interaction with the - * `spec.hostnames` array. When both listener and route specify hostnames, - * there MUST be an intersection between the values for a Route to be - * accepted. For more information, refer to the Route specific Hostnames - * documentation. * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - */ - hostname?: pulumi.Input; - /** - * Name is the name of the Listener. This name MUST be unique within a - * ListenerSet. * - * Name is not required to be unique across a Gateway and ListenerSets. - * Routes can attach to a Listener by having a ListenerSet as a parentRef - * and setting the SectionName - */ - name?: pulumi.Input; - /** - * Port is the network port. 
Multiple listeners may use the - * same port, subject to the Listener compatibility rules. * - * If the port is not set or specified as zero, the implementation will assign - * a unique port. If the implementation does not support dynamic port - * assignment, it MUST set `Accepted` condition to `False` with the - * `UnsupportedPort` reason. - */ - port?: pulumi.Input; - /** - * Protocol specifies the network protocol this listener expects to receive. - */ - protocol?: pulumi.Input; - tls?: pulumi.Input; - } - - /** - * AllowedRoutes defines the types of routes that MAY be attached to a - * Listener and the trusted namespaces where those Route resources MAY be - * present. - * - * Although a client request may match multiple route rules, only one rule - * may ultimately receive the request. Matching precedence MUST be - * determined in order of the following criteria: - * - * * The most specific match as defined by the Route type. - * * The oldest Route based on creation timestamp. For example, a Route with - * a creation timestamp of "2020-09-08 01:02:03" is given precedence over - * a Route with a creation timestamp of "2020-09-08 01:02:04". - * * If everything else is equivalent, the Route appearing first in - * alphabetical order (namespace/name) should be given precedence. For - * example, foo/bar is given precedence over foo/baz. - * - * All valid rules within a Route attached to this Listener should be - * implemented. Invalid Route rules can be ignored (sometimes that will mean - * the full Route). If a Route rule transitions from valid to invalid, - * support for that Route rule should be dropped to ensure consistency. For - * example, even if a filter specified by a Route rule is invalid, the rest - * of the rules within that Route should still be supported. - */ - export interface XListenerSetSpecListenersAllowedRoutes { - /** - * Kinds specifies the groups and kinds of Routes that are allowed to bind - * to this Gateway Listener. 
When unspecified or empty, the kinds of Routes - * selected are determined using the Listener protocol. + * If both the Listener and GRPCRoute have specified hostnames, any + * GRPCRoute hostnames that do not match the Listener hostname MUST be + * ignored. For example, if a Listener specified `*.example.com`, and the + * GRPCRoute specified `test.example.com` and `test.example.net`, + * `test.example.net` MUST NOT be considered for a match. + * + * + * If both the Listener and GRPCRoute have specified hostnames, and none + * match with the criteria above, then the GRPCRoute MUST NOT be accepted by + * the implementation. The implementation MUST raise an 'Accepted' Condition + * with a status of `False` in the corresponding RouteParentStatus. + * + * + * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + * Listener and that listener already has another Route (B) of the other + * type attached and the intersection of the hostnames of A and B is + * non-empty, then the implementation MUST accept exactly one of these two + * routes, determined by the following criteria, in order: + * + * + * * The oldest Route based on creation timestamp. + * * The Route appearing first in alphabetical order by + * "{namespace}/{name}". + * + * + * The rejected Route MUST raise an 'Accepted' condition with a status of + * 'False' in the corresponding RouteParentStatus. * - * A RouteGroupKind MUST correspond to kinds of Routes that are compatible - * with the application protocol specified in the Listener's Protocol field. - * If an implementation does not support or recognize this resource type, it - * MUST set the "ResolvedRefs" condition to False for this Listener with the - * "InvalidRouteKinds" reason. * * Support: Core */ - kinds?: pulumi.Input[]>; - namespaces?: pulumi.Input; + hostnames?: pulumi.Input[]>; + /** + * ParentRefs references the resources (usually Gateways) that a Route wants + * to be attached to. 
Note that the referenced parent resource needs to + * allow this for the attachment to be complete. For Gateways, that means + * the Gateway needs to allow attachment from Routes of this kind and + * namespace. For Services, that means the Service must either be in the same + * namespace for a "producer" route, or the mesh implementation must support + * and allow "consumer" routes for the referenced Service. ReferenceGrant is + * not applicable for governing ParentRefs to Services - it is not possible to + * create a "producer" route for a Service in a different namespace from the + * Route. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * This API may be extended in the future to support additional kinds of parent + * resources. + * + * + * ParentRefs must be _distinct_. This means either that: + * + * + * * They select different objects. If this is the case, then parentRef + * entries are distinct. In terms of fields, this means that the + * multi-part key defined by `group`, `kind`, `namespace`, and `name` must + * be unique across all parentRef entries in the Route. + * * They do not select different objects, but for each optional field used, + * each ParentRef that selects the same object must set the same set of + * optional fields to different values. If one ParentRef sets a + * combination of optional fields, all must set the same combination. + * + * + * Some examples: + * + * + * * If one ParentRef sets `sectionName`, all ParentRefs referencing the + * same object must also set `sectionName`. + * * If one ParentRef sets `port`, all ParentRefs referencing the same + * object must also set `port`. + * * If one ParentRef sets `sectionName` and `port`, all ParentRefs + * referencing the same object must also set `sectionName` and `port`. 
+ * + * + * It is possible to separately reference multiple distinct objects that may + * be collapsed by an implementation. For example, some implementations may + * choose to merge compatible Gateway Listeners together. If that is the + * case, the list of routes attached to those resources should also be + * merged. + * + * + * Note that for ParentRefs that cross namespace boundaries, there are specific + * rules. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example, + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable other kinds of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + */ + parentRefs?: pulumi.Input[]>; + /** + * Rules are a list of GRPC matchers, filters and actions. + */ + rules?: pulumi.Input[]>; } /** - * RouteGroupKind indicates the group and kind of a Route resource. - */ - export interface XListenerSetSpecListenersAllowedRoutesKinds { - /** - * Group is the group of the Route. - */ - group?: pulumi.Input; - /** - * Kind is the kind of the Route. - */ - kind?: pulumi.Input; - } - - /** - * RouteGroupKind indicates the group and kind of a Route resource. - */ - export interface XListenerSetSpecListenersAllowedRoutesKindsPatch { - /** - * Group is the group of the Route. - */ - group?: pulumi.Input; - /** - * Kind is the kind of the Route. 
- */ - kind?: pulumi.Input; - } - - /** - * Namespaces indicates namespaces from which Routes may be attached to this - * Listener. This is restricted to the namespace of this Gateway by default. + * ParentReference identifies an API object (usually a Gateway) that can be considered + * a parent of this resource (usually a route). There are two kinds of parent resources + * with "Core" support: * - * Support: Core - */ - export interface XListenerSetSpecListenersAllowedRoutesNamespaces { - /** - * From indicates where Routes will be selected for this Gateway. Possible - * values are: - * - * * All: Routes in all namespaces may be used by this Gateway. - * * Selector: Routes in namespaces selected by the selector may be used by - * this Gateway. - * * Same: Only Routes in the same namespace may be used by this Gateway. - * - * Support: Core - */ - from?: pulumi.Input; - selector?: pulumi.Input; - } - - /** - * Namespaces indicates namespaces from which Routes may be attached to this - * Listener. This is restricted to the namespace of this Gateway by default. * - * Support: Core - */ - export interface XListenerSetSpecListenersAllowedRoutesNamespacesPatch { - /** - * From indicates where Routes will be selected for this Gateway. Possible - * values are: - * - * * All: Routes in all namespaces may be used by this Gateway. - * * Selector: Routes in namespaces selected by the selector may be used by - * this Gateway. - * * Same: Only Routes in the same namespace may be used by this Gateway. - * - * Support: Core - */ - from?: pulumi.Input; - selector?: pulumi.Input; - } - - /** - * Selector must be specified when From is set to "Selector". In that case, - * only Routes in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". 
+ * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) * - * Support: Core - */ - export interface XListenerSetSpecListenersAllowedRoutesNamespacesSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * Selector must be specified when From is set to "Selector". In that case, - * only Routes in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". * - * Support: Core - */ - export interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * AllowedRoutes defines the types of routes that MAY be attached to a - * Listener and the trusted namespaces where those Route resources MAY be - * present. + * This API may be extended in the future to support additional kinds of parent + * resources. * - * Although a client request may match multiple route rules, only one rule - * may ultimately receive the request. Matching precedence MUST be - * determined in order of the following criteria: - * - * * The most specific match as defined by the Route type. - * * The oldest Route based on creation timestamp. For example, a Route with - * a creation timestamp of "2020-09-08 01:02:03" is given precedence over - * a Route with a creation timestamp of "2020-09-08 01:02:04". 
- * * If everything else is equivalent, the Route appearing first in - * alphabetical order (namespace/name) should be given precedence. For - * example, foo/bar is given precedence over foo/baz. - * - * All valid rules within a Route attached to this Listener should be - * implemented. Invalid Route rules can be ignored (sometimes that will mean - * the full Route). If a Route rule transitions from valid to invalid, - * support for that Route rule should be dropped to ensure consistency. For - * example, even if a filter specified by a Route rule is invalid, the rest - * of the rules within that Route should still be supported. - */ - export interface XListenerSetSpecListenersAllowedRoutesPatch { - /** - * Kinds specifies the groups and kinds of Routes that are allowed to bind - * to this Gateway Listener. When unspecified or empty, the kinds of Routes - * selected are determined using the Listener protocol. - * - * A RouteGroupKind MUST correspond to kinds of Routes that are compatible - * with the application protocol specified in the Listener's Protocol field. - * If an implementation does not support or recognize this resource type, it - * MUST set the "ResolvedRefs" condition to False for this Listener with the - * "InvalidRouteKinds" reason. - * - * Support: Core - */ - kinds?: pulumi.Input[]>; - namespaces?: pulumi.Input; - } - - export interface XListenerSetSpecListenersPatch { - allowedRoutes?: pulumi.Input; - /** - * Hostname specifies the virtual hostname to match for protocol types that - * define this concept. When unspecified, all hostnames are matched. This - * field is ignored for protocols that don't require hostname based - * matching. - * - * Implementations MUST apply Hostname matching appropriately for each of - * the following protocols: - * - * * TLS: The Listener Hostname MUST match the SNI. - * * HTTP: The Listener Hostname MUST match the Host header of the request. 
- * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP - * protocol layers as described above. If an implementation does not - * ensure that both the SNI and Host header match the Listener hostname, - * it MUST clearly document that. - * - * For HTTPRoute and TLSRoute resources, there is an interaction with the - * `spec.hostnames` array. When both listener and route specify hostnames, - * there MUST be an intersection between the values for a Route to be - * accepted. For more information, refer to the Route specific Hostnames - * documentation. - * - * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - * as a suffix match. That means that a match for `*.example.com` would match - * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - */ - hostname?: pulumi.Input; - /** - * Name is the name of the Listener. This name MUST be unique within a - * ListenerSet. - * - * Name is not required to be unique across a Gateway and ListenerSets. - * Routes can attach to a Listener by having a ListenerSet as a parentRef - * and setting the SectionName - */ - name?: pulumi.Input; - /** - * Port is the network port. Multiple listeners may use the - * same port, subject to the Listener compatibility rules. - * - * If the port is not set or specified as zero, the implementation will assign - * a unique port. If the implementation does not support dynamic port - * assignment, it MUST set `Accepted` condition to `False` with the - * `UnsupportedPort` reason. - */ - port?: pulumi.Input; - /** - * Protocol specifies the network protocol this listener expects to receive. - */ - protocol?: pulumi.Input; - tls?: pulumi.Input; - } - - /** - * TLS is the TLS configuration for the Listener. This field is required if - * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field - * if the Protocol field is "HTTP", "TCP", or "UDP". 
- * - * The association of SNIs to Certificate defined in ListenerTLSConfig is - * defined based on the Hostname field for this listener. - * - * The GatewayClass MUST use the longest matching SNI out of all - * available certificates for any TLS handshake. - */ - export interface XListenerSetSpecListenersTls { - /** - * CertificateRefs contains a series of references to Kubernetes objects that - * contains TLS certificates and private keys. These certificates are used to - * establish a TLS handshake for requests that match the hostname of the - * associated listener. - * - * A single CertificateRef to a Kubernetes Secret has "Core" support. - * Implementations MAY choose to support attaching multiple certificates to - * a Listener, but this behavior is implementation-specific. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * This field is required to have at least one element when the mode is set - * to "Terminate" (default) and is optional otherwise. - * - * CertificateRefs can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - * - * Support: Implementation-specific (More than one reference or other resource types) - */ - certificateRefs?: pulumi.Input[]>; - /** - * Mode defines the TLS behavior for the TLS session initiated by the client. - * There are two possible modes: - * - * - Terminate: The TLS session between the downstream client and the - * Gateway is terminated at the Gateway. This mode requires certificates - * to be specified in some way, such as populating the certificateRefs - * field. 
- * - Passthrough: The TLS session is NOT terminated by the Gateway. This - * implies that the Gateway can't decipher the TLS stream except for - * the ClientHello message of the TLS protocol. The certificateRefs field - * is ignored in this mode. - * - * Support: Core - */ - mode?: pulumi.Input; - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * SecretObjectReference identifies an API object including its namespace, - * defaulting to Secret. * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. */ - export interface XListenerSetSpecListenersTlsCertificateRefs { + export interface GRPCRouteSpecParentRefs { + /** + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. + * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. 
+ * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the referent. When unspecified, this refers + * to the local namespace of the Route. + * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + * + * + * + * Support: Core + */ + namespace?: pulumi.Input; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. + * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. 
When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. + * + * + * + * Implementations MAY choose to support other parent resources. + * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. + * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. + * + * + * Support: Extended + */ + port?: pulumi.Input; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. + * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. 
+ * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. + * + * + * Support: Core + */ + sectionName?: pulumi.Input; + } + + /** + * ParentReference identifies an API object (usually a Gateway) that can be considered + * a parent of this resource (usually a route). There are two kinds of parent resources + * with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * This API may be extended in the future to support additional kinds of parent + * resources. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + */ + export interface GRPCRouteSpecParentRefsPatch { + /** + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. + * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the referent. 
When unspecified, this refers + * to the local namespace of the Route. + * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + * + * + * + * Support: Core + */ + namespace?: pulumi.Input; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. + * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. 
+ * + * + * + * Implementations MAY choose to support other parent resources. + * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. + * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. + * + * + * Support: Extended + */ + port?: pulumi.Input; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. + * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. + * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. 
If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. + * + * + * Support: Core + */ + sectionName?: pulumi.Input; + } + + /** + * Spec defines the desired state of GRPCRoute. + */ + export interface GRPCRouteSpecPatch { + /** + * Hostnames defines a set of hostnames to match against the GRPC + * Host header to select a GRPCRoute to process the request. This matches + * the RFC 1123 definition of a hostname with 2 notable exceptions: + * + * + * 1. IPs are not allowed. + * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + * label MUST appear by itself as the first label. + * + * + * If a hostname is specified by both the Listener and GRPCRoute, there + * MUST be at least one intersecting hostname for the GRPCRoute to be + * attached to the Listener. For example: + * + * + * * A Listener with `test.example.com` as the hostname matches GRPCRoutes + * that have either not specified any hostnames, or have specified at + * least one of `test.example.com` or `*.example.com`. + * * A Listener with `*.example.com` as the hostname matches GRPCRoutes + * that have either not specified any hostnames or have specified at least + * one hostname that matches the Listener hostname. For example, + * `test.example.com` and `*.example.com` would both match. On the other + * hand, `example.com` and `test.example.net` would not match. + * + * + * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + * as a suffix match. That means that a match for `*.example.com` would match + * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + * + * + * If both the Listener and GRPCRoute have specified hostnames, any + * GRPCRoute hostnames that do not match the Listener hostname MUST be + * ignored. 
For example, if a Listener specified `*.example.com`, and the + * GRPCRoute specified `test.example.com` and `test.example.net`, + * `test.example.net` MUST NOT be considered for a match. + * + * + * If both the Listener and GRPCRoute have specified hostnames, and none + * match with the criteria above, then the GRPCRoute MUST NOT be accepted by + * the implementation. The implementation MUST raise an 'Accepted' Condition + * with a status of `False` in the corresponding RouteParentStatus. + * + * + * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + * Listener and that listener already has another Route (B) of the other + * type attached and the intersection of the hostnames of A and B is + * non-empty, then the implementation MUST accept exactly one of these two + * routes, determined by the following criteria, in order: + * + * + * * The oldest Route based on creation timestamp. + * * The Route appearing first in alphabetical order by + * "{namespace}/{name}". + * + * + * The rejected Route MUST raise an 'Accepted' condition with a status of + * 'False' in the corresponding RouteParentStatus. + * + * + * Support: Core + */ + hostnames?: pulumi.Input[]>; + /** + * ParentRefs references the resources (usually Gateways) that a Route wants + * to be attached to. Note that the referenced parent resource needs to + * allow this for the attachment to be complete. For Gateways, that means + * the Gateway needs to allow attachment from Routes of this kind and + * namespace. For Services, that means the Service must either be in the same + * namespace for a "producer" route, or the mesh implementation must support + * and allow "consumer" routes for the referenced Service. ReferenceGrant is + * not applicable for governing ParentRefs to Services - it is not possible to + * create a "producer" route for a Service in a different namespace from the + * Route. 
+ * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * This API may be extended in the future to support additional kinds of parent + * resources. + * + * + * ParentRefs must be _distinct_. This means either that: + * + * + * * They select different objects. If this is the case, then parentRef + * entries are distinct. In terms of fields, this means that the + * multi-part key defined by `group`, `kind`, `namespace`, and `name` must + * be unique across all parentRef entries in the Route. + * * They do not select different objects, but for each optional field used, + * each ParentRef that selects the same object must set the same set of + * optional fields to different values. If one ParentRef sets a + * combination of optional fields, all must set the same combination. + * + * + * Some examples: + * + * + * * If one ParentRef sets `sectionName`, all ParentRefs referencing the + * same object must also set `sectionName`. + * * If one ParentRef sets `port`, all ParentRefs referencing the same + * object must also set `port`. + * * If one ParentRef sets `sectionName` and `port`, all ParentRefs + * referencing the same object must also set `sectionName` and `port`. + * + * + * It is possible to separately reference multiple distinct objects that may + * be collapsed by an implementation. For example, some implementations may + * choose to merge compatible Gateway Listeners together. If that is the + * case, the list of routes attached to those resources should also be + * merged. + * + * + * Note that for ParentRefs that cross namespace boundaries, there are specific + * rules. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. 
For example, + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable other kinds of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + */ + parentRefs?: pulumi.Input[]>; + /** + * Rules are a list of GRPC matchers, filters and actions. + */ + rules?: pulumi.Input[]>; + } + + /** + * GRPCRouteRule defines the semantics for matching a gRPC request based on + * conditions (matches), processing it (filters), and forwarding the request to + * an API object (backendRefs). + */ + export interface GRPCRouteSpecRules { + /** + * BackendRefs defines the backend(s) where matching requests should be + * sent. + * + * + * Failure behavior here depends on how many BackendRefs are specified and + * how many are invalid. + * + * + * If *all* entries in BackendRefs are invalid, and there are also no filters + * specified in this route rule, *all* traffic which matches this rule MUST + * receive an `UNAVAILABLE` status. + * + * + * See the GRPCBackendRef definition for the rules about what makes a single + * GRPCBackendRef invalid. + * + * + * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for + * requests that would have otherwise been routed to an invalid backend. If + * multiple backends are specified, and some are invalid, the proportion of + * requests that would otherwise have been routed to an invalid backend + * MUST receive an `UNAVAILABLE` status. 
+ * + * + * For example, if two backends are specified with equal weights, and one is + * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. + * Implementations may choose how that 50 percent is determined. + * + * + * Support: Core for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + * + * + * Support for weight: Core + */ + backendRefs?: pulumi.Input[]>; + /** + * Filters define the filters that are applied to requests that match + * this rule. + * + * + * The effects of ordering of multiple behaviors are currently unspecified. + * This can change in the future based on feedback during the alpha stage. + * + * + * Conformance-levels at this level are defined based on the type of filter: + * + * + * - ALL core filters MUST be supported by all implementations that support + * GRPCRoute. + * - Implementers are encouraged to support extended filters. + * - Implementation-specific custom filters have no API guarantees across + * implementations. + * + * + * Specifying the same filter multiple times is not supported unless explicitly + * indicated in the filter. + * + * + * If an implementation can not support a combination of filters, it must clearly + * document that limitation. In cases where incompatible or unsupported + * filters are specified and cause the `Accepted` condition to be set to status + * `False`, implementations may use the `IncompatibleFilters` reason to specify + * this configuration error. + * + * + * Support: Core + */ + filters?: pulumi.Input[]>; + /** + * Matches define conditions used for matching the rule against incoming + * gRPC requests. Each match is independent, i.e. this rule will be matched + * if **any** one of the matches is satisfied. 
+ * + * + * For example, take the following matches configuration: + * + * + * ``` + * matches: + * - method: + * service: foo.bar + * headers: + * values: + * version: 2 + * - method: + * service: foo.bar.v2 + * ``` + * + * + * For a request to match against this rule, it MUST satisfy + * EITHER of the two conditions: + * + * + * - service of foo.bar AND contains the header `version: 2` + * - service of foo.bar.v2 + * + * + * See the documentation for GRPCRouteMatch on how to specify multiple + * match conditions to be ANDed together. + * + * + * If no matches are specified, the implementation MUST match every gRPC request. + * + * + * Proxy or Load Balancer routing configuration generated from GRPCRoutes + * MUST prioritize rules based on the following criteria, continuing on + * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + * Precedence MUST be given to the rule with the largest number of: + * + * + * * Characters in a matching non-wildcard hostname. + * * Characters in a matching hostname. + * * Characters in a matching service. + * * Characters in a matching method. + * * Header matches. + * + * + * If ties still exist across multiple Routes, matching precedence MUST be + * determined in order of the following criteria, continuing on ties: + * + * + * * The oldest Route based on creation timestamp. + * * The Route appearing first in alphabetical order by + * "{namespace}/{name}". + * + * + * If ties still exist within the Route that has been given precedence, + * matching precedence MUST be granted to the first matching rule meeting + * the above criteria. + */ + matches?: pulumi.Input[]>; + sessionPersistence?: pulumi.Input; + } + + /** + * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + * + * + * Note that when a namespace different than the local namespace is specified, a + * ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. 
See the ReferenceGrant + * documentation for details. + * + * + * + * + * + * When the BackendRef points to a Kubernetes Service, implementations SHOULD + * honor the appProtocol field if it is set for the target Service Port. + * + * + * Implementations supporting appProtocol SHOULD recognize the Kubernetes + * Standard Application Protocols defined in KEP-3726. + * + * + * If a Service appProtocol isn't specified, an implementation MAY infer the + * backend protocol through its own means. Implementations MAY infer the + * protocol from the Route type referring to the backend Service. + * + * + * If a Route is not able to send traffic to the backend using the specified + * protocol then the backend is considered invalid. Implementations MUST set the + * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * + */ + export interface GRPCRouteSpecRulesBackendRefs { + /** + * Filters defined at this level MUST be executed if and only if the + * request is being forwarded to the backend defined here. + * + * + * Support: Implementation-specific (For broader support of filters, use the + * Filters field in GRPCRouteRule.) + */ + filters?: pulumi.Input[]>; /** * Group is the group of the referent. For example, "gateway.networking.k8s.io". * When unspecified or empty string, core API group is inferred. */ group?: pulumi.Input; /** - * Kind is kind of the referent. For example "Secret". + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. 
+ * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; /** 
@@ -35111,38 +25544,510 @@ export namespace gateway { */ name?: pulumi.Input; /** - * Namespace is the namespace of the referenced object. When unspecified, the local + * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port?: pulumi.Input; + /** + * Weight specifies the proportion of requests forwarded to the referenced + * backend. This is computed as weight/(sum of all weights in this + * BackendRefs list). For non-zero values, there may be some epsilon from + * the exact proportion defined here depending on the precision an + * implementation supports. Weight is not a percentage and the sum of + * weights does not need to equal 100. + * + * + * If only one backend is specified and it has a weight greater than 0, 100% + * of the traffic is forwarded to that backend. If weight is set to 0, no + * traffic should be forwarded for this entry. If unspecified, weight + * defaults to 1. + * + * + * Support for this field varies based on the context where used. + */ + weight?: pulumi.Input; } /** - * SecretObjectReference identifies an API object including its namespace, - * defaulting to Secret. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. 
- * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. + * GRPCRouteFilter defines processing steps that must be completed during the + * request or response lifecycle. GRPCRouteFilters are meant as an extension + * point to express processing that may be done in Gateway implementations. Some + * examples include request or response modification, implementing + * authentication strategies, rate-limiting, and traffic shaping. API + * guarantee/conformance is defined based on the type of the filter. */ - export interface XListenerSetSpecListenersTlsCertificateRefsPatch { + export interface GRPCRouteSpecRulesBackendRefsFilters { + extensionRef?: pulumi.Input; + requestHeaderModifier?: pulumi.Input; + requestMirror?: pulumi.Input; + responseHeaderModifier?: pulumi.Input; + /** + * Type identifies the type of filter to apply. As with other API fields, + * types are classified into three conformance levels: + * + * + * - Core: Filter types and their corresponding configuration defined by + * "Support: Core" in this package, e.g. "RequestHeaderModifier". All + * implementations supporting GRPCRoute MUST support core filters. + * + * + * - Extended: Filter types and their corresponding configuration defined by + * "Support: Extended" in this package, e.g. "RequestMirror". Implementers + * are encouraged to support extended filters. + * + * + * - Implementation-specific: Filters that are defined and supported by specific vendors. + * In the future, filters showing convergence in behavior across multiple + * implementations will be considered for inclusion in extended or core + * conformance levels. Filter-specific configuration for such filters + * is specified using the ExtensionRef field. `Type` MUST be set to + * "ExtensionRef" for custom filters. 
+ * + * + * Implementers are encouraged to define custom implementation types to + * extend the core API with implementation-specific behavior. + * + * + * If a reference to a custom filter type cannot be resolved, the filter + * MUST NOT be skipped. Instead, requests that would have been processed by + * that filter MUST receive a HTTP error response. + */ + type?: pulumi.Input; + } + + /** + * ExtensionRef is an optional, implementation-specific extension to the + * "filter" behavior. For example, resource "myroutefilter" in group + * "networking.example.net"). ExtensionRef MUST NOT be used for core and + * extended filters. + * + * + * Support: Implementation-specific + * + * + * This filter can be used multiple times within the same rule. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRef { /** * Group is the group of the referent. For example, "gateway.networking.k8s.io". * When unspecified or empty string, core API group is inferred. */ group?: pulumi.Input; /** - * Kind is kind of the referent. For example "Secret". + * Kind is kind of the referent. For example "HTTPRoute" or "Service". + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + } + + /** + * ExtensionRef is an optional, implementation-specific extension to the + * "filter" behavior. For example, resource "myroutefilter" in group + * "networking.example.net"). ExtensionRef MUST NOT be used for core and + * extended filters. + * + * + * Support: Implementation-specific + * + * + * This filter can be used multiple times within the same rule. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. For example "HTTPRoute" or "Service". 
+ */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + } + + /** + * GRPCRouteFilter defines processing steps that must be completed during the + * request or response lifecycle. GRPCRouteFilters are meant as an extension + * point to express processing that may be done in Gateway implementations. Some + * examples include request or response modification, implementing + * authentication strategies, rate-limiting, and traffic shaping. API + * guarantee/conformance is defined based on the type of the filter. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersPatch { + extensionRef?: pulumi.Input; + requestHeaderModifier?: pulumi.Input; + requestMirror?: pulumi.Input; + responseHeaderModifier?: pulumi.Input; + /** + * Type identifies the type of filter to apply. As with other API fields, + * types are classified into three conformance levels: + * + * + * - Core: Filter types and their corresponding configuration defined by + * "Support: Core" in this package, e.g. "RequestHeaderModifier". All + * implementations supporting GRPCRoute MUST support core filters. + * + * + * - Extended: Filter types and their corresponding configuration defined by + * "Support: Extended" in this package, e.g. "RequestMirror". Implementers + * are encouraged to support extended filters. + * + * + * - Implementation-specific: Filters that are defined and supported by specific vendors. + * In the future, filters showing convergence in behavior across multiple + * implementations will be considered for inclusion in extended or core + * conformance levels. Filter-specific configuration for such filters + * is specified using the ExtensionRef field. `Type` MUST be set to + * "ExtensionRef" for custom filters. + * + * + * Implementers are encouraged to define custom implementation types to + * extend the core API with implementation-specific behavior. 
+ * + * + * If a reference to a custom filter type cannot be resolved, the filter + * MUST NOT be skipped. Instead, requests that would have been processed by + * that filter MUST receive a HTTP error response. + */ + type?: pulumi.Input; + } + + /** + * RequestHeaderModifier defines a schema for a filter that modifies request + * headers. + * + * + * Support: Core + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add?: pulumi.Input[]>; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove?: pulumi.Input[]>; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set?: pulumi.Input[]>; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. 
(See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + + /** + * RequestHeaderModifier defines a schema for a filter that modifies request + * headers. + * + * + * Support: Core + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add?: pulumi.Input[]>; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. 
Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove?: pulumi.Input[]>; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set?: pulumi.Input[]>; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. 
Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + + /** + * RequestMirror defines a schema for a filter that mirrors requests. + * Requests are sent to the specified destination, but responses from + * that destination are ignored. + * + * + * This filter can be used multiple times within the same rule. Note that + * not all implementations will be able to support mirroring to multiple + * backends. + * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirror { + backendRef?: pulumi.Input; + } + + /** + * BackendRef references a resource where mirrored requests are sent. + * + * + * Mirrored requests must be sent only to a single destination endpoint + * within this BackendRef, irrespective of how many endpoints are present + * within this BackendRef. + * + * + * If the referent cannot be found, this BackendRef is invalid and must be + * dropped from the Gateway. The controller must ensure the "ResolvedRefs" + * condition on the Route status is set to `status: False` and not configure + * this backend in the underlying implementation. + * + * + * If there is a cross-namespace reference to an *existing* object + * that is not allowed by a ReferenceGrant, the controller must ensure the + * "ResolvedRefs" condition on the Route is set to `status: False`, + * with the "RefNotPermitted" reason and not configure this backend in the + * underlying implementation. + * + * + * In either error case, the Message of the `ResolvedRefs` Condition + * should be used to provide more detail about the problem. 
+ * + * + * Support: Extended for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; /** 
@@ -35150,99 +26055,85 @@ export namespace gateway { */ name?: pulumi.Input; /** - * Namespace is the namespace of the referenced object. When unspecified, the local + * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port?: pulumi.Input; } /** - * TLS is the TLS configuration for the Listener. This field is required if - * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field - * if the Protocol field is "HTTP", "TCP", or "UDP". + * BackendRef references a resource where mirrored requests are sent. * - * The association of SNIs to Certificate defined in ListenerTLSConfig is - * defined based on the Hostname field for this listener. * - * The GatewayClass MUST use the longest matching SNI out of all - * available certificates for any TLS handshake. + * Mirrored requests must be sent only to a single destination endpoint + * within this BackendRef, irrespective of how many endpoints are present + * within this BackendRef. + * + * + * If the referent cannot be found, this BackendRef is invalid and must be + * dropped from the Gateway. The controller must ensure the "ResolvedRefs" + * condition on the Route status is set to `status: False` and not configure + * this backend in the underlying implementation. 
+ * + * + * If there is a cross-namespace reference to an *existing* object + * that is not allowed by a ReferenceGrant, the controller must ensure the + * "ResolvedRefs" condition on the Route is set to `status: False`, + * with the "RefNotPermitted" reason and not configure this backend in the + * underlying implementation. + * + * + * In either error case, the Message of the `ResolvedRefs` Condition + * should be used to provide more detail about the problem. + * + * + * Support: Extended for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource */ - export interface XListenerSetSpecListenersTlsPatch { + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch { /** - * CertificateRefs contains a series of references to Kubernetes objects that - * contains TLS certificates and private keys. These certificates are used to - * establish a TLS handshake for requests that match the hostname of the - * associated listener. - * - * A single CertificateRef to a Kubernetes Secret has "Core" support. - * Implementations MAY choose to support attaching multiple certificates to - * a Listener, but this behavior is implementation-specific. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * This field is required to have at least one element when the mode is set - * to "Terminate" (default) and is optional otherwise. - * - * CertificateRefs can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. 
- * - * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - * - * Support: Implementation-specific (More than one reference or other resource types) - */ - certificateRefs?: pulumi.Input[]>; - /** - * Mode defines the TLS behavior for the TLS session initiated by the client. - * There are two possible modes: - * - * - Terminate: The TLS session between the downstream client and the - * Gateway is terminated at the Gateway. This mode requires certificates - * to be specified in some way, such as populating the certificateRefs - * field. - * - Passthrough: The TLS session is NOT terminated by the Gateway. This - * implies that the Gateway can't decipher the TLS stream except for - * the ClientHello message of the TLS protocol. The certificateRefs field - * is ignored in this mode. - * - * Support: Core - */ - mode?: pulumi.Input; - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * ParentRef references the Gateway that the listeners are attached to. - */ - export interface XListenerSetSpecParentRef { - /** - * Group is the group of the referent. + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. */ group?: pulumi.Input; /** - * Kind is kind of the referent. For example "Gateway". + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". 
+ * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; /** 
@@ -35250,23 +26141,353 @@ export namespace gateway { */ name?: pulumi.Input; /** - * Namespace is the namespace of the referent. If not present, - * the namespace of the referent is assumed to be the same as - * the namespace of the referring object. + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core */ namespace?: pulumi.Input; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port?: pulumi.Input; } /** - * ParentRef references the Gateway that the listeners are attached to. + * RequestMirror defines a schema for a filter that mirrors requests. + * Requests are sent to the specified destination, but responses from + * that destination are ignored. + * + * + * This filter can be used multiple times within the same rule. Note that + * not all implementations will be able to support mirroring to multiple + * backends. + * + * + * Support: Extended */ - export interface XListenerSetSpecParentRefPatch { + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch { + backendRef?: pulumi.Input; + } + + /** + * ResponseHeaderModifier defines a schema for a filter that modifies response + * headers. + * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier { /** - * Group is the group of the referent. 
+ * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add?: pulumi.Input[]>; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove?: pulumi.Input[]>; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set?: pulumi.Input[]>; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. 
+ */ + value?: pulumi.Input; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + + /** + * ResponseHeaderModifier defines a schema for a filter that modifies response + * headers. + * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add?: pulumi.Input[]>; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove?: pulumi.Input[]>; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set?: pulumi.Input[]>; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. 
+ */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + + /** + * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + * + * + * Note that when a namespace different than the local namespace is specified, a + * ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * + * + * + * When the BackendRef points to a Kubernetes Service, implementations SHOULD + * honor the appProtocol field if it is set for the target Service Port. + * + * + * Implementations supporting appProtocol SHOULD recognize the Kubernetes + * Standard Application Protocols defined in KEP-3726. + * + * + * If a Service appProtocol isn't specified, an implementation MAY infer the + * backend protocol through its own means. Implementations MAY infer the + * protocol from the Route type referring to the backend Service. + * + * + * If a Route is not able to send traffic to the backend using the specified + * protocol then the backend is considered invalid. Implementations MUST set the + * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * + */ + export interface GRPCRouteSpecRulesBackendRefsPatch { + /** + * Filters defined at this level MUST be executed if and only if the + * request is being forwarded to the backend defined here. + * + * + * Support: Implementation-specific (For broader support of filters, use the + * Filters field in GRPCRouteRule.) + */ + filters?: pulumi.Input[]>; + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. */ group?: pulumi.Input; /** - * Kind is kind of the referent. For example "Gateway". + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. 
+ * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; /** 
@@ -35274,165 +26495,1479 @@ export namespace gateway { */ name?: pulumi.Input; /** - * Namespace is the namespace of the referent. If not present, - * the namespace of the referent is assumed to be the same as - * the namespace of the referring object. + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core */ namespace?: pulumi.Input; - } - - /** - * Spec defines the desired state of ListenerSet. - */ - export interface XListenerSetSpecPatch { /** - * Listeners associated with this ListenerSet. Listeners define - * logical endpoints that are bound on this referenced parent Gateway's addresses. - * - * Listeners in a `Gateway` and their attached `ListenerSets` are concatenated - * as a list when programming the underlying infrastructure. Each listener - * name does not need to be unique across the Gateway and ListenerSets. - * See ListenerEntry.Name for more details. - * - * Implementations MUST treat the parent Gateway as having the merged - * list of all listeners from itself and attached ListenerSets using - * the following precedence: - * - * 1. "parent" Gateway - * 2. ListenerSet ordered by creation time (oldest first) - * 3. ListenerSet ordered alphabetically by "{namespace}/{name}". - * - * An implementation MAY reject listeners by setting the ListenerEntryStatus - * `Accepted` condition to False with the Reason `TooManyListeners` - * - * If a listener has a conflict, this will be reported in the - * Status.ListenerEntryStatus setting the `Conflicted` condition to True. 
- * - * Implementations SHOULD be cautious about what information from the - * parent or siblings are reported to avoid accidentally leaking - * sensitive information that the child would not otherwise have access - * to. This can include contents of secrets etc. - */ - listeners?: pulumi.Input[]>; - parentRef?: pulumi.Input; - } - - /** - * Status defines the current state of ListenerSet. - */ - export interface XListenerSetStatus { - /** - * Conditions describe the current conditions of the ListenerSet. - * - * Implementations MUST express ListenerSet conditions using the - * `ListenerSetConditionType` and `ListenerSetConditionReason` - * constants so that operators and tools can converge on a common - * vocabulary to describe ListenerSet state. - * - * Known condition types are: - * - * * "Accepted" - * * "Programmed" - */ - conditions?: pulumi.Input[]>; - /** - * Listeners provide status for each unique listener port defined in the Spec. - */ - listeners?: pulumi.Input[]>; - } - - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - export interface XListenerSetStatusConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime?: pulumi.Input; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message?: pulumi.Input; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. 
- */ - observedGeneration?: pulumi.Input; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason?: pulumi.Input; - /** - * status of the condition, one of True, False, Unknown. - */ - status?: pulumi.Input; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type?: pulumi.Input; - } - - /** - * ListenerStatus is the status associated with a Listener. - */ - export interface XListenerSetStatusListeners { - /** - * AttachedRoutes represents the total number of Routes that have been - * successfully attached to this Listener. - * - * Successful attachment of a Route to a Listener is based solely on the - * combination of the AllowedRoutes field on the corresponding Listener - * and the Route's ParentRefs field. A Route is successfully attached to - * a Listener when it is selected by the Listener's AllowedRoutes field - * AND the Route has a valid ParentRef selecting the whole Gateway - * resource or a specific Listener as a parent resource (more detail on - * attachment semantics can be found in the documentation on the various - * Route kinds ParentRefs fields). Listener or Route status does not impact - * successful attachment, i.e. the AttachedRoutes field count MUST be set - * for Listeners with condition Accepted: false and MUST count successfully - * attached Routes that may themselves have Accepted: false conditions. - * - * Uses for this field include troubleshooting Route attachment and - * measuring blast radius/impact of changes to a Listener. - */ - attachedRoutes?: pulumi.Input; - /** - * Conditions describe the current condition of this listener. 
- */ - conditions?: pulumi.Input[]>; - /** - * Name is the name of the Listener that this status corresponds to. - */ - name?: pulumi.Input; - /** - * Port is the network port the listener is configured to listen on. + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. */ port?: pulumi.Input; /** - * SupportedKinds is the list indicating the Kinds supported by this - * listener. This MUST represent the kinds an implementation supports for - * that Listener configuration. + * Weight specifies the proportion of requests forwarded to the referenced + * backend. This is computed as weight/(sum of all weights in this + * BackendRefs list). For non-zero values, there may be some epsilon from + * the exact proportion defined here depending on the precision an + * implementation supports. Weight is not a percentage and the sum of + * weights does not need to equal 100. * - * If kinds are specified in Spec that are not supported, they MUST NOT - * appear in this list and an implementation MUST set the "ResolvedRefs" - * condition to "False" with the "InvalidRouteKinds" reason. If both valid - * and invalid Route kinds are specified, the implementation MUST - * reference the valid Route kinds that have been specified. + * + * If only one backend is specified and it has a weight greater than 0, 100% + * of the traffic is forwarded to that backend. If weight is set to 0, no + * traffic should be forwarded for this entry. If unspecified, weight + * defaults to 1. + * + * + * Support for this field varies based on the context where used. 
*/ - supportedKinds?: pulumi.Input[]>; + weight?: pulumi.Input; + } + + /** + * GRPCRouteFilter defines processing steps that must be completed during the + * request or response lifecycle. GRPCRouteFilters are meant as an extension + * point to express processing that may be done in Gateway implementations. Some + * examples include request or response modification, implementing + * authentication strategies, rate-limiting, and traffic shaping. API + * guarantee/conformance is defined based on the type of the filter. + */ + export interface GRPCRouteSpecRulesFilters { + extensionRef?: pulumi.Input; + requestHeaderModifier?: pulumi.Input; + requestMirror?: pulumi.Input; + responseHeaderModifier?: pulumi.Input; + /** + * Type identifies the type of filter to apply. As with other API fields, + * types are classified into three conformance levels: + * + * + * - Core: Filter types and their corresponding configuration defined by + * "Support: Core" in this package, e.g. "RequestHeaderModifier". All + * implementations supporting GRPCRoute MUST support core filters. + * + * + * - Extended: Filter types and their corresponding configuration defined by + * "Support: Extended" in this package, e.g. "RequestMirror". Implementers + * are encouraged to support extended filters. + * + * + * - Implementation-specific: Filters that are defined and supported by specific vendors. + * In the future, filters showing convergence in behavior across multiple + * implementations will be considered for inclusion in extended or core + * conformance levels. Filter-specific configuration for such filters + * is specified using the ExtensionRef field. `Type` MUST be set to + * "ExtensionRef" for custom filters. + * + * + * Implementers are encouraged to define custom implementation types to + * extend the core API with implementation-specific behavior. + * + * + * If a reference to a custom filter type cannot be resolved, the filter + * MUST NOT be skipped. 
Instead, requests that would have been processed by + * that filter MUST receive a HTTP error response. + */ + type?: pulumi.Input; + } + + /** + * ExtensionRef is an optional, implementation-specific extension to the + * "filter" behavior. For example, resource "myroutefilter" in group + * "networking.example.net"). ExtensionRef MUST NOT be used for core and + * extended filters. + * + * + * Support: Implementation-specific + * + * + * This filter can be used multiple times within the same rule. + */ + export interface GRPCRouteSpecRulesFiltersExtensionRef { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. For example "HTTPRoute" or "Service". + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + } + + /** + * ExtensionRef is an optional, implementation-specific extension to the + * "filter" behavior. For example, resource "myroutefilter" in group + * "networking.example.net"). ExtensionRef MUST NOT be used for core and + * extended filters. + * + * + * Support: Implementation-specific + * + * + * This filter can be used multiple times within the same rule. + */ + export interface GRPCRouteSpecRulesFiltersExtensionRefPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. For example "HTTPRoute" or "Service". + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + } + + /** + * GRPCRouteFilter defines processing steps that must be completed during the + * request or response lifecycle. GRPCRouteFilters are meant as an extension + * point to express processing that may be done in Gateway implementations. 
Some + * examples include request or response modification, implementing + * authentication strategies, rate-limiting, and traffic shaping. API + * guarantee/conformance is defined based on the type of the filter. + */ + export interface GRPCRouteSpecRulesFiltersPatch { + extensionRef?: pulumi.Input; + requestHeaderModifier?: pulumi.Input; + requestMirror?: pulumi.Input; + responseHeaderModifier?: pulumi.Input; + /** + * Type identifies the type of filter to apply. As with other API fields, + * types are classified into three conformance levels: + * + * + * - Core: Filter types and their corresponding configuration defined by + * "Support: Core" in this package, e.g. "RequestHeaderModifier". All + * implementations supporting GRPCRoute MUST support core filters. + * + * + * - Extended: Filter types and their corresponding configuration defined by + * "Support: Extended" in this package, e.g. "RequestMirror". Implementers + * are encouraged to support extended filters. + * + * + * - Implementation-specific: Filters that are defined and supported by specific vendors. + * In the future, filters showing convergence in behavior across multiple + * implementations will be considered for inclusion in extended or core + * conformance levels. Filter-specific configuration for such filters + * is specified using the ExtensionRef field. `Type` MUST be set to + * "ExtensionRef" for custom filters. + * + * + * Implementers are encouraged to define custom implementation types to + * extend the core API with implementation-specific behavior. + * + * + * If a reference to a custom filter type cannot be resolved, the filter + * MUST NOT be skipped. Instead, requests that would have been processed by + * that filter MUST receive a HTTP error response. + */ + type?: pulumi.Input; + } + + /** + * RequestHeaderModifier defines a schema for a filter that modifies request + * headers. 
+ * + * + * Support: Core + */ + export interface GRPCRouteSpecRulesFiltersRequestHeaderModifier { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add?: pulumi.Input[]>; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove?: pulumi.Input[]>; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set?: pulumi.Input[]>; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. 
+ */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + + /** + * RequestHeaderModifier defines a schema for a filter that modifies request + * headers. + * + * + * Support: Core + */ + export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add?: pulumi.Input[]>; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove?: pulumi.Input[]>; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set?: pulumi.Input[]>; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSet { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. 
+ */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + + /** + * RequestMirror defines a schema for a filter that mirrors requests. + * Requests are sent to the specified destination, but responses from + * that destination are ignored. + * + * + * This filter can be used multiple times within the same rule. Note that + * not all implementations will be able to support mirroring to multiple + * backends. + * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesFiltersRequestMirror { + backendRef?: pulumi.Input; + } + + /** + * BackendRef references a resource where mirrored requests are sent. + * + * + * Mirrored requests must be sent only to a single destination endpoint + * within this BackendRef, irrespective of how many endpoints are present + * within this BackendRef. + * + * + * If the referent cannot be found, this BackendRef is invalid and must be + * dropped from the Gateway. The controller must ensure the "ResolvedRefs" + * condition on the Route status is set to `status: False` and not configure + * this backend in the underlying implementation. + * + * + * If there is a cross-namespace reference to an *existing* object + * that is not allowed by a ReferenceGrant, the controller must ensure the + * "ResolvedRefs" condition on the Route is set to `status: False`, + * with the "RefNotPermitted" reason and not configure this backend in the + * underlying implementation. + * + * + * In either error case, the Message of the `ResolvedRefs` Condition + * should be used to provide more detail about the problem. + * + * + * Support: Extended for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + */ + export interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRef { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. 
+ */ + group?: pulumi.Input; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace?: pulumi.Input; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port?: pulumi.Input; + } + + /** + * BackendRef references a resource where mirrored requests are sent. + * + * + * Mirrored requests must be sent only to a single destination endpoint + * within this BackendRef, irrespective of how many endpoints are present + * within this BackendRef. + * + * + * If the referent cannot be found, this BackendRef is invalid and must be + * dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" + * condition on the Route status is set to `status: False` and not configure + * this backend in the underlying implementation. + * + * + * If there is a cross-namespace reference to an *existing* object + * that is not allowed by a ReferenceGrant, the controller must ensure the + * "ResolvedRefs" condition on the Route is set to `status: False`, + * with the "RefNotPermitted" reason and not configure this backend in the + * underlying implementation. + * + * + * In either error case, the Message of the `ResolvedRefs` Condition + * should be used to provide more detail about the problem. + * + * + * Support: Extended for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + */ + export interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. 
+ * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace?: pulumi.Input; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port?: pulumi.Input; + } + + /** + * RequestMirror defines a schema for a filter that mirrors requests. + * Requests are sent to the specified destination, but responses from + * that destination are ignored. + * + * + * This filter can be used multiple times within the same rule. Note that + * not all implementations will be able to support mirroring to multiple + * backends. + * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesFiltersRequestMirrorPatch { + backendRef?: pulumi.Input; + } + + /** + * ResponseHeaderModifier defines a schema for a filter that modifies response + * headers. + * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesFiltersResponseHeaderModifier { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add?: pulumi.Input[]>; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. 
Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove?: pulumi.Input[]>; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set?: pulumi.Input[]>; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. 
Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + + /** + * ResponseHeaderModifier defines a schema for a filter that modifies response + * headers. + * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add?: pulumi.Input[]>; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove?: pulumi.Input[]>; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set?: pulumi.Input[]>; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSet { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 
+ * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Value is the value of HTTP Header to be matched. + */ + value?: pulumi.Input; + } + + /** + * GRPCRouteMatch defines the predicate used to match requests to a given + * action. Multiple match types are ANDed together, i.e. the match will + * evaluate to true only if all conditions are satisfied. + * + * + * For example, the match below will match a gRPC request only if its service + * is `foo` AND it contains the `version: v1` header: + * + * + * ``` + * matches: + * - method: + * type: Exact + * service: "foo" + * headers: + * - name: "version" + * value "v1" + * + * + * ``` + */ + export interface GRPCRouteSpecRulesMatches { + /** + * Headers specifies gRPC request header matchers. Multiple match values are + * ANDed together, meaning, a request MUST match all the specified headers + * to select the route. 
+ */ + headers?: pulumi.Input[]>; + method?: pulumi.Input; + } + + /** + * GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request + * headers. + */ + export interface GRPCRouteSpecRulesMatchesHeaders { + /** + * Name is the name of the gRPC Header to be matched. + * + * + * If multiple entries specify equivalent header names, only the first + * entry with an equivalent name MUST be considered for a match. Subsequent + * entries with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Type specifies how to match against the value of the header. + */ + type?: pulumi.Input; + /** + * Value is the value of the gRPC Header to be matched. + */ + value?: pulumi.Input; + } + + /** + * GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request + * headers. + */ + export interface GRPCRouteSpecRulesMatchesHeadersPatch { + /** + * Name is the name of the gRPC Header to be matched. + * + * + * If multiple entries specify equivalent header names, only the first + * entry with an equivalent name MUST be considered for a match. Subsequent + * entries with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name?: pulumi.Input; + /** + * Type specifies how to match against the value of the header. + */ + type?: pulumi.Input; + /** + * Value is the value of the gRPC Header to be matched. + */ + value?: pulumi.Input; + } + + /** + * Method specifies a gRPC request service/method matcher. If this field is + * not specified, all services and methods will match. + */ + export interface GRPCRouteSpecRulesMatchesMethod { + /** + * Value of the method to match against. If left empty or omitted, will + * match all services. + * + * + * At least one of Service and Method MUST be a non-empty string. 
+ */ + method?: pulumi.Input; + /** + * Value of the service to match against. If left empty or omitted, will + * match any service. + * + * + * At least one of Service and Method MUST be a non-empty string. + */ + service?: pulumi.Input; + /** + * Type specifies how to match against the service and/or method. + * Support: Core (Exact with service and method specified) + * + * + * Support: Implementation-specific (Exact with method specified but no service specified) + * + * + * Support: Implementation-specific (RegularExpression) + */ + type?: pulumi.Input; + } + + /** + * Method specifies a gRPC request service/method matcher. If this field is + * not specified, all services and methods will match. + */ + export interface GRPCRouteSpecRulesMatchesMethodPatch { + /** + * Value of the method to match against. If left empty or omitted, will + * match all services. + * + * + * At least one of Service and Method MUST be a non-empty string. + */ + method?: pulumi.Input; + /** + * Value of the service to match against. If left empty or omitted, will + * match any service. + * + * + * At least one of Service and Method MUST be a non-empty string. + */ + service?: pulumi.Input; + /** + * Type specifies how to match against the service and/or method. + * Support: Core (Exact with service and method specified) + * + * + * Support: Implementation-specific (Exact with method specified but no service specified) + * + * + * Support: Implementation-specific (RegularExpression) + */ + type?: pulumi.Input; + } + + /** + * GRPCRouteMatch defines the predicate used to match requests to a given + * action. Multiple match types are ANDed together, i.e. the match will + * evaluate to true only if all conditions are satisfied. 
+ * + * + * For example, the match below will match a gRPC request only if its service + * is `foo` AND it contains the `version: v1` header: + * + * + * ``` + * matches: + * - method: + * type: Exact + * service: "foo" + * headers: + * - name: "version" + * value "v1" + * + * + * ``` + */ + export interface GRPCRouteSpecRulesMatchesPatch { + /** + * Headers specifies gRPC request header matchers. Multiple match values are + * ANDed together, meaning, a request MUST match all the specified headers + * to select the route. + */ + headers?: pulumi.Input[]>; + method?: pulumi.Input; + } + + /** + * GRPCRouteRule defines the semantics for matching a gRPC request based on + * conditions (matches), processing it (filters), and forwarding the request to + * an API object (backendRefs). + */ + export interface GRPCRouteSpecRulesPatch { + /** + * BackendRefs defines the backend(s) where matching requests should be + * sent. + * + * + * Failure behavior here depends on how many BackendRefs are specified and + * how many are invalid. + * + * + * If *all* entries in BackendRefs are invalid, and there are also no filters + * specified in this route rule, *all* traffic which matches this rule MUST + * receive an `UNAVAILABLE` status. + * + * + * See the GRPCBackendRef definition for the rules about what makes a single + * GRPCBackendRef invalid. + * + * + * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for + * requests that would have otherwise been routed to an invalid backend. If + * multiple backends are specified, and some are invalid, the proportion of + * requests that would otherwise have been routed to an invalid backend + * MUST receive an `UNAVAILABLE` status. + * + * + * For example, if two backends are specified with equal weights, and one is + * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. + * Implementations may choose how that 50 percent is determined. 
+ * + * + * Support: Core for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + * + * + * Support for weight: Core + */ + backendRefs?: pulumi.Input[]>; + /** + * Filters define the filters that are applied to requests that match + * this rule. + * + * + * The effects of ordering of multiple behaviors are currently unspecified. + * This can change in the future based on feedback during the alpha stage. + * + * + * Conformance-levels at this level are defined based on the type of filter: + * + * + * - ALL core filters MUST be supported by all implementations that support + * GRPCRoute. + * - Implementers are encouraged to support extended filters. + * - Implementation-specific custom filters have no API guarantees across + * implementations. + * + * + * Specifying the same filter multiple times is not supported unless explicitly + * indicated in the filter. + * + * + * If an implementation can not support a combination of filters, it must clearly + * document that limitation. In cases where incompatible or unsupported + * filters are specified and cause the `Accepted` condition to be set to status + * `False`, implementations may use the `IncompatibleFilters` reason to specify + * this configuration error. + * + * + * Support: Core + */ + filters?: pulumi.Input[]>; + /** + * Matches define conditions used for matching the rule against incoming + * gRPC requests. Each match is independent, i.e. this rule will be matched + * if **any** one of the matches is satisfied. 
+ * + * + * For example, take the following matches configuration: + * + * + * ``` + * matches: + * - method: + * service: foo.bar + * headers: + * values: + * version: 2 + * - method: + * service: foo.bar.v2 + * ``` + * + * + * For a request to match against this rule, it MUST satisfy + * EITHER of the two conditions: + * + * + * - service of foo.bar AND contains the header `version: 2` + * - service of foo.bar.v2 + * + * + * See the documentation for GRPCRouteMatch on how to specify multiple + * match conditions to be ANDed together. + * + * + * If no matches are specified, the implementation MUST match every gRPC request. + * + * + * Proxy or Load Balancer routing configuration generated from GRPCRoutes + * MUST prioritize rules based on the following criteria, continuing on + * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + * Precedence MUST be given to the rule with the largest number of: + * + * + * * Characters in a matching non-wildcard hostname. + * * Characters in a matching hostname. + * * Characters in a matching service. + * * Characters in a matching method. + * * Header matches. + * + * + * If ties still exist across multiple Routes, matching precedence MUST be + * determined in order of the following criteria, continuing on ties: + * + * + * * The oldest Route based on creation timestamp. + * * The Route appearing first in alphabetical order by + * "{namespace}/{name}". + * + * + * If ties still exist within the Route that has been given precedence, + * matching precedence MUST be granted to the first matching rule meeting + * the above criteria. + */ + matches?: pulumi.Input[]>; + sessionPersistence?: pulumi.Input; + } + + /** + * SessionPersistence defines and configures session persistence + * for the route rule. + * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesSessionPersistence { + /** + * AbsoluteTimeout defines the absolute timeout of the persistent + * session. 
Once the AbsoluteTimeout duration has elapsed, the + * session becomes invalid. + * + * + * Support: Extended + */ + absoluteTimeout?: pulumi.Input; + cookieConfig?: pulumi.Input; + /** + * IdleTimeout defines the idle timeout of the persistent session. + * Once the session has been idle for more than the specified + * IdleTimeout duration, the session becomes invalid. + * + * + * Support: Extended + */ + idleTimeout?: pulumi.Input; + /** + * SessionName defines the name of the persistent session token + * which may be reflected in the cookie or the header. Users + * should avoid reusing session names to prevent unintended + * consequences, such as rejection or unpredictable behavior. + * + * + * Support: Implementation-specific + */ + sessionName?: pulumi.Input; + /** + * Type defines the type of session persistence such as through + * the use a header or cookie. Defaults to cookie based session + * persistence. + * + * + * Support: Core for "Cookie" type + * + * + * Support: Extended for "Header" type + */ + type?: pulumi.Input; + } + + /** + * CookieConfig provides configuration settings that are specific + * to cookie-based session persistence. + * + * + * Support: Core + */ + export interface GRPCRouteSpecRulesSessionPersistenceCookieConfig { + /** + * LifetimeType specifies whether the cookie has a permanent or + * session-based lifetime. A permanent cookie persists until its + * specified expiry time, defined by the Expires or Max-Age cookie + * attributes, while a session cookie is deleted when the current + * session ends. + * + * + * When set to "Permanent", AbsoluteTimeout indicates the + * cookie's lifetime via the Expires or Max-Age cookie attributes + * and is required. + * + * + * When set to "Session", AbsoluteTimeout indicates the + * absolute lifetime of the cookie tracked by the gateway and + * is optional. 
+ * + * + * Support: Core for "Session" type + * + * + * Support: Extended for "Permanent" type + */ + lifetimeType?: pulumi.Input; + } + + /** + * CookieConfig provides configuration settings that are specific + * to cookie-based session persistence. + * + * + * Support: Core + */ + export interface GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch { + /** + * LifetimeType specifies whether the cookie has a permanent or + * session-based lifetime. A permanent cookie persists until its + * specified expiry time, defined by the Expires or Max-Age cookie + * attributes, while a session cookie is deleted when the current + * session ends. + * + * + * When set to "Permanent", AbsoluteTimeout indicates the + * cookie's lifetime via the Expires or Max-Age cookie attributes + * and is required. + * + * + * When set to "Session", AbsoluteTimeout indicates the + * absolute lifetime of the cookie tracked by the gateway and + * is optional. + * + * + * Support: Core for "Session" type + * + * + * Support: Extended for "Permanent" type + */ + lifetimeType?: pulumi.Input; + } + + /** + * SessionPersistence defines and configures session persistence + * for the route rule. + * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesSessionPersistencePatch { + /** + * AbsoluteTimeout defines the absolute timeout of the persistent + * session. Once the AbsoluteTimeout duration has elapsed, the + * session becomes invalid. + * + * + * Support: Extended + */ + absoluteTimeout?: pulumi.Input; + cookieConfig?: pulumi.Input; + /** + * IdleTimeout defines the idle timeout of the persistent session. + * Once the session has been idle for more than the specified + * IdleTimeout duration, the session becomes invalid. + * + * + * Support: Extended + */ + idleTimeout?: pulumi.Input; + /** + * SessionName defines the name of the persistent session token + * which may be reflected in the cookie or the header. 
Users + * should avoid reusing session names to prevent unintended + * consequences, such as rejection or unpredictable behavior. + * + * + * Support: Implementation-specific + */ + sessionName?: pulumi.Input; + /** + * Type defines the type of session persistence such as through + * the use a header or cookie. Defaults to cookie based session + * persistence. + * + * + * Support: Core for "Cookie" type + * + * + * Support: Extended for "Header" type + */ + type?: pulumi.Input; + } + + /** + * Status defines the current state of GRPCRoute. + */ + export interface GRPCRouteStatus { + /** + * Parents is a list of parent resources (usually Gateways) that are + * associated with the route, and the status of the route with respect to + * each parent. When this route attaches to a parent, the controller that + * manages the parent must add an entry to this list when the controller + * first sees the route and should update the entry as appropriate when the + * route or gateway is modified. + * + * + * Note that parent references that cannot be resolved by an implementation + * of this API will not be added to this list. Implementations of this API + * can only populate Route status for the Gateways/parent resources they are + * responsible for. + * + * + * A maximum of 32 Gateways will be represented in this list. An empty list + * means the route has not been attached to any Gateway. + */ + parents?: pulumi.Input[]>; + } + + /** + * RouteParentStatus describes the status of a route with respect to an + * associated Parent. + */ + export interface GRPCRouteStatusParents { + /** + * Conditions describes the status of the route with respect to the Gateway. + * Note that the route's availability is also subject to the Gateway's own + * status conditions and listener status. 
+ * + * + * If the Route's ParentRef specifies an existing Gateway that supports + * Routes of this kind AND that Gateway's controller has sufficient access, + * then that Gateway's controller MUST set the "Accepted" condition on the + * Route, to indicate whether the route has been accepted or rejected by the + * Gateway, and why. + * + * + * A Route MUST be considered "Accepted" if at least one of the Route's + * rules is implemented by the Gateway. + * + * + * There are a number of cases where the "Accepted" condition may not be set + * due to lack of controller visibility, that includes when: + * + * + * * The Route refers to a non-existent parent. + * * The Route is of a type that the controller does not support. + * * The Route is in a namespace the controller does not have access to. + */ + conditions?: pulumi.Input[]>; + /** + * ControllerName is a domain/path string that indicates the name of the + * controller that wrote this status. This corresponds with the + * controllerName field on GatewayClass. + * + * + * Example: "example.net/gateway-controller". + * + * + * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + * valid Kubernetes names + * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + * + * + * Controllers MUST populate this field when writing status. Controllers should ensure that + * entries to status populated with their ControllerName are cleaned up when they are no + * longer necessary. + */ + controllerName?: pulumi.Input; + parentRef?: pulumi.Input; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. 
+ * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ - export interface XListenerSetStatusListenersConditions { + export interface GRPCRouteStatusParentsConditions { /** * lastTransitionTime is the last time the condition transitioned from one status to another. * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
@@ -35463,234 +27998,391 @@ export namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } /** - * RouteGroupKind indicates the group and kind of a Route resource. + * ParentRef corresponds with a ParentRef in the spec that this + * RouteParentStatus struct describes the status of. */ - export interface XListenerSetStatusListenersSupportedKinds { + export interface GRPCRouteStatusParentsParentRef { /** - * Group is the group of the Route. + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. + * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core */ group?: pulumi.Input; /** - * Kind is the kind of the Route. + * Kind is kind of the referent. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the referent. When unspecified, this refers + * to the local namespace of the Route. + * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. 
For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + * + * + * + * Support: Core + */ + namespace?: pulumi.Input; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. + * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. + * + * + * + * Implementations MAY choose to support other parent resources. + * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. + * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. 
For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. + * + * + * Support: Extended + */ + port?: pulumi.Input; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. + * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. + * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. + * + * + * Support: Core + */ + sectionName?: pulumi.Input; } /** - * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh. 
+ * ReferenceGrant identifies kinds of resources in other namespaces that are + * trusted to reference the specified kinds of resources in the same namespace + * as the policy. + * + * + * Each ReferenceGrant can be used to represent a unique trust relationship. + * Additional Reference Grants can be used to add to the set of trusted + * sources of inbound references for the namespace they are defined within. + * + * + * A ReferenceGrant is required for all cross-namespace references in Gateway API + * (with the exception of cross-namespace Route-Gateway attachment, which is + * governed by the AllowedRoutes configuration on the Gateway, and cross-namespace + * Service ParentRefs on a "consumer" mesh Route, which defines routing rules + * applicable only to workloads in the Route namespace). ReferenceGrants allowing + * a reference from a Route to a Service are only applicable to BackendRefs. + * + * + * ReferenceGrant is a form of runtime verification allowing users to assert + * which cross-namespace object references are permitted. Implementations that + * support ReferenceGrant MUST NOT permit cross-namespace references which have + * no grant, and MUST respond to the removal of a grant by revoking the access + * that the grant allowed. */ - export interface XMesh { + export interface ReferenceGrant { /** * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */ - apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">; + apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">; /** * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */ - kind?: pulumi.Input<"XMesh">; + kind?: pulumi.Input<"ReferenceGrant">; /** * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */ metadata?: pulumi.Input; - spec?: pulumi.Input; - status?: pulumi.Input; + spec?: pulumi.Input; } /** - * Spec defines the desired state of XMesh. + * Spec defines the desired state of ReferenceGrant. */ - export interface XMeshSpec { + export interface ReferenceGrantSpec { /** - * ControllerName is the name of a controller that is managing Gateway API - * resources for mesh traffic management. The value of this field MUST be a - * domain prefixed path. + * From describes the trusted namespaces and kinds that can reference the + * resources described in "To". Each entry in this list MUST be considered + * to be an additional place that references can be valid from, or to put + * this another way, entries MUST be combined using OR. * - * Example: "example.com/awesome-mesh". - * - * This field is not mutable and cannot be empty. * * Support: Core */ - controllerName?: pulumi.Input; + from?: pulumi.Input[]>; /** - * Description optionally provides a human-readable description of a Mesh. + * To describes the resources that may be referenced by the resources + * described in "From". Each entry in this list MUST be considered to be an + * additional place that references can be valid to, or to put this another + * way, entries MUST be combined using OR. + * + * + * Support: Core */ - description?: pulumi.Input; - parametersRef?: pulumi.Input; + to?: pulumi.Input[]>; } /** - * ParametersRef is an optional reference to a resource that contains - * implementation-specific configuration for this Mesh. If no - * implementation-specific parameters are needed, this field MUST be - * omitted. 
- * - * ParametersRef can reference a standard Kubernetes resource, i.e. - * ConfigMap, or an implementation-specific custom resource. The resource - * can be cluster-scoped or namespace-scoped. - * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Mesh MUST be rejected - * with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. - * - * Support: Implementation-specific + * ReferenceGrantFrom describes trusted namespaces and kinds. */ - export interface XMeshSpecParametersRef { + export interface ReferenceGrantSpecFrom { /** * Group is the group of the referent. + * When empty, the Kubernetes core API group is inferred. + * + * + * Support: Core */ group?: pulumi.Input; /** - * Kind is kind of the referent. + * Kind is the kind of the referent. Although implementations may support + * additional resources, the following types are part of the "Core" + * support level for this field. + * + * + * When used to permit a SecretObjectReference: + * + * + * * Gateway + * + * + * When used to permit a BackendObjectReference: + * + * + * * GRPCRoute + * * HTTPRoute + * * TCPRoute + * * TLSRoute + * * UDPRoute */ kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; /** * Namespace is the namespace of the referent. - * This field is required when referring to a Namespace-scoped resource and - * MUST be unset when referring to a Cluster-scoped resource. + * + * + * Support: Core */ namespace?: pulumi.Input; } /** - * ParametersRef is an optional reference to a resource that contains - * implementation-specific configuration for this Mesh. If no - * implementation-specific parameters are needed, this field MUST be - * omitted. - * - * ParametersRef can reference a standard Kubernetes resource, i.e. - * ConfigMap, or an implementation-specific custom resource. The resource - * can be cluster-scoped or namespace-scoped. 
- * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Mesh MUST be rejected - * with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. - * - * Support: Implementation-specific + * ReferenceGrantFrom describes trusted namespaces and kinds. */ - export interface XMeshSpecParametersRefPatch { + export interface ReferenceGrantSpecFromPatch { /** * Group is the group of the referent. + * When empty, the Kubernetes core API group is inferred. + * + * + * Support: Core */ group?: pulumi.Input; /** - * Kind is kind of the referent. + * Kind is the kind of the referent. Although implementations may support + * additional resources, the following types are part of the "Core" + * support level for this field. + * + * + * When used to permit a SecretObjectReference: + * + * + * * Gateway + * + * + * When used to permit a BackendObjectReference: + * + * + * * GRPCRoute + * * HTTPRoute + * * TCPRoute + * * TLSRoute + * * UDPRoute */ kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; /** * Namespace is the namespace of the referent. - * This field is required when referring to a Namespace-scoped resource and - * MUST be unset when referring to a Cluster-scoped resource. + * + * + * Support: Core */ namespace?: pulumi.Input; } /** - * Spec defines the desired state of XMesh. + * Spec defines the desired state of ReferenceGrant. */ - export interface XMeshSpecPatch { + export interface ReferenceGrantSpecPatch { /** - * ControllerName is the name of a controller that is managing Gateway API - * resources for mesh traffic management. The value of this field MUST be a - * domain prefixed path. + * From describes the trusted namespaces and kinds that can reference the + * resources described in "To". 
Each entry in this list MUST be considered + * to be an additional place that references can be valid from, or to put + * this another way, entries MUST be combined using OR. * - * Example: "example.com/awesome-mesh". - * - * This field is not mutable and cannot be empty. * * Support: Core */ - controllerName?: pulumi.Input; + from?: pulumi.Input[]>; /** - * Description optionally provides a human-readable description of a Mesh. - */ - description?: pulumi.Input; - parametersRef?: pulumi.Input; - } - - /** - * Status defines the current state of XMesh. - */ - export interface XMeshStatus { - /** - * Conditions is the current status from the controller for - * this Mesh. + * To describes the resources that may be referenced by the resources + * described in "From". Each entry in this list MUST be considered to be an + * additional place that references can be valid to, or to put this another + * way, entries MUST be combined using OR. * - * Controllers should prefer to publish conditions using values - * of MeshConditionType for the type of each Condition. + * + * Support: Core */ - conditions?: pulumi.Input[]>; - /** - * SupportedFeatures is the set of features the Mesh support. - * It MUST be sorted in ascending alphabetical order by the Name key. - */ - supportedFeatures?: pulumi.Input[]>; + to?: pulumi.Input[]>; } /** - * Condition contains details for one aspect of the current state of this API Resource. + * ReferenceGrantTo describes what Kinds are allowed as targets of the + * references. */ - export interface XMeshStatusConditions { + export interface ReferenceGrantSpecTo { /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + * Group is the group of the referent. + * When empty, the Kubernetes core API group is inferred. 
+ * + * + * Support: Core */ - lastTransitionTime?: pulumi.Input; + group?: pulumi.Input; /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. + * Kind is the kind of the referent. Although implementations may support + * additional resources, the following types are part of the "Core" + * support level for this field: + * + * + * * Secret when used to permit a SecretObjectReference + * * Service when used to permit a BackendObjectReference */ - message?: pulumi.Input; + kind?: pulumi.Input; /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration?: pulumi.Input; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason?: pulumi.Input; - /** - * status of the condition, one of True, False, Unknown. - */ - status?: pulumi.Input; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type?: pulumi.Input; - } - - export interface XMeshStatusSupportedFeatures { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. + * Name is the name of the referent. When unspecified, this policy + * refers to all resources of the specified Group and Kind in the local + * namespace. */ name?: pulumi.Input; } - } + /** + * ReferenceGrantTo describes what Kinds are allowed as targets of the + * references. 
+ */ + export interface ReferenceGrantSpecToPatch { + /** + * Group is the group of the referent. + * When empty, the Kubernetes core API group is inferred. + * + * + * Support: Core + */ + group?: pulumi.Input; + /** + * Kind is the kind of the referent. Although implementations may support + * additional resources, the following types are part of the "Core" + * support level for this field: + * + * + * * Secret when used to permit a SecretObjectReference + * * Service when used to permit a BackendObjectReference + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. When unspecified, this policy + * refers to all resources of the specified Group and Kind in the local + * namespace. + */ + name?: pulumi.Input; + } - export namespace v1alpha2 { /** * TCPRoute provides a way to route TCP requests. When combined with a Gateway * listener, it can be used to forward connections on the port specified by the @@ -35729,16 +28421,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must 
@@ -35748,8 +28445,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -35757,12 +28456,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -35770,10 +28471,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -35785,21 +28488,6 @@ export namespace gateway { * Rules are a list of TCP matchers and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** @@ -35807,12 +28495,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -35823,23 +28514,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -35847,6 +28543,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -35854,10 +28551,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -35865,6 +28564,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -35872,6 +28572,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -35881,15 +28582,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -35898,6 +28602,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -35905,6 +28610,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -35912,10 +28618,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -35925,6 +28633,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -35935,12 +28644,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -35951,23 +28663,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -35975,6 +28692,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -35982,10 +28700,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -35993,6 +28713,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -36000,6 +28721,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -36009,15 +28731,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -36026,6 +28751,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -36033,6 +28759,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -36040,10 +28767,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -36053,6 +28782,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -36074,16 +28804,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -36093,8 +28828,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -36102,12 +28839,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -36115,10 +28854,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -36130,21 +28871,6 @@ export namespace gateway { * Rules are a list of TCP matchers and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** 
@@ -36153,54 +28879,62 @@ export namespace gateway { export interface TCPRouteSpecRules { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or a + * sent. If unspecified or invalid (refers to a non-existent resource or a * Service with no endpoints), the underlying implementation MUST actively * reject connection attempts to this backend. Connection rejections must * respect weight; if an invalid backend is requested to have 80% of * connections, then 80% of connections must be rejected instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; } /** * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. 
Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. @@ -36215,16 +28949,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -36236,11 +28974,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -36260,11 +29000,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; 
@@ -36274,27 +29016,37 @@ export namespace gateway { * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. 
@@ -36309,16 +29061,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -36330,11 +29086,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -36354,11 +29112,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; 
@@ -36370,27 +29130,25 @@ export namespace gateway { export interface TCPRouteSpecRulesPatch { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or a + * sent. If unspecified or invalid (refers to a non-existent resource or a * Service with no endpoints), the underlying implementation MUST actively * reject connection attempts to this backend. Connection rejections must * respect weight; if an invalid backend is requested to have 80% of * connections, then 80% of connections must be rejected instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; } /** @@ -36405,11 +29163,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -36426,19 +29186,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -36448,12 +29212,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -36464,6 +29231,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface TCPRouteStatusParentsConditions { /** @@ -36496,6 +29279,10 @@ export namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } @@ -36511,23 +29298,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -36535,6 +29327,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -36542,10 +29335,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -36553,6 +29348,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -36560,6 +29356,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -36569,15 +29366,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -36586,6 +29386,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -36593,6 +29394,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -36600,10 +29402,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -36613,6 +29417,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -36623,6 +29428,7 @@ export namespace gateway { * to match against TLS-specific metadata. This allows more flexibility * in matching streams for a given TLS listener. * + * * If you need to forward traffic to a single target for a TLS listener, you * could choose to use a TCPRoute with a TLS listener. */ @@ -36652,14 +29458,17 @@ export namespace gateway { * SNI attribute of TLS ClientHello message in TLS handshake. This matches * the RFC 1123 definition of a hostname with 2 notable exceptions: * + * * 1. IPs are not allowed in SNI names per RFC 6066. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and TLSRoute, there * must be at least one intersecting hostname for the TLSRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches TLSRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -36669,17 +29478,20 @@ export namespace gateway { * `test.example.com` and `*.example.com` would both match. On the other * hand, `example.com` and `test.example.net` would not match. * + * * If both the Listener and TLSRoute have specified hostnames, any * TLSRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * TLSRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and TLSRoute have specified hostnames, and none * match with the criteria above, then the TLSRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * Support: Core */ hostnames?: pulumi.Input[]>; @@ -36695,16 +29507,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -36714,8 +29531,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -36723,12 +29542,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -36736,10 +29557,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -36751,21 +29574,6 @@ export namespace gateway { * Rules are a list of TLS matchers and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** @@ -36773,12 +29581,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -36789,23 +29600,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -36813,6 +29629,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -36820,10 +29637,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -36831,6 +29650,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -36838,6 +29658,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -36847,15 +29668,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -36864,6 +29688,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -36871,6 +29696,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -36878,10 +29704,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -36891,6 +29719,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -36901,12 +29730,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -36917,23 +29749,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -36941,6 +29778,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -36948,10 +29786,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -36959,6 +29799,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -36966,6 +29807,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -36975,15 +29817,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -36992,6 +29837,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -36999,6 +29845,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -37006,10 +29853,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -37019,6 +29868,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -37033,14 +29883,17 @@ export namespace gateway { * SNI attribute of TLS ClientHello message in TLS handshake. This matches * the RFC 1123 definition of a hostname with 2 notable exceptions: * + * * 1. IPs are not allowed in SNI names per RFC 6066. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and TLSRoute, there * must be at least one intersecting hostname for the TLSRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches TLSRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. @@ -37050,17 +29903,20 @@ export namespace gateway { * `test.example.com` and `*.example.com` would both match. On the other * hand, `example.com` and `test.example.net` would not match. * + * * If both the Listener and TLSRoute have specified hostnames, any * TLSRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * TLSRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and TLSRoute have specified hostnames, and none * match with the criteria above, then the TLSRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * Support: Core */ hostnames?: pulumi.Input[]>; 
@@ -37076,16 +29932,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -37095,8 +29956,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -37104,12 +29967,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -37117,10 +29982,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -37132,21 +29999,6 @@ export namespace gateway { * Rules are a list of TLS matchers and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** @@ -37155,7 +30007,7 @@ export namespace gateway { export interface TLSRouteSpecRules { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or + * sent. If unspecified or invalid (refers to a non-existent resource or * a Service with no endpoints), the rule performs no forwarding; if no * filters are specified that would result in a response being sent, the * underlying implementation must actively reject request attempts to this 
@@ -37164,48 +30016,56 @@ export namespace gateway { * requested to have 80% of requests, then 80% of requests must be rejected * instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; } /** * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. 
@@ -37220,16 +30080,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -37241,11 +30105,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -37265,11 +30131,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; 
@@ -37279,27 +30147,37 @@ export namespace gateway { * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. 
@@ -37314,16 +30192,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -37335,11 +30217,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -37359,11 +30243,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; 
@@ -37375,7 +30261,7 @@ export namespace gateway { export interface TLSRouteSpecRulesPatch { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or + * sent. If unspecified or invalid (refers to a non-existent resource or * a Service with no endpoints), the rule performs no forwarding; if no * filters are specified that would result in a response being sent, the * underlying implementation must actively reject request attempts to this @@ -37384,21 +30270,19 @@ export namespace gateway { * requested to have 80% of requests, then 80% of requests must be rejected * instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; } /** @@ -37413,11 +30297,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -37434,19 +30320,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -37456,12 +30346,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -37472,6 +30365,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface TLSRouteStatusParentsConditions { /** @@ -37504,6 +30413,10 @@ export namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } @@ -37519,23 +30432,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -37543,6 +30461,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -37550,10 +30469,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -37561,6 +30482,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -37568,6 +30490,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -37577,15 +30500,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -37594,6 +30520,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -37601,6 +30528,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -37608,10 +30536,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -37621,6 +30551,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -37664,16 +30595,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -37683,8 +30619,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -37692,12 +30630,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -37705,10 +30645,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -37720,21 +30662,6 @@ export namespace gateway { * Rules are a list of UDP matchers and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** @@ -37742,12 +30669,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -37758,23 +30688,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -37782,6 +30717,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -37789,10 +30725,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -37800,6 +30738,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -37807,6 +30746,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -37816,15 +30756,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -37833,6 +30776,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -37840,6 +30784,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -37847,10 +30792,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -37860,6 +30807,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -37870,12 +30818,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -37886,23 +30837,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -37910,6 +30866,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -37917,10 +30874,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -37928,6 +30887,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -37935,6 +30895,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -37944,15 +30905,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -37961,6 +30925,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -37968,6 +30933,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -37975,10 +30941,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -37988,6 +30956,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -38009,16 +30978,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -38028,8 +31002,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -38037,12 +31013,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -38050,10 +31028,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -38065,21 +31045,6 @@ export namespace gateway { * Rules are a list of UDP matchers and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** 
@@ -38088,54 +31053,62 @@ export namespace gateway { export interface UDPRouteSpecRules { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or a + * sent. If unspecified or invalid (refers to a non-existent resource or a * Service with no endpoints), the underlying implementation MUST actively * reject connection attempts to this backend. Packet drops must * respect weight; if an invalid backend is requested to have 80% of * the packets, then 80% of packets must be dropped instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; } /** * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. 
Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. @@ -38150,16 +31123,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -38171,11 +31148,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -38195,11 +31174,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; 
@@ -38209,27 +31190,37 @@ export namespace gateway { * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. 
@@ -38244,16 +31235,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -38265,11 +31260,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -38289,11 +31286,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; 
@@ -38305,27 +31304,25 @@ export namespace gateway { export interface UDPRouteSpecRulesPatch { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or a + * sent. If unspecified or invalid (refers to a non-existent resource or a * Service with no endpoints), the underlying implementation MUST actively * reject connection attempts to this backend. Packet drops must * respect weight; if an invalid backend is requested to have 80% of * the packets, then 80% of packets must be dropped instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; } /** @@ -38340,11 +31337,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -38361,19 +31360,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -38383,12 +31386,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -38399,6 +31405,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface UDPRouteStatusParentsConditions { /** @@ -38431,6 +31453,10 @@ export namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } @@ -38446,23 +31472,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -38470,6 +31501,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -38477,10 +31509,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -38488,6 +31522,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -38495,6 +31530,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -38504,15 +31540,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -38521,6 +31560,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -38528,6 +31568,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -38535,10 +31576,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -38548,6 +31591,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -38581,19 +31625,6 @@ export namespace gateway { * Spec defines the desired state of BackendTLSPolicy. */ export interface BackendTLSPolicySpec { - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options?: pulumi.Input<{[key: string]: pulumi.Input}>; /** * TargetRefs identifies an API object to apply the policy to. * Only Services have Extended support. Implementations MAY support 
@@ -38602,32 +31633,10 @@ export namespace gateway { * by default, but this default may change in the future to provide * a more granular application of the policy. * - * TargetRefs must be _distinct_. This means either that: - * - * * They select different targets. If this is the case, then targetRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, and `name` must - * be unique across all targetRef entries in the BackendTLSPolicy. - * * They select different sectionNames in the same target. - * - * When more than one BackendTLSPolicy selects the same target and - * sectionName, implementations MUST determine precedence using the - * following criteria, continuing on ties: - * - * * The older policy by creation timestamp takes precedence. For - * example, a policy with a creation timestamp of "2021-07-15 - * 01:02:03" MUST be given precedence over a policy with a - * creation timestamp of "2021-07-15 01:02:04". - * * The policy appearing first in alphabetical order by {name}. - * For example, a policy named `bar` is given precedence over a - * policy named `baz`. - * - * For any BackendTLSPolicy that does not take precedence, the - * implementation MUST ensure the `Accepted` Condition is set to - * `status: False`, with Reason `Conflicted`. * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ targetRefs?: pulumi.Input[]>; 
@@ -38638,19 +31647,6 @@ export namespace gateway { * Spec defines the desired state of BackendTLSPolicy. */ export interface BackendTLSPolicySpecPatch { - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options?: pulumi.Input<{[key: string]: pulumi.Input}>; /** * TargetRefs identifies an API object to apply the policy to. * Only Services have Extended support. Implementations MAY support 
@@ -38659,32 +31655,10 @@ export namespace gateway { * by default, but this default may change in the future to provide * a more granular application of the policy. * - * TargetRefs must be _distinct_. This means either that: - * - * * They select different targets. If this is the case, then targetRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, and `name` must - * be unique across all targetRef entries in the BackendTLSPolicy. - * * They select different sectionNames in the same target. - * - * When more than one BackendTLSPolicy selects the same target and - * sectionName, implementations MUST determine precedence using the - * following criteria, continuing on ties: - * - * * The older policy by creation timestamp takes precedence. For - * example, a policy with a creation timestamp of "2021-07-15 - * 01:02:03" MUST be given precedence over a policy with a - * creation timestamp of "2021-07-15 01:02:04". - * * The policy appearing first in alphabetical order by {name}. - * For example, a policy named `bar` is given precedence over a - * policy named `baz`. - * - * For any BackendTLSPolicy that does not take precedence, the - * implementation MUST ensure the `Accepted` Condition is set to - * `status: False`, with Reason `Conflicted`. * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ targetRefs?: pulumi.Input[]>; @@ -38698,6 +31672,7 @@ export namespace gateway { * mode works, and a sample Policy resource, refer to the policy attachment * documentation for Gateway API. * + * * Note: This should only be used for direct policy attachment when references * to SectionName are actually needed. In all other cases, * LocalPolicyTargetReference should be used. 
@@ -38720,10 +31695,12 @@ export namespace gateway { * unspecified, this targetRef targets the entire resource. In the following * resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name * * HTTPRoute: HTTPRouteRule name * * Service: Port name * + * * If a SectionName is specified, but does not exist on the targeted object, * the Policy must fail to attach, and the policy implementation should record * a `ResolvedRefs` or similar Condition in the Policy's status. @@ -38738,6 +31715,7 @@ export namespace gateway { * mode works, and a sample Policy resource, refer to the policy attachment * documentation for Gateway API. * + * * Note: This should only be used for direct policy attachment when references * to SectionName are actually needed. In all other cases, * LocalPolicyTargetReference should be used. @@ -38760,10 +31738,12 @@ export namespace gateway { * unspecified, this targetRef targets the entire resource. In the following * resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name * * HTTPRoute: HTTPRouteRule name * * Service: Port name * + * * If a SectionName is specified, but does not exist on the targeted object, * the Policy must fail to attach, and the policy implementation should record * a `ResolvedRefs` or similar Condition in the Policy's status. 
@@ -38780,81 +31760,55 @@ export namespace gateway { * contain a PEM-encoded TLS CA certificate bundle, which is used to * validate a TLS handshake between the Gateway and backend Pod. * + * * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - * not both. If CACertificateRefs is empty or unspecified, the configuration for + * not both. If CACertifcateRefs is empty or unspecified, the configuration for * WellKnownCACertificates MUST be honored instead if supported by the implementation. * - * A CACertificateRef is invalid if: * - * * It refers to a resource that cannot be resolved (e.g., the referenced resource - * does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - * named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` - * and the Message of the Condition must indicate which reference is invalid and why. + * References to a resource in a different namespace are invalid for the + * moment, although we will revisit this in the future. * - * * It refers to an unknown or unsupported kind of resource. In this case, the Reason - * must be set to `InvalidKind` and the Message of the Condition must explain which - * kind of resource is unknown or unsupported. - * - * * It refers to a resource in another namespace. This may change in future - * spec updates. - * - * Implementations MAY choose to perform further validation of the certificate - * content (e.g., checking expiry or enforcing specific formats). In such cases, - * an implementation-specific Reason and Message must be set for the invalid reference. - * - * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - * the BackendTLSPolicy is set to `status: False`, with a Reason and Message - * that indicate the cause of the error. 
Connections using an invalid - * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - * response. If ALL CACertificateRefs are invalid, the implementation MUST also - * ensure the `Accepted` Condition on the BackendTLSPolicy is set to - * `status: False`, with a Reason `NoValidCACertificate`. * * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a backend, but this behavior is implementation-specific. * + * * Support: Core - An optional single reference to a Kubernetes ConfigMap, * with the CA certificate in a key named `ca.crt`. * - * Support: Implementation-specific - More than one reference, other kinds - * of resources, or a single reference that includes multiple certificates. + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). */ caCertificateRefs?: pulumi.Input[]>; /** * Hostname is used for two purposes in the connection between Gateways and * backends: * + * * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). * 2. Hostname MUST be used for authentication and MUST match the certificate - * served by the matching backend, unless SubjectAltNames is specified. - * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - * but MUST NOT be used for authentication. If you want to use the value - * of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. + * served by the matching backend. + * * * Support: Core */ hostname?: pulumi.Input; - /** - * SubjectAltNames contains one or more Subject Alternative Names. - * When specified the certificate served from the backend MUST - * have at least one Subject Alternate Name matching one of the specified SubjectAltNames. 
- * - * Support: Extended - */ - subjectAltNames?: pulumi.Input[]>; /** * WellKnownCACertificates specifies whether system CA certificates may be used in * the TLS handshake between the gateway and backend pod. * + * * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs * must be specified with at least one entry for a valid configuration. Only one of - * CACertificateRefs or WellKnownCACertificates may be specified, not both. - * If an implementation does not support the WellKnownCACertificates field, or - * the supplied value is not recognized, the implementation MUST ensure the - * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - * a Reason `Invalid`. + * CACertificateRefs or WellKnownCACertificates may be specified, not both. If an + * implementation does not support the WellKnownCACertificates field or the value + * supplied is not supported, the Status Conditions on the Policy MUST be + * updated to include an Accepted: False Condition with Reason: Invalid. + * * * Support: Implementation-specific */ @@ -38867,6 +31821,7 @@ export namespace gateway { * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. @@ -38893,6 +31848,7 @@ export namespace gateway { * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. 
@@ -38922,143 +31878,61 @@ export namespace gateway { * contain a PEM-encoded TLS CA certificate bundle, which is used to * validate a TLS handshake between the Gateway and backend Pod. * + * * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - * not both. If CACertificateRefs is empty or unspecified, the configuration for + * not both. If CACertifcateRefs is empty or unspecified, the configuration for * WellKnownCACertificates MUST be honored instead if supported by the implementation. * - * A CACertificateRef is invalid if: * - * * It refers to a resource that cannot be resolved (e.g., the referenced resource - * does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - * named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` - * and the Message of the Condition must indicate which reference is invalid and why. + * References to a resource in a different namespace are invalid for the + * moment, although we will revisit this in the future. * - * * It refers to an unknown or unsupported kind of resource. In this case, the Reason - * must be set to `InvalidKind` and the Message of the Condition must explain which - * kind of resource is unknown or unsupported. - * - * * It refers to a resource in another namespace. This may change in future - * spec updates. - * - * Implementations MAY choose to perform further validation of the certificate - * content (e.g., checking expiry or enforcing specific formats). In such cases, - * an implementation-specific Reason and Message must be set for the invalid reference. - * - * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - * the BackendTLSPolicy is set to `status: False`, with a Reason and Message - * that indicate the cause of the error. 
Connections using an invalid - * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - * response. If ALL CACertificateRefs are invalid, the implementation MUST also - * ensure the `Accepted` Condition on the BackendTLSPolicy is set to - * `status: False`, with a Reason `NoValidCACertificate`. * * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a backend, but this behavior is implementation-specific. * + * * Support: Core - An optional single reference to a Kubernetes ConfigMap, * with the CA certificate in a key named `ca.crt`. * - * Support: Implementation-specific - More than one reference, other kinds - * of resources, or a single reference that includes multiple certificates. + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). */ caCertificateRefs?: pulumi.Input[]>; /** * Hostname is used for two purposes in the connection between Gateways and * backends: * + * * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). * 2. Hostname MUST be used for authentication and MUST match the certificate - * served by the matching backend, unless SubjectAltNames is specified. - * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - * but MUST NOT be used for authentication. If you want to use the value - * of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. + * served by the matching backend. + * * * Support: Core */ hostname?: pulumi.Input; - /** - * SubjectAltNames contains one or more Subject Alternative Names. - * When specified the certificate served from the backend MUST - * have at least one Subject Alternate Name matching one of the specified SubjectAltNames. 
- * - * Support: Extended - */ - subjectAltNames?: pulumi.Input[]>; /** * WellKnownCACertificates specifies whether system CA certificates may be used in * the TLS handshake between the gateway and backend pod. * + * * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs * must be specified with at least one entry for a valid configuration. Only one of - * CACertificateRefs or WellKnownCACertificates may be specified, not both. - * If an implementation does not support the WellKnownCACertificates field, or - * the supplied value is not recognized, the implementation MUST ensure the - * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - * a Reason `Invalid`. + * CACertificateRefs or WellKnownCACertificates may be specified, not both. If an + * implementation does not support the WellKnownCACertificates field or the value + * supplied is not supported, the Status Conditions on the Policy MUST be + * updated to include an Accepted: False Condition with Reason: Invalid. + * * * Support: Implementation-specific */ wellKnownCACertificates?: pulumi.Input; } - /** - * SubjectAltName represents Subject Alternative Name. - */ - export interface BackendTLSPolicySpecValidationSubjectAltNames { - /** - * Hostname contains Subject Alternative Name specified in DNS name format. - * Required when Type is set to Hostname, ignored otherwise. - * - * Support: Core - */ - hostname?: pulumi.Input; - /** - * Type determines the format of the Subject Alternative Name. Always required. - * - * Support: Core - */ - type?: pulumi.Input; - /** - * URI contains Subject Alternative Name specified in a full URI format. - * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - * Required when Type is set to URI, ignored otherwise. 
- * - * Support: Core - */ - uri?: pulumi.Input; - } - - /** - * SubjectAltName represents Subject Alternative Name. - */ - export interface BackendTLSPolicySpecValidationSubjectAltNamesPatch { - /** - * Hostname contains Subject Alternative Name specified in DNS name format. - * Required when Type is set to Hostname, ignored otherwise. - * - * Support: Core - */ - hostname?: pulumi.Input; - /** - * Type determines the format of the Subject Alternative Name. Always required. - * - * Support: Core - */ - type?: pulumi.Input; - /** - * URI contains Subject Alternative Name specified in a full URI format. - * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - * Required when Type is set to URI, ignored otherwise. - * - * Support: Core - */ - uri?: pulumi.Input; - } - /** * Status defines the current state of BackendTLSPolicy. */ 
@@ -39071,22 +31945,27 @@ export namespace gateway { * the controller first sees the policy and SHOULD update the entry as * appropriate when the relevant ancestor is modified. * + * * Note that choosing the relevant ancestor is left to the Policy designers; * an important part of Policy design is designing the right object level at * which to namespace this status. * + * * Note also that implementations MUST ONLY populate ancestor status for * the Ancestor resources they are responsible for. Implementations MUST * use the ControllerName field to uniquely identify the entries in this list * that they are responsible for. * + * * Note that to achieve this, the list of PolicyAncestorStatus structs * MUST be treated as a map with a composite key, made up of the AncestorRef * and ControllerName fields combined. * + * * A maximum of 16 ancestors will be represented in this list. An empty list * means the Policy is not relevant for any ancestors. * + * * If this slice is full, implementations MUST NOT add further entries. * Instead they MUST consider the policy unimplementable and signal that * on any related resources such as the ancestor that would be referenced @@ -39101,6 +31980,7 @@ export namespace gateway { * PolicyAncestorStatus describes the status of a route with respect to an * associated Ancestor. * + * * Ancestors refer to objects that are either the Target of a policy or above it * in terms of object hierarchy. For example, if a policy targets a Service, the * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and 
@@ -39109,23 +31989,28 @@ export namespace gateway { * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers * have a _very_ good reason otherwise. * + * * In the context of policy attachment, the Ancestor is used to distinguish which * resource results in a distinct application of this policy. For example, if a policy * targets a Service, it may have a distinct result per attached Gateway. * + * * Policies targeting the same resource may have different effects depending on the * ancestors of those resources. For example, different Gateways targeting the same * Service may have different capabilities, especially if they have different underlying * implementations. * + * * For example, in BackendTLSPolicy, the Policy attaches to a Service that is * used as a backend in a HTTPRoute that is itself attached to a Gateway. * In this case, the relevant object for status is the Gateway, and that is the * ancestor object referred to in this status. * + * * Note that a parent is also an ancestor, so for objects where the parent is the * relevant object for status, this struct SHOULD still be used. * + * * This struct is intended to be used in a slice that's effectively a map, * with a composite key made up of the AncestorRef and the ControllerName. */ @@ -39140,12 +32025,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -39164,23 +32052,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -39188,6 +32081,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -39195,10 +32089,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -39206,6 +32102,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -39213,6 +32110,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -39222,15 +32120,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -39239,6 +32140,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -39246,6 +32148,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -39253,10 +32156,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -39266,6 +32171,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -39273,6 +32179,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface BackendTLSPolicyStatusAncestorsConditions { /** 
@@ -39305,1018 +32227,14 @@ export namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } - /** - * The TLSRoute resource is similar to TCPRoute, but can be configured - * to match against TLS-specific metadata. This allows more flexibility - * in matching streams for a given TLS listener. - * - * If you need to forward traffic to a single target for a TLS listener, you - * could choose to use a TCPRoute with a TLS listener. - */ - export interface TLSRoute { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind?: pulumi.Input<"TLSRoute">; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata?: pulumi.Input; - spec?: pulumi.Input; - status?: pulumi.Input; - } - - /** - * Spec defines the desired state of TLSRoute. 
- */ - export interface TLSRouteSpec { - /** - * Hostnames defines a set of SNI hostnames that should match against the - * SNI attribute of TLS ClientHello message in TLS handshake. This matches - * the RFC 1123 definition of a hostname with 2 notable exceptions: - * - * 1. IPs are not allowed in SNI hostnames per RFC 6066. - * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - * label must appear by itself as the first label. - * - * If a hostname is specified by both the Listener and TLSRoute, there - * must be at least one intersecting hostname for the TLSRoute to be - * attached to the Listener. For example: - * - * * A Listener with `test.example.com` as the hostname matches TLSRoutes - * that have specified at least one of `test.example.com` or - * `*.example.com`. - * * A Listener with `*.example.com` as the hostname matches TLSRoutes - * that have specified at least one hostname that matches the Listener - * hostname. For example, `test.example.com` and `*.example.com` would both - * match. On the other hand, `example.com` and `test.example.net` would not - * match. - * - * If both the Listener and TLSRoute have specified hostnames, any - * TLSRoute hostnames that do not match the Listener hostname MUST be - * ignored. For example, if a Listener specified `*.example.com`, and the - * TLSRoute specified `test.example.com` and `test.example.net`, - * `test.example.net` must not be considered for a match. - * - * If both the Listener and TLSRoute have specified hostnames, and none - * match with the criteria above, then the TLSRoute is not accepted. The - * implementation must raise an 'Accepted' Condition with a status of - * `False` in the corresponding RouteParentStatus. - * - * Support: Core - */ - hostnames?: pulumi.Input[]>; - /** - * ParentRefs references the resources (usually Gateways) that a Route wants - * to be attached to. Note that the referenced parent resource needs to - * allow this for the attachment to be complete. 
For Gateways, that means - * the Gateway needs to allow attachment from Routes of this kind and - * namespace. For Services, that means the Service must either be in the same - * namespace for a "producer" route, or the mesh implementation must support - * and allow "consumer" routes for the referenced Service. ReferenceGrant is - * not applicable for governing ParentRefs to Services - it is not possible to - * create a "producer" route for a Service in a different namespace from the - * Route. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * This API may be extended in the future to support additional kinds of parent - * resources. - * - * ParentRefs must be _distinct_. This means either that: - * - * * They select different objects. If this is the case, then parentRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, `namespace`, and `name` must - * be unique across all parentRef entries in the Route. - * * They do not select different objects, but for each optional field used, - * each ParentRef that selects the same object must set the same set of - * optional fields to different values. If one ParentRef sets a - * combination of optional fields, all must set the same combination. - * - * Some examples: - * - * * If one ParentRef sets `sectionName`, all ParentRefs referencing the - * same object must also set `sectionName`. - * * If one ParentRef sets `port`, all ParentRefs referencing the same - * object must also set `port`. - * * If one ParentRef sets `sectionName` and `port`, all ParentRefs - * referencing the same object must also set `sectionName` and `port`. - * - * It is possible to separately reference multiple distinct objects that may - * be collapsed by an implementation. 
For example, some implementations may - * choose to merge compatible Gateway Listeners together. If that is the - * case, the list of routes attached to those resources should also be - * merged. - * - * Note that for ParentRefs that cross namespace boundaries, there are specific - * rules. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example, - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable other kinds of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - */ - parentRefs?: pulumi.Input[]>; - /** - * Rules are a list of actions. - */ - rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. 
- */ - useDefaultGateways?: pulumi.Input; - } - - /** - * ParentReference identifies an API object (usually a Gateway) that can be considered - * a parent of this resource (usually a route). There are two kinds of parent resources - * with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * This API may be extended in the future to support additional kinds of parent - * resources. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - */ - export interface TLSRouteSpecParentRefs { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. 
- * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. - * - * Support: Extended - */ - port?: pulumi.Input; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName?: pulumi.Input; - } - - /** - * ParentReference identifies an API object (usually a Gateway) that can be considered - * a parent of this resource (usually a route). 
There are two kinds of parent resources - * with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * This API may be extended in the future to support additional kinds of parent - * resources. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - */ - export interface TLSRouteSpecParentRefsPatch { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. 
- * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. 
- * - * Support: Extended - */ - port?: pulumi.Input; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName?: pulumi.Input; - } - - /** - * Spec defines the desired state of TLSRoute. - */ - export interface TLSRouteSpecPatch { - /** - * Hostnames defines a set of SNI hostnames that should match against the - * SNI attribute of TLS ClientHello message in TLS handshake. This matches - * the RFC 1123 definition of a hostname with 2 notable exceptions: - * - * 1. IPs are not allowed in SNI hostnames per RFC 6066. - * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - * label must appear by itself as the first label. 
- * - * If a hostname is specified by both the Listener and TLSRoute, there - * must be at least one intersecting hostname for the TLSRoute to be - * attached to the Listener. For example: - * - * * A Listener with `test.example.com` as the hostname matches TLSRoutes - * that have specified at least one of `test.example.com` or - * `*.example.com`. - * * A Listener with `*.example.com` as the hostname matches TLSRoutes - * that have specified at least one hostname that matches the Listener - * hostname. For example, `test.example.com` and `*.example.com` would both - * match. On the other hand, `example.com` and `test.example.net` would not - * match. - * - * If both the Listener and TLSRoute have specified hostnames, any - * TLSRoute hostnames that do not match the Listener hostname MUST be - * ignored. For example, if a Listener specified `*.example.com`, and the - * TLSRoute specified `test.example.com` and `test.example.net`, - * `test.example.net` must not be considered for a match. - * - * If both the Listener and TLSRoute have specified hostnames, and none - * match with the criteria above, then the TLSRoute is not accepted. The - * implementation must raise an 'Accepted' Condition with a status of - * `False` in the corresponding RouteParentStatus. - * - * Support: Core - */ - hostnames?: pulumi.Input[]>; - /** - * ParentRefs references the resources (usually Gateways) that a Route wants - * to be attached to. Note that the referenced parent resource needs to - * allow this for the attachment to be complete. For Gateways, that means - * the Gateway needs to allow attachment from Routes of this kind and - * namespace. For Services, that means the Service must either be in the same - * namespace for a "producer" route, or the mesh implementation must support - * and allow "consumer" routes for the referenced Service. 
ReferenceGrant is - * not applicable for governing ParentRefs to Services - it is not possible to - * create a "producer" route for a Service in a different namespace from the - * Route. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * This API may be extended in the future to support additional kinds of parent - * resources. - * - * ParentRefs must be _distinct_. This means either that: - * - * * They select different objects. If this is the case, then parentRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, `namespace`, and `name` must - * be unique across all parentRef entries in the Route. - * * They do not select different objects, but for each optional field used, - * each ParentRef that selects the same object must set the same set of - * optional fields to different values. If one ParentRef sets a - * combination of optional fields, all must set the same combination. - * - * Some examples: - * - * * If one ParentRef sets `sectionName`, all ParentRefs referencing the - * same object must also set `sectionName`. - * * If one ParentRef sets `port`, all ParentRefs referencing the same - * object must also set `port`. - * * If one ParentRef sets `sectionName` and `port`, all ParentRefs - * referencing the same object must also set `sectionName` and `port`. - * - * It is possible to separately reference multiple distinct objects that may - * be collapsed by an implementation. For example, some implementations may - * choose to merge compatible Gateway Listeners together. If that is the - * case, the list of routes attached to those resources should also be - * merged. - * - * Note that for ParentRefs that cross namespace boundaries, there are specific - * rules. 
Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example, - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable other kinds of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - */ - parentRefs?: pulumi.Input[]>; - /** - * Rules are a list of actions. - */ - rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; - } - - /** - * TLSRouteRule is the configuration for a given rule. - */ - export interface TLSRouteSpecRules { - /** - * BackendRefs defines the backend(s) where matching requests should be - * sent. 
If unspecified or invalid (refers to a nonexistent resource or - * a Service with no endpoints), the rule performs no forwarding; if no - * filters are specified that would result in a response being sent, the - * underlying implementation must actively reject request attempts to this - * backend, by rejecting the connection or returning a 500 status code. - * Request rejections must respect weight; if an invalid backend is - * requested to have 80% of requests, then 80% of requests must be rejected - * instead. - * - * Support: Core for Kubernetes Service - * - * Support: Extended for Kubernetes ServiceImport - * - * Support: Implementation-specific for any other resource - * - * Support for weight: Extended - */ - backendRefs?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; - } - - /** - * BackendRef defines how a Route should forward a request to a Kubernetes - * resource. - * - * Note that when a namespace different than the local namespace is specified, a - * ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * - * When the BackendRef points to a Kubernetes Service, implementations SHOULD - * honor the appProtocol field if it is set for the target Service Port. - * - * Implementations supporting appProtocol SHOULD recognize the Kubernetes - * Standard Application Protocols defined in KEP-3726. - * - * If a Service appProtocol isn't specified, an implementation MAY infer the - * backend protocol through its own means. Implementations MAY infer the - * protocol from the Route type referring to the backend Service. - * - * If a Route is not able to send traffic to the backend using the specified - * protocol then the backend is considered invalid. 
Implementations MUST set the - * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - * - * - * Note that when the BackendTLSPolicy object is enabled by the implementation, - * there are some extra rules about validity to consider here. See the fields - * where this struct is used for more information about the exact behavior. - */ - export interface TLSRouteSpecRulesBackendRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. 
- * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - /** - * Weight specifies the proportion of requests forwarded to the referenced - * backend. This is computed as weight/(sum of all weights in this - * BackendRefs list). For non-zero values, there may be some epsilon from - * the exact proportion defined here depending on the precision an - * implementation supports. Weight is not a percentage and the sum of - * weights does not need to equal 100. - * - * If only one backend is specified and it has a weight greater than 0, 100% - * of the traffic is forwarded to that backend. If weight is set to 0, no - * traffic should be forwarded for this entry. If unspecified, weight - * defaults to 1. - * - * Support for this field varies based on the context where used. - */ - weight?: pulumi.Input; - } - - /** - * BackendRef defines how a Route should forward a request to a Kubernetes - * resource. - * - * Note that when a namespace different than the local namespace is specified, a - * ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * - * When the BackendRef points to a Kubernetes Service, implementations SHOULD - * honor the appProtocol field if it is set for the target Service Port. - * - * Implementations supporting appProtocol SHOULD recognize the Kubernetes - * Standard Application Protocols defined in KEP-3726. - * - * If a Service appProtocol isn't specified, an implementation MAY infer the - * backend protocol through its own means. Implementations MAY infer the - * protocol from the Route type referring to the backend Service. - * - * If a Route is not able to send traffic to the backend using the specified - * protocol then the backend is considered invalid. 
Implementations MUST set the - * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - * - * - * Note that when the BackendTLSPolicy object is enabled by the implementation, - * there are some extra rules about validity to consider here. See the fields - * where this struct is used for more information about the exact behavior. - */ - export interface TLSRouteSpecRulesBackendRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. 
- * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - /** - * Weight specifies the proportion of requests forwarded to the referenced - * backend. This is computed as weight/(sum of all weights in this - * BackendRefs list). For non-zero values, there may be some epsilon from - * the exact proportion defined here depending on the precision an - * implementation supports. Weight is not a percentage and the sum of - * weights does not need to equal 100. - * - * If only one backend is specified and it has a weight greater than 0, 100% - * of the traffic is forwarded to that backend. If weight is set to 0, no - * traffic should be forwarded for this entry. If unspecified, weight - * defaults to 1. - * - * Support for this field varies based on the context where used. - */ - weight?: pulumi.Input; - } - - /** - * TLSRouteRule is the configuration for a given rule. - */ - export interface TLSRouteSpecRulesPatch { - /** - * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or - * a Service with no endpoints), the rule performs no forwarding; if no - * filters are specified that would result in a response being sent, the - * underlying implementation must actively reject request attempts to this - * backend, by rejecting the connection or returning a 500 status code. - * Request rejections must respect weight; if an invalid backend is - * requested to have 80% of requests, then 80% of requests must be rejected - * instead. - * - * Support: Core for Kubernetes Service - * - * Support: Extended for Kubernetes ServiceImport - * - * Support: Implementation-specific for any other resource - * - * Support for weight: Extended - */ - backendRefs?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
- * - * Support: Extended - */ - name?: pulumi.Input; - } - - /** - * Status defines the current state of TLSRoute. - */ - export interface TLSRouteStatus { - /** - * Parents is a list of parent resources (usually Gateways) that are - * associated with the route, and the status of the route with respect to - * each parent. When this route attaches to a parent, the controller that - * manages the parent must add an entry to this list when the controller - * first sees the route and should update the entry as appropriate when the - * route or gateway is modified. - * - * Note that parent references that cannot be resolved by an implementation - * of this API will not be added to this list. Implementations of this API - * can only populate Route status for the Gateways/parent resources they are - * responsible for. - * - * A maximum of 32 Gateways will be represented in this list. An empty list - * means the route has not been attached to any Gateway. - */ - parents?: pulumi.Input[]>; - } - - /** - * RouteParentStatus describes the status of a route with respect to an - * associated Parent. - */ - export interface TLSRouteStatusParents { - /** - * Conditions describes the status of the route with respect to the Gateway. - * Note that the route's availability is also subject to the Gateway's own - * status conditions and listener status. - * - * If the Route's ParentRef specifies an existing Gateway that supports - * Routes of this kind AND that Gateway's controller has sufficient access, - * then that Gateway's controller MUST set the "Accepted" condition on the - * Route, to indicate whether the route has been accepted or rejected by the - * Gateway, and why. - * - * A Route MUST be considered "Accepted" if at least one of the Route's - * rules is implemented by the Gateway. - * - * There are a number of cases where the "Accepted" condition may not be set - * due to lack of controller visibility, that includes when: - * - * * The Route refers to a nonexistent parent. 
- * * The Route is of a type that the controller does not support. - * * The Route is in a namespace the controller does not have access to. - */ - conditions?: pulumi.Input[]>; - /** - * ControllerName is a domain/path string that indicates the name of the - * controller that wrote this status. This corresponds with the - * controllerName field on GatewayClass. - * - * Example: "example.net/gateway-controller". - * - * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - * valid Kubernetes names - * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - * - * Controllers MUST populate this field when writing status. Controllers should ensure that - * entries to status populated with their ControllerName are cleaned up when they are no - * longer necessary. - */ - controllerName?: pulumi.Input; - parentRef?: pulumi.Input; - } - - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - export interface TLSRouteStatusParentsConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime?: pulumi.Input; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message?: pulumi.Input; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration?: pulumi.Input; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason?: pulumi.Input; - /** - * status of the condition, one of True, False, Unknown. - */ - status?: pulumi.Input; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type?: pulumi.Input; - } - - /** - * ParentRef corresponds with a ParentRef in the spec that this - * RouteParentStatus struct describes the status of. - */ - export interface TLSRouteStatusParentsParentRef { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. 
- * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. - * - * Support: Extended - */ - port?: pulumi.Input; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName?: pulumi.Input; - } - } export namespace v1beta1 { 
@@ -40345,6 +32263,7 @@ export namespace gateway { * GatewayClass describes a class of Gateways available to the user for creating * Gateway resources. * + * * It is recommended that this resource be used as a template for Gateways. This * means that a Gateway is based on the state of the GatewayClass at the time it * was created and changes to the GatewayClass or associated parameters are not @@ -40353,11 +32272,13 @@ export namespace gateway { * If implementations choose to propagate GatewayClass changes to existing * Gateways, that MUST be clearly documented by the implementation. * + * * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the * associated GatewayClass. This ensures that a GatewayClass associated with a * Gateway is not deleted while in use. * + * * GatewayClass is a Cluster level resource. */ export interface GatewayClass { @@ -40385,10 +32306,13 @@ export namespace gateway { * ControllerName is the name of the controller that is managing Gateways of * this class. The value of this field MUST be a domain prefixed path. * + * * Example: "example.net/gateway-controller". * + * * This field is not mutable and cannot be empty. * + * * Support: Core */ controllerName?: pulumi.Input; 
@@ -40404,19 +32328,21 @@ export namespace gateway { * parameters corresponding to the GatewayClass. This is optional if the * controller does not require any additional configuration. * + * * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, * or an implementation-specific custom resource. The resource can be * cluster-scoped or namespace-scoped. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the GatewayClass SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. + * + * If the referent cannot be found, the GatewayClass's "InvalidParameters" + * status condition will be true. + * * * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * + * * Support: Implementation-specific */ export interface GatewayClassSpecParametersRef { 
@@ -40445,19 +32371,21 @@ export namespace gateway { * parameters corresponding to the GatewayClass. This is optional if the * controller does not require any additional configuration. * + * * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, * or an implementation-specific custom resource. The resource can be * cluster-scoped or namespace-scoped. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the GatewayClass SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. + * + * If the referent cannot be found, the GatewayClass's "InvalidParameters" + * status condition will be true. + * * * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * + * * Support: Implementation-specific */ export interface GatewayClassSpecParametersRefPatch { @@ -40489,10 +32417,13 @@ export namespace gateway { * ControllerName is the name of the controller that is managing Gateways of * this class. The value of this field MUST be a domain prefixed path. * + * * Example: "example.net/gateway-controller". * + * * This field is not mutable and cannot be empty. * + * * Support: Core */ controllerName?: pulumi.Input; @@ -40506,6 +32437,7 @@ export namespace gateway { /** * Status defines the current state of GatewayClass. * + * * Implementations MUST populate status on all GatewayClass resources which * specify their controller name. */ 
@@ -40514,19 +32446,36 @@ export namespace gateway { * Conditions is the current status from the controller for * this GatewayClass. * + * * Controllers should prefer to publish conditions using values * of GatewayClassConditionType for the type of each Condition. */ conditions?: pulumi.Input[]>; /** * SupportedFeatures is the set of features the GatewayClass support. - * It MUST be sorted in ascending alphabetical order by the Name key. + * It MUST be sorted in ascending alphabetical order. */ - supportedFeatures?: pulumi.Input[]>; + supportedFeatures?: pulumi.Input[]>; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayClassStatusConditions { /** @@ -40559,18 +32508,14 @@ export namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } - export interface GatewayClassStatusSupportedFeatures { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. - */ - name?: pulumi.Input; - } - /** * Spec defines the desired state of Gateway. */ 
@@ -40579,7 +32524,8 @@ export namespace gateway { * Addresses requested for this Gateway. This is optional and behavior can * depend on the implementation. If a value is set in the spec and the * requested address is invalid or unavailable, the implementation MUST - * indicate this in an associated entry in GatewayStatus.Conditions. + * indicate this in the associated entry in GatewayStatus.Addresses. + * * * The Addresses field represents a request for the address(es) on the * "outside of the Gateway", that traffic bound for this Gateway will use. 
@@ -40587,38 +32533,20 @@ export namespace gateway { * other networking infrastructure, or some other address that traffic will * be sent to. * + * * If no Addresses are specified, the implementation MAY schedule the * Gateway in an implementation-specific manner, assigning an appropriate * set of Addresses. * + * * The implementation MUST bind all Listeners to every GatewayAddress that * it assigns to the Gateway and add a corresponding entry in * GatewayStatus.Addresses. * + * * Support: Extended */ addresses?: pulumi.Input[]>; - allowedListeners?: pulumi.Input; - /** - * DefaultScope, when set, configures the Gateway as a default Gateway, - * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) - * attached to it, according to the scope configured here. - * - * If unset (the default) or set to None, the Gateway will not act as a - * default Gateway; if set, the Gateway will claim any Route with a - * matching scope set in its UseDefaultGateway field, subject to the usual - * rules about which routes the Gateway can attach to. - * - * Think carefully before using this functionality! While the normal rules - * about which Route can apply are still enforced, it is simply easier for - * the wrong Route to be accidentally attached to this Gateway in this - * configuration. If the Gateway operator is not also the operator in - * control of the scope (e.g. namespace) with tight controls and checks on - * what kind of workloads and Routes get added in that scope, we strongly - * recommend not using this just because it seems convenient, and instead - * stick to direct Route attachment. - */ - defaultScope?: pulumi.Input; /** * GatewayClassName used for this Gateway. This is the name of a * GatewayClass resource. 
@@ -40630,7 +32558,6 @@ export namespace gateway { * logical endpoints that are bound on this Gateway's addresses. * At least one Listener MUST be specified. * - * ## Distinct Listeners * * Each Listener in a set of Listeners (for example, in a single Gateway) * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to 
@@ -40639,107 +32566,97 @@ export namespace gateway { * from multiple Gateways onto a single data plane, and these rules _also_ * apply in that case). * + * * Practically, this means that each listener in a set MUST have a unique * combination of Port, Protocol, and, if supported by the protocol, Hostname. * - * Some combinations of port, protocol, and TLS settings are considered - * Core support and MUST be supported by implementations based on the objects - * they support: * - * HTTPRoute + * Some combinations of port, protocol, and TLS settings are considered + * Core support and MUST be supported by implementations based on their + * targeted conformance profile: + * + * + * HTTP Profile + * * * 1. HTTPRoute, Port: 80, Protocol: HTTP * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided * - * TLSRoute + * + * TLS Profile + * * * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough * + * * "Distinct" Listeners have the following property: * - * **The implementation can match inbound requests to a single distinct - * Listener**. * - * When multiple Listeners share values for fields (for + * The implementation can match inbound requests to a single distinct + * Listener. When multiple Listeners share values for fields (for * example, two Listeners with the same Port value), the implementation * can match requests to only one of the Listeners using other * Listener fields. * - * When multiple listeners have the same value for the Protocol field, then - * each of the Listeners with matching Protocol values MUST have different - * values for other fields. * - * The set of fields that MUST be different for a Listener differs per protocol. - * The following rules define the rules for what fields MUST be considered for - * Listeners to be distinct with each protocol currently defined in the - * Gateway API spec. 
+ * For example, the following Listener scenarios are distinct: * - * The set of listeners that all share a protocol value MUST have _different_ - * values for _at least one_ of these fields to be distinct: * - * * **HTTP, HTTPS, TLS**: Port, Hostname - * * **TCP, UDP**: Port + * 1. Multiple Listeners with the same Port that all use the "HTTP" + * Protocol that all have unique Hostname values. + * 2. Multiple Listeners with the same Port that use either the "HTTPS" or + * "TLS" Protocol that all have unique Hostname values. + * 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + * with the same Protocol has the same Port value. * - * One **very** important rule to call out involves what happens when an - * implementation: * - * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - * Listeners, and - * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - * Protocol. + * Some fields in the Listener struct have possible values that affect + * whether the Listener is distinct. Hostname is particularly relevant + * for HTTP or HTTPS protocols. * - * In this case all the Listeners that share a port with the - * TCP Listener are not distinct and so MUST NOT be accepted. * - * If an implementation does not support TCP Protocol Listeners, then the - * previous rule does not apply, and the TCP Listeners SHOULD NOT be - * accepted. + * When using the Hostname value to select between same-Port, same-Protocol + * Listeners, the Hostname value must be different on each Listener for the + * Listener to be distinct. * - * Note that the `tls` field is not used for determining if a listener is distinct, because - * Listeners that _only_ differ on TLS config will still conflict in all cases. 
* - * ### Listeners that are distinct only by Hostname - * - * When the Listeners are distinct based only on Hostname, inbound request + * When the Listeners are distinct based on Hostname, inbound request * hostnames MUST match from the most specific to least specific Hostname * values to choose the correct Listener and its associated set of Routes. * - * Exact matches MUST be processed before wildcard matches, and wildcard - * matches MUST be processed before fallback (empty Hostname value) + * + * Exact matches must be processed before wildcard matches, and wildcard + * matches must be processed before fallback (empty Hostname value) * matches. For example, `"foo.example.com"` takes precedence over * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. * + * * Additionally, if there are multiple wildcard entries, more specific * wildcard entries must be processed before less specific wildcard entries. * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. - * * The precise definition here is that the higher the number of dots in the * hostname to the right of the wildcard character, the higher the precedence. * + * * The wildcard character will match any number of characters _and dots_ to * the left, however, so `"*.example.com"` will match both * `"foo.bar.example.com"` _and_ `"bar.example.com"`. * - * ## Handling indistinct Listeners * * If a set of Listeners contains Listeners that are not distinct, then those - * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + * Listeners are Conflicted, and the implementation MUST set the "Conflicted" * condition in the Listener Status to "True". * - * The words "indistinct" and "conflicted" are considered equivalent for the - * purpose of this documentation. * * Implementations MAY choose to accept a Gateway with some Conflicted * Listeners only if they only accept the partial Listener set that contains - * no Conflicted Listeners. 
+ * no Conflicted Listeners. To put this another way, implementations may + * accept a partial Listener set only if they throw out *all* the conflicting + * Listeners. No picking one of the conflicting listeners as the winner. + * This also means that the Gateway must have at least one non-conflicting + * Listener in this case, otherwise it violates the requirement that at + * least one Listener must be present. * - * Specifically, an implementation MAY accept a partial Listener set subject to - * the following rules: - * - * * The implementation MUST NOT pick one conflicting Listener as the winner. - * ALL indistinct Listeners must not be accepted for processing. - * * At least one distinct Listener MUST be present, or else the Gateway effectively - * contains _no_ Listeners, and must be rejected from processing as a whole. * * The implementation MUST set a "ListenersNotValid" condition on the * Gateway Status when the Gateway contains Conflicted Listeners whether or 
@@ -40748,52 +32665,45 @@ export namespace gateway { * Accepted. Additionally, the Listener status for those listeners SHOULD * indicate which Listeners are conflicted and not Accepted. * - * ## General Listener behavior * - * Note that, for all distinct Listeners, requests SHOULD match at most one Listener. - * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - * request to "foo.example.com" SHOULD only be routed using routes attached - * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * A Gateway's Listeners are considered "compatible" if: * - * This concept is known as "Listener Isolation", and it is an Extended feature - * of Gateway API. Implementations that do not support Listener Isolation MUST - * clearly document this, and MUST NOT claim support for the - * `GatewayHTTPListenerIsolation` feature. - * - * Implementations that _do_ support Listener Isolation SHOULD claim support - * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - * conformance tests. - * - * ## Compatible Listeners - * - * A Gateway's Listeners are considered _compatible_ if: * * 1. They are distinct. * 2. The implementation can serve them in compliance with the Addresses * requirement that all Listeners are available on all assigned * addresses. * + * * Compatible combinations in Extended support are expected to vary across * implementations. A combination that is compatible for one implementation * may not be compatible for another. * + * * For example, an implementation that cannot serve both TCP and UDP listeners * on the same address, or cannot mix HTTPS and generic TLS listens on the same port * would not consider those cases compatible, even though they are distinct. * + * + * Note that requests SHOULD match at most one Listener. 
For example, if + * Listeners are defined for "foo.example.com" and "*.example.com", a + * request to "foo.example.com" SHOULD only be routed using routes attached + * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * This concept is known as "Listener Isolation". Implementations that do + * not support Listener Isolation MUST clearly document this. + * + * * Implementations MAY merge separate Gateways onto a single set of * Addresses if all Listeners across all Gateways are compatible. * - * In a future release the MinItems=1 requirement MAY be dropped. * * Support: Core */ listeners?: pulumi.Input[]>; - tls?: pulumi.Input; } /** - * GatewaySpecAddress describes an address that can be bound to a Gateway. + * GatewayAddress describes an address that can be bound to a Gateway. */ export interface GatewaySpecAddresses { /** @@ -40801,11 +32711,9 @@ export namespace gateway { */ type?: pulumi.Input; /** - * When a value is unspecified, an implementation SHOULD automatically - * assign an address matching the requested type if possible. + * Value of the address. The validity of the values will depend + * on the type and support by the controller. * - * If an implementation does not support an empty value, they MUST set the - * "Programmed" condition in status to False with a reason of "AddressNotAssigned". * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ @@ -40813,7 +32721,7 @@ export namespace gateway { } /** - * GatewaySpecAddress describes an address that can be bound to a Gateway. + * GatewayAddress describes an address that can be bound to a Gateway. */ export interface GatewaySpecAddressesPatch { /** 
@@ -40821,182 +32729,46 @@ export namespace gateway { */ type?: pulumi.Input; /** - * When a value is unspecified, an implementation SHOULD automatically - * assign an address matching the requested type if possible. + * Value of the address. The validity of the values will depend + * on the type and support by the controller. * - * If an implementation does not support an empty value, they MUST set the - * "Programmed" condition in status to False with a reason of "AddressNotAssigned". * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value?: pulumi.Input; } - /** - * AllowedListeners defines which ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - export interface GatewaySpecAllowedListeners { - namespaces?: pulumi.Input; - } - - /** - * Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - export interface GatewaySpecAllowedListenersNamespaces { - /** - * From indicates where ListenerSets can attach to this Gateway. Possible - * values are: - * - * * Same: Only ListenerSets in the same namespace may be attached to this Gateway. - * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. - * * All: ListenerSets in all namespaces may be attached to this Gateway. - * * None: Only listeners defined in the Gateway's spec are allowed - * - * While this feature is experimental, the default value None - */ - from?: pulumi.Input; - selector?: pulumi.Input; - } - - /** - * Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - export interface GatewaySpecAllowedListenersNamespacesPatch { - /** - * From indicates where ListenerSets can attach to this Gateway. 
Possible - * values are: - * - * * Same: Only ListenerSets in the same namespace may be attached to this Gateway. - * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. - * * All: ListenerSets in all namespaces may be attached to this Gateway. - * * None: Only listeners defined in the Gateway's spec are allowed - * - * While this feature is experimental, the default value None - */ - from?: pulumi.Input; - selector?: pulumi.Input; - } - - /** - * Selector must be specified when From is set to "Selector". In that case, - * only ListenerSets in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - */ - export interface GatewaySpecAllowedListenersNamespacesSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key?: pulumi.Input; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator?: pulumi.Input; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values?: pulumi.Input[]>; - } - - /** - * Selector must be specified when From is set to "Selector". In that case, - * only ListenerSets in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - */ - export interface GatewaySpecAllowedListenersNamespacesSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions?: pulumi.Input[]>; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels?: pulumi.Input<{[key: string]: pulumi.Input}>; - } - - /** - * AllowedListeners defines which ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. 
- */ - export interface GatewaySpecAllowedListenersPatch { - namespaces?: pulumi.Input; - } - /** * Infrastructure defines infrastructure level attributes about this Gateway instance. * - * Support: Extended + * + * Support: Core */ export interface GatewaySpecInfrastructure { /** * Annotations that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. * + * * An implementation may chose to add additional implementation-specific annotations as they see fit. * + * * Support: Extended */ annotations?: pulumi.Input<{[key: string]: pulumi.Input}>; /** * Labels that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. * For other implementations, this refers to any relevant (implementation specific) "labels" concepts. * + * * An implementation may chose to add additional implementation-specific labels as they see fit. * - * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - * change, it SHOULD clearly warn about this behavior in documentation. * * Support: Extended */ 
@@ -41009,16 +32781,14 @@ export namespace gateway { * parameters corresponding to the Gateway. This is optional if the * controller does not require any additional configuration. * + * * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis * + * * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Gateway SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. * * Support: Implementation-specific */ @@ -41042,16 +32812,14 @@ export namespace gateway { * parameters corresponding to the Gateway. This is optional if the * controller does not require any additional configuration. * + * * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis * + * * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Gateway SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. * * Support: Implementation-specific */ 
@@ -41073,30 +32841,34 @@ export namespace gateway { /** * Infrastructure defines infrastructure level attributes about this Gateway instance. * - * Support: Extended + * + * Support: Core */ export interface GatewaySpecInfrastructurePatch { /** * Annotations that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. * + * * An implementation may chose to add additional implementation-specific annotations as they see fit. * + * * Support: Extended */ annotations?: pulumi.Input<{[key: string]: pulumi.Input}>; /** * Labels that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. * For other implementations, this refers to any relevant (implementation specific) "labels" concepts. * + * * An implementation may chose to add additional implementation-specific labels as they see fit. * - * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - * change, it SHOULD clearly warn about this behavior in documentation. * * Support: Extended */ 
@@ -41116,36 +32888,18 @@ export namespace gateway { * field is ignored for protocols that don't require hostname based * matching. * + * * Implementations MUST apply Hostname matching appropriately for each of * the following protocols: * + * * * TLS: The Listener Hostname MUST match the SNI. * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - * Note that this does not require the SNI and Host header to be the same. - * The semantics of this are described in more detail below. + * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + * protocol layers as described above. If an implementation does not + * ensure that both the SNI and Host header match the Listener hostname, + * it MUST clearly document that. * - * To ensure security, Section 11.1 of RFC-6066 emphasizes that server - * implementations that rely on SNI hostname matching MUST also verify - * hostnames within the application protocol. - * - * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - * reuse of a connection by responding with the HTTP 421 Misdirected Request - * status code. This indicates that the origin server has rejected the - * request because it appears to have been misdirected. - * - * To detect misdirected requests, Gateways SHOULD match the authority of - * the requests with all the SNI hostname(s) configured across all the - * Gateway Listeners on the same port and protocol: - * - * * If another Listener has an exact match or more specific wildcard entry, - * the Gateway SHOULD return a 421. - * * If the current Listener (selected by SNI matching during ClientHello) - * does not match the Host: - * * If another Listener does match the Host the Gateway SHOULD return a - * 421. - * * If no other Listener matches the Host, the Gateway MUST return a - * 404. 
* * For HTTPRoute and TLSRoute resources, there is an interaction with the * `spec.hostnames` array. When both listener and route specify hostnames, @@ -41153,10 +32907,12 @@ export namespace gateway { * accepted. For more information, refer to the Route specific Hostnames * documentation. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * Support: Core */ hostname?: pulumi.Input; @@ -41164,6 +32920,7 @@ export namespace gateway { * Name is the name of the Listener. This name MUST be unique within a * Gateway. * + * * Support: Core */ name?: pulumi.Input; @@ -41171,12 +32928,14 @@ export namespace gateway { * Port is the network port. Multiple listeners may use the * same port, subject to the Listener compatibility rules. * + * * Support: Core */ port?: pulumi.Input; /** * Protocol specifies the network protocol this listener expects to receive. * + * * Support: Core */ protocol?: pulumi.Input; @@ -41188,10 +32947,12 @@ export namespace gateway { * Listener and the trusted namespaces where those Route resources MAY be * present. * + * * Although a client request may match multiple route rules, only one rule * may ultimately receive the request. Matching precedence MUST be * determined in order of the following criteria: * + * * * The most specific match as defined by the Route type. * * The oldest Route based on creation timestamp. For example, a Route with * a creation timestamp of "2020-09-08 01:02:03" is given precedence over 
@@ -41200,6 +32961,7 @@ export namespace gateway { * alphabetical order (namespace/name) should be given precedence. For * example, foo/bar is given precedence over foo/baz. * + * * All valid rules within a Route attached to this Listener should be * implemented. Invalid Route rules can be ignored (sometimes that will mean * the full Route). If a Route rule transitions from valid to invalid, @@ -41207,6 +32969,7 @@ export namespace gateway { * example, even if a filter specified by a Route rule is invalid, the rest * of the rules within that Route should still be supported. * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutes { @@ -41215,12 +32978,14 @@ export namespace gateway { * to this Gateway Listener. When unspecified or empty, the kinds of Routes * selected are determined using the Listener protocol. * + * * A RouteGroupKind MUST correspond to kinds of Routes that are compatible * with the application protocol specified in the Listener's Protocol field. * If an implementation does not support or recognize this resource type, it * MUST set the "ResolvedRefs" condition to False for this Listener with the * "InvalidRouteKinds" reason. * + * * Support: Core */ kinds?: pulumi.Input[]>; @@ -41259,6 +33024,7 @@ export namespace gateway { * Namespaces indicates namespaces from which Routes may be attached to this * Listener. This is restricted to the namespace of this Gateway by default. * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesNamespaces { @@ -41266,11 +33032,13 @@ export namespace gateway { * From indicates where Routes will be selected for this Gateway. Possible * values are: * + * * * All: Routes in all namespaces may be used by this Gateway. * * Selector: Routes in namespaces selected by the selector may be used by * this Gateway. * * Same: Only Routes in the same namespace may be used by this Gateway. * + * * Support: Core */ from?: pulumi.Input; 
@@ -41281,6 +33049,7 @@ export namespace gateway { * Namespaces indicates namespaces from which Routes may be attached to this * Listener. This is restricted to the namespace of this Gateway by default. * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesNamespacesPatch { @@ -41288,11 +33057,13 @@ export namespace gateway { * From indicates where Routes will be selected for this Gateway. Possible * values are: * + * * * All: Routes in all namespaces may be used by this Gateway. * * Selector: Routes in namespaces selected by the selector may be used by * this Gateway. * * Same: Only Routes in the same namespace may be used by this Gateway. * + * * Support: Core */ from?: pulumi.Input; @@ -41304,6 +33075,7 @@ export namespace gateway { * only Routes in Namespaces matching this Selector will be selected by this * Gateway. This field is ignored for other values of "From". * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesNamespacesSelector { @@ -41370,6 +33142,7 @@ export namespace gateway { * only Routes in Namespaces matching this Selector will be selected by this * Gateway. This field is ignored for other values of "From". * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch { @@ -41390,10 +33163,12 @@ export namespace gateway { * Listener and the trusted namespaces where those Route resources MAY be * present. * + * * Although a client request may match multiple route rules, only one rule * may ultimately receive the request. Matching precedence MUST be * determined in order of the following criteria: * + * * * The most specific match as defined by the Route type. * * The oldest Route based on creation timestamp. For example, a Route with * a creation timestamp of "2020-09-08 01:02:03" is given precedence over 
@@ -41402,6 +33177,7 @@ export namespace gateway { * alphabetical order (namespace/name) should be given precedence. For * example, foo/bar is given precedence over foo/baz. * + * * All valid rules within a Route attached to this Listener should be * implemented. Invalid Route rules can be ignored (sometimes that will mean * the full Route). If a Route rule transitions from valid to invalid, @@ -41409,6 +33185,7 @@ export namespace gateway { * example, even if a filter specified by a Route rule is invalid, the rest * of the rules within that Route should still be supported. * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesPatch { @@ -41417,12 +33194,14 @@ export namespace gateway { * to this Gateway Listener. When unspecified or empty, the kinds of Routes * selected are determined using the Listener protocol. * + * * A RouteGroupKind MUST correspond to kinds of Routes that are compatible * with the application protocol specified in the Listener's Protocol field. * If an implementation does not support or recognize this resource type, it * MUST set the "ResolvedRefs" condition to False for this Listener with the * "InvalidRouteKinds" reason. * + * * Support: Core */ kinds?: pulumi.Input[]>; 
@@ -41441,36 +33220,18 @@ export namespace gateway { * field is ignored for protocols that don't require hostname based * matching. * + * * Implementations MUST apply Hostname matching appropriately for each of * the following protocols: * + * * * TLS: The Listener Hostname MUST match the SNI. * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - * Note that this does not require the SNI and Host header to be the same. - * The semantics of this are described in more detail below. + * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + * protocol layers as described above. If an implementation does not + * ensure that both the SNI and Host header match the Listener hostname, + * it MUST clearly document that. * - * To ensure security, Section 11.1 of RFC-6066 emphasizes that server - * implementations that rely on SNI hostname matching MUST also verify - * hostnames within the application protocol. - * - * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - * reuse of a connection by responding with the HTTP 421 Misdirected Request - * status code. This indicates that the origin server has rejected the - * request because it appears to have been misdirected. - * - * To detect misdirected requests, Gateways SHOULD match the authority of - * the requests with all the SNI hostname(s) configured across all the - * Gateway Listeners on the same port and protocol: - * - * * If another Listener has an exact match or more specific wildcard entry, - * the Gateway SHOULD return a 421. - * * If the current Listener (selected by SNI matching during ClientHello) - * does not match the Host: - * * If another Listener does match the Host the Gateway SHOULD return a - * 421. - * * If no other Listener matches the Host, the Gateway MUST return a - * 404. 
* * For HTTPRoute and TLSRoute resources, there is an interaction with the * `spec.hostnames` array. When both listener and route specify hostnames, @@ -41478,10 +33239,12 @@ export namespace gateway { * accepted. For more information, refer to the Route specific Hostnames * documentation. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * Support: Core */ hostname?: pulumi.Input; @@ -41489,6 +33252,7 @@ export namespace gateway { * Name is the name of the Listener. This name MUST be unique within a * Gateway. * + * * Support: Core */ name?: pulumi.Input; @@ -41496,12 +33260,14 @@ export namespace gateway { * Port is the network port. Multiple listeners may use the * same port, subject to the Listener compatibility rules. * + * * Support: Core */ port?: pulumi.Input; /** * Protocol specifies the network protocol this listener expects to receive. * + * * Support: Core */ protocol?: pulumi.Input; @@ -41513,12 +33279,15 @@ export namespace gateway { * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field * if the Protocol field is "HTTP", "TCP", or "UDP". * - * The association of SNIs to Certificate defined in ListenerTLSConfig is + * + * The association of SNIs to Certificate defined in GatewayTLSConfig is * defined based on the Hostname field for this listener. * + * * The GatewayClass MUST use the longest matching SNI out of all * available certificates for any TLS handshake. * + * * Support: Core */ export interface GatewaySpecListenersTls { 
@@ -41528,31 +33297,39 @@ export namespace gateway { * establish a TLS handshake for requests that match the hostname of the * associated listener. * + * * A single CertificateRef to a Kubernetes Secret has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a Listener, but this behavior is implementation-specific. * + * * References to a resource in different namespace are invalid UNLESS there * is a ReferenceGrant in the target namespace that allows the certificate * to be attached. If a ReferenceGrant does not allow this reference, the * "ResolvedRefs" condition MUST be set to False for this listener with the * "RefNotPermitted" reason. * + * * This field is required to have at least one element when the mode is set * to "Terminate" (default) and is optional otherwise. * + * * CertificateRefs can reference to standard Kubernetes resources, i.e. * Secret, or implementation-specific custom resources. * + * * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls * + * * Support: Implementation-specific (More than one reference or other resource types) */ certificateRefs?: pulumi.Input[]>; + frontendValidation?: pulumi.Input; /** * Mode defines the TLS behavior for the TLS session initiated by the client. * There are two possible modes: * + * * - Terminate: The TLS session between the downstream client and the * Gateway is terminated at the Gateway. This mode requires certificates * to be specified in some way, such as populating the certificateRefs @@ -41562,6 +33339,7 @@ export namespace gateway { * the ClientHello message of the TLS protocol. The certificateRefs field * is ignored in this mode. * + * * Support: Core */ mode?: pulumi.Input; 
@@ -41570,11 +33348,13 @@ export namespace gateway { * configuration for each implementation. For example, configuring the * minimum TLS version or supported cipher suites. * + * * A set of common keys MAY be defined by the API in the future. To avoid * any ambiguity, implementation-specific definitions MUST use * domain-prefixed names, such as `example.com/my-custom-option`. * Un-prefixed names are reserved for key names defined by Gateway API. * + * * Support: Implementation-specific */ options?: pulumi.Input<{[key: string]: pulumi.Input}>; @@ -41584,9 +33364,11 @@ export namespace gateway { * SecretObjectReference identifies an API object including its namespace, * defaulting to Secret. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. @@ -41609,11 +33391,13 @@ export namespace gateway { * Namespace is the namespace of the referenced object. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -41623,9 +33407,11 @@ export namespace gateway { * SecretObjectReference identifies an API object including its namespace, * defaulting to Secret. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. 
@@ -41648,27 +33434,198 @@ export namespace gateway { * Namespace is the namespace of the referenced object. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; } + /** + * FrontendValidation holds configuration information for validating the frontend (client). + * Setting this field will require clients to send a client certificate + * required for validation during the TLS handshake. In browsers this may result in a dialog appearing + * that requests a user to specify the client certificate. + * The maximum depth of a certificate chain accepted in verification is Implementation specific. + * + * + * Support: Extended + */ + export interface GatewaySpecListenersTlsFrontendValidation { + /** + * CACertificateRefs contains one or more references to + * Kubernetes objects that contain TLS certificates of + * the Certificate Authorities that can be used + * as a trust anchor to validate the certificates presented by the client. + * + * + * A single CA certificate reference to a Kubernetes ConfigMap + * has "Core" support. + * Implementations MAY choose to support attaching multiple CA certificates to + * a Listener, but this behavior is implementation-specific. + * + * + * Support: Core - A single reference to a Kubernetes ConfigMap + * with the CA certificate in a key named `ca.crt`. + * + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). + * + * + * References to a resource in a different namespace are invalid UNLESS there + * is a ReferenceGrant in the target namespace that allows the certificate + * to be attached. 
If a ReferenceGrant does not allow this reference, the + * "ResolvedRefs" condition MUST be set to False for this listener with the + * "RefNotPermitted" reason. + */ + caCertificateRefs?: pulumi.Input[]>; + } + + /** + * ObjectReference identifies an API object including its namespace. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + * + * + * References to objects with invalid Group and Kind are not valid, and must + * be rejected by the implementation, with appropriate Conditions set + * on the containing object. + */ + export interface GatewaySpecListenersTlsFrontendValidationCaCertificateRefs { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. For example "ConfigMap" or "Service". + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the referenced object. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace?: pulumi.Input; + } + + /** + * ObjectReference identifies an API object including its namespace. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + * + * + * References to objects with invalid Group and Kind are not valid, and must + * be rejected by the implementation, with appropriate Conditions set + * on the containing object. 
+ */ + export interface GatewaySpecListenersTlsFrontendValidationCaCertificateRefsPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group?: pulumi.Input; + /** + * Kind is kind of the referent. For example "ConfigMap" or "Service". + */ + kind?: pulumi.Input; + /** + * Name is the name of the referent. + */ + name?: pulumi.Input; + /** + * Namespace is the namespace of the referenced object. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace?: pulumi.Input; + } + + /** + * FrontendValidation holds configuration information for validating the frontend (client). + * Setting this field will require clients to send a client certificate + * required for validation during the TLS handshake. In browsers this may result in a dialog appearing + * that requests a user to specify the client certificate. + * The maximum depth of a certificate chain accepted in verification is Implementation specific. + * + * + * Support: Extended + */ + export interface GatewaySpecListenersTlsFrontendValidationPatch { + /** + * CACertificateRefs contains one or more references to + * Kubernetes objects that contain TLS certificates of + * the Certificate Authorities that can be used + * as a trust anchor to validate the certificates presented by the client. + * + * + * A single CA certificate reference to a Kubernetes ConfigMap + * has "Core" support. + * Implementations MAY choose to support attaching multiple CA certificates to + * a Listener, but this behavior is implementation-specific. 
+ * + * + * Support: Core - A single reference to a Kubernetes ConfigMap + * with the CA certificate in a key named `ca.crt`. + * + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). + * + * + * References to a resource in a different namespace are invalid UNLESS there + * is a ReferenceGrant in the target namespace that allows the certificate + * to be attached. If a ReferenceGrant does not allow this reference, the + * "ResolvedRefs" condition MUST be set to False for this listener with the + * "RefNotPermitted" reason. + */ + caCertificateRefs?: pulumi.Input[]>; + } + /** * TLS is the TLS configuration for the Listener. This field is required if * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field * if the Protocol field is "HTTP", "TCP", or "UDP". * - * The association of SNIs to Certificate defined in ListenerTLSConfig is + * + * The association of SNIs to Certificate defined in GatewayTLSConfig is * defined based on the Hostname field for this listener. * + * * The GatewayClass MUST use the longest matching SNI out of all * available certificates for any TLS handshake. * + * * Support: Core */ export interface GatewaySpecListenersTlsPatch { 
@@ -41678,31 +33635,39 @@ export namespace gateway { * establish a TLS handshake for requests that match the hostname of the * associated listener. * + * * A single CertificateRef to a Kubernetes Secret has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a Listener, but this behavior is implementation-specific. * + * * References to a resource in different namespace are invalid UNLESS there * is a ReferenceGrant in the target namespace that allows the certificate * to be attached. If a ReferenceGrant does not allow this reference, the * "ResolvedRefs" condition MUST be set to False for this listener with the * "RefNotPermitted" reason. * + * * This field is required to have at least one element when the mode is set * to "Terminate" (default) and is optional otherwise. * + * * CertificateRefs can reference to standard Kubernetes resources, i.e. * Secret, or implementation-specific custom resources. * + * * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls * + * * Support: Implementation-specific (More than one reference or other resource types) */ certificateRefs?: pulumi.Input[]>; + frontendValidation?: pulumi.Input; /** * Mode defines the TLS behavior for the TLS session initiated by the client. * There are two possible modes: * + * * - Terminate: The TLS session between the downstream client and the * Gateway is terminated at the Gateway. This mode requires certificates * to be specified in some way, such as populating the certificateRefs @@ -41712,6 +33677,7 @@ export namespace gateway { * the ClientHello message of the TLS protocol. The certificateRefs field * is ignored in this mode. * + * * Support: Core */ mode?: pulumi.Input; 
@@ -41720,11 +33686,13 @@ export namespace gateway { * configuration for each implementation. For example, configuring the * minimum TLS version or supported cipher suites. * + * * A set of common keys MAY be defined by the API in the future. To avoid * any ambiguity, implementation-specific definitions MUST use * domain-prefixed names, such as `example.com/my-custom-option`. * Un-prefixed names are reserved for key names defined by Gateway API. * + * * Support: Implementation-specific */ options?: pulumi.Input<{[key: string]: pulumi.Input}>; @@ -41738,7 +33706,8 @@ export namespace gateway { * Addresses requested for this Gateway. This is optional and behavior can * depend on the implementation. If a value is set in the spec and the * requested address is invalid or unavailable, the implementation MUST - * indicate this in an associated entry in GatewayStatus.Conditions. + * indicate this in the associated entry in GatewayStatus.Addresses. + * * * The Addresses field represents a request for the address(es) on the * "outside of the Gateway", that traffic bound for this Gateway will use. 
@@ -41746,38 +33715,20 @@ export namespace gateway { * other networking infrastructure, or some other address that traffic will * be sent to. * + * * If no Addresses are specified, the implementation MAY schedule the * Gateway in an implementation-specific manner, assigning an appropriate * set of Addresses. * + * * The implementation MUST bind all Listeners to every GatewayAddress that * it assigns to the Gateway and add a corresponding entry in * GatewayStatus.Addresses. * + * * Support: Extended */ addresses?: pulumi.Input[]>; - allowedListeners?: pulumi.Input; - /** - * DefaultScope, when set, configures the Gateway as a default Gateway, - * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) - * attached to it, according to the scope configured here. - * - * If unset (the default) or set to None, the Gateway will not act as a - * default Gateway; if set, the Gateway will claim any Route with a - * matching scope set in its UseDefaultGateway field, subject to the usual - * rules about which routes the Gateway can attach to. - * - * Think carefully before using this functionality! While the normal rules - * about which Route can apply are still enforced, it is simply easier for - * the wrong Route to be accidentally attached to this Gateway in this - * configuration. If the Gateway operator is not also the operator in - * control of the scope (e.g. namespace) with tight controls and checks on - * what kind of workloads and Routes get added in that scope, we strongly - * recommend not using this just because it seems convenient, and instead - * stick to direct Route attachment. - */ - defaultScope?: pulumi.Input; /** * GatewayClassName used for this Gateway. This is the name of a * GatewayClass resource. 
@@ -41789,7 +33740,6 @@ export namespace gateway { * logical endpoints that are bound on this Gateway's addresses. * At least one Listener MUST be specified. * - * ## Distinct Listeners * * Each Listener in a set of Listeners (for example, in a single Gateway) * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to 
@@ -41798,107 +33748,97 @@ export namespace gateway { * from multiple Gateways onto a single data plane, and these rules _also_ * apply in that case). * + * * Practically, this means that each listener in a set MUST have a unique * combination of Port, Protocol, and, if supported by the protocol, Hostname. * - * Some combinations of port, protocol, and TLS settings are considered - * Core support and MUST be supported by implementations based on the objects - * they support: * - * HTTPRoute + * Some combinations of port, protocol, and TLS settings are considered + * Core support and MUST be supported by implementations based on their + * targeted conformance profile: + * + * + * HTTP Profile + * * * 1. HTTPRoute, Port: 80, Protocol: HTTP * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided * - * TLSRoute + * + * TLS Profile + * * * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough * + * * "Distinct" Listeners have the following property: * - * **The implementation can match inbound requests to a single distinct - * Listener**. * - * When multiple Listeners share values for fields (for + * The implementation can match inbound requests to a single distinct + * Listener. When multiple Listeners share values for fields (for * example, two Listeners with the same Port value), the implementation * can match requests to only one of the Listeners using other * Listener fields. * - * When multiple listeners have the same value for the Protocol field, then - * each of the Listeners with matching Protocol values MUST have different - * values for other fields. * - * The set of fields that MUST be different for a Listener differs per protocol. - * The following rules define the rules for what fields MUST be considered for - * Listeners to be distinct with each protocol currently defined in the - * Gateway API spec. 
+ * For example, the following Listener scenarios are distinct: * - * The set of listeners that all share a protocol value MUST have _different_ - * values for _at least one_ of these fields to be distinct: * - * * **HTTP, HTTPS, TLS**: Port, Hostname - * * **TCP, UDP**: Port + * 1. Multiple Listeners with the same Port that all use the "HTTP" + * Protocol that all have unique Hostname values. + * 2. Multiple Listeners with the same Port that use either the "HTTPS" or + * "TLS" Protocol that all have unique Hostname values. + * 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + * with the same Protocol has the same Port value. * - * One **very** important rule to call out involves what happens when an - * implementation: * - * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - * Listeners, and - * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - * Protocol. + * Some fields in the Listener struct have possible values that affect + * whether the Listener is distinct. Hostname is particularly relevant + * for HTTP or HTTPS protocols. * - * In this case all the Listeners that share a port with the - * TCP Listener are not distinct and so MUST NOT be accepted. * - * If an implementation does not support TCP Protocol Listeners, then the - * previous rule does not apply, and the TCP Listeners SHOULD NOT be - * accepted. + * When using the Hostname value to select between same-Port, same-Protocol + * Listeners, the Hostname value must be different on each Listener for the + * Listener to be distinct. * - * Note that the `tls` field is not used for determining if a listener is distinct, because - * Listeners that _only_ differ on TLS config will still conflict in all cases. 
* - * ### Listeners that are distinct only by Hostname - * - * When the Listeners are distinct based only on Hostname, inbound request + * When the Listeners are distinct based on Hostname, inbound request * hostnames MUST match from the most specific to least specific Hostname * values to choose the correct Listener and its associated set of Routes. * - * Exact matches MUST be processed before wildcard matches, and wildcard - * matches MUST be processed before fallback (empty Hostname value) + * + * Exact matches must be processed before wildcard matches, and wildcard + * matches must be processed before fallback (empty Hostname value) * matches. For example, `"foo.example.com"` takes precedence over * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. * + * * Additionally, if there are multiple wildcard entries, more specific * wildcard entries must be processed before less specific wildcard entries. * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. - * * The precise definition here is that the higher the number of dots in the * hostname to the right of the wildcard character, the higher the precedence. * + * * The wildcard character will match any number of characters _and dots_ to * the left, however, so `"*.example.com"` will match both * `"foo.bar.example.com"` _and_ `"bar.example.com"`. * - * ## Handling indistinct Listeners * * If a set of Listeners contains Listeners that are not distinct, then those - * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + * Listeners are Conflicted, and the implementation MUST set the "Conflicted" * condition in the Listener Status to "True". * - * The words "indistinct" and "conflicted" are considered equivalent for the - * purpose of this documentation. * * Implementations MAY choose to accept a Gateway with some Conflicted * Listeners only if they only accept the partial Listener set that contains - * no Conflicted Listeners. 
+ * no Conflicted Listeners. To put this another way, implementations may + * accept a partial Listener set only if they throw out *all* the conflicting + * Listeners. No picking one of the conflicting listeners as the winner. + * This also means that the Gateway must have at least one non-conflicting + * Listener in this case, otherwise it violates the requirement that at + * least one Listener must be present. * - * Specifically, an implementation MAY accept a partial Listener set subject to - * the following rules: - * - * * The implementation MUST NOT pick one conflicting Listener as the winner. - * ALL indistinct Listeners must not be accepted for processing. - * * At least one distinct Listener MUST be present, or else the Gateway effectively - * contains _no_ Listeners, and must be rejected from processing as a whole. * * The implementation MUST set a "ListenersNotValid" condition on the * Gateway Status when the Gateway contains Conflicted Listeners whether or 
@@ -41907,656 +33847,41 @@ export namespace gateway { * Accepted. Additionally, the Listener status for those listeners SHOULD * indicate which Listeners are conflicted and not Accepted. * - * ## General Listener behavior * - * Note that, for all distinct Listeners, requests SHOULD match at most one Listener. - * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - * request to "foo.example.com" SHOULD only be routed using routes attached - * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * A Gateway's Listeners are considered "compatible" if: * - * This concept is known as "Listener Isolation", and it is an Extended feature - * of Gateway API. Implementations that do not support Listener Isolation MUST - * clearly document this, and MUST NOT claim support for the - * `GatewayHTTPListenerIsolation` feature. - * - * Implementations that _do_ support Listener Isolation SHOULD claim support - * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - * conformance tests. - * - * ## Compatible Listeners - * - * A Gateway's Listeners are considered _compatible_ if: * * 1. They are distinct. * 2. The implementation can serve them in compliance with the Addresses * requirement that all Listeners are available on all assigned * addresses. * + * * Compatible combinations in Extended support are expected to vary across * implementations. A combination that is compatible for one implementation * may not be compatible for another. * + * * For example, an implementation that cannot serve both TCP and UDP listeners * on the same address, or cannot mix HTTPS and generic TLS listens on the same port * would not consider those cases compatible, even though they are distinct. * + * + * Note that requests SHOULD match at most one Listener. 
For example, if + * Listeners are defined for "foo.example.com" and "*.example.com", a + * request to "foo.example.com" SHOULD only be routed using routes attached + * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * This concept is known as "Listener Isolation". Implementations that do + * not support Listener Isolation MUST clearly document this. + * + * * Implementations MAY merge separate Gateways onto a single set of * Addresses if all Listeners across all Gateways are compatible. * - * In a future release the MinItems=1 requirement MAY be dropped. * * Support: Core */ listeners?: pulumi.Input[]>; - tls?: pulumi.Input; - } - - /** - * TLS specifies frontend and backend tls configuration for entire gateway. - * - * Support: Extended - */ - export interface GatewaySpecTls { - backend?: pulumi.Input; - frontend?: pulumi.Input; - } - - /** - * Backend describes TLS configuration for gateway when connecting - * to backends. - * - * Note that this contains only details for the Gateway as a TLS client, - * and does _not_ imply behavior about how to choose which backend should - * get a TLS connection. That is determined by the presence of a BackendTLSPolicy. - * - * Support: Core - */ - export interface GatewaySpecTlsBackend { - clientCertificateRef?: pulumi.Input; - } - - /** - * ClientCertificateRef is a reference to an object that contains a Client - * Certificate and the associated private key. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * ClientCertificateRef can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. 
- * - * Support: Core - */ - export interface GatewaySpecTlsBackendClientCertificateRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - - /** - * ClientCertificateRef is a reference to an object that contains a Client - * Certificate and the associated private key. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * ClientCertificateRef can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - */ - export interface GatewaySpecTlsBackendClientCertificateRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. 
When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - - /** - * Backend describes TLS configuration for gateway when connecting - * to backends. - * - * Note that this contains only details for the Gateway as a TLS client, - * and does _not_ imply behavior about how to choose which backend should - * get a TLS connection. That is determined by the presence of a BackendTLSPolicy. - * - * Support: Core - */ - export interface GatewaySpecTlsBackendPatch { - clientCertificateRef?: pulumi.Input; - } - - /** - * Frontend describes TLS config when client connects to Gateway. - * Support: Core - */ - export interface GatewaySpecTlsFrontend { - default?: pulumi.Input; - /** - * PerPort specifies tls configuration assigned per port. - * Per port configuration is optional. Once set this configuration overrides - * the default configuration for all Listeners handling HTTPS traffic - * that match this port. - * Each override port requires a unique TLS configuration. - * - * support: Core - */ - perPort?: pulumi.Input[]>; - } - - /** - * Default specifies the default client certificate validation configuration - * for all Listeners handling HTTPS traffic, unless a per-port configuration - * is defined. - * - * support: Core - */ - export interface GatewaySpecTlsFrontendDefault { - validation?: pulumi.Input; - } - - /** - * Default specifies the default client certificate validation configuration - * for all Listeners handling HTTPS traffic, unless a per-port configuration - * is defined. 
- * - * support: Core - */ - export interface GatewaySpecTlsFrontendDefaultPatch { - validation?: pulumi.Input; - } - - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendDefaultValidation { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * FrontendValidationMode defines the mode for validating the client certificate. 
- * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode?: pulumi.Input; - } - - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. 
- * - * Support: Core - */ - namespace?: pulumi.Input; - } - - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. 
- * - * Support: Core - */ - export interface GatewaySpecTlsFrontendDefaultValidationPatch { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. 
- * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode?: pulumi.Input; - } - - /** - * Frontend describes TLS config when client connects to Gateway. - * Support: Core - */ - export interface GatewaySpecTlsFrontendPatch { - default?: pulumi.Input; - /** - * PerPort specifies tls configuration assigned per port. - * Per port configuration is optional. Once set this configuration overrides - * the default configuration for all Listeners handling HTTPS traffic - * that match this port. - * Each override port requires a unique TLS configuration. - * - * support: Core - */ - perPort?: pulumi.Input[]>; - } - - export interface GatewaySpecTlsFrontendPerPort { - /** - * The Port indicates the Port Number to which the TLS configuration will be - * applied. This configuration will be applied to all Listeners handling HTTPS - * traffic that match this port. - * - * Support: Core - */ - port?: pulumi.Input; - tls?: pulumi.Input; - } - - export interface GatewaySpecTlsFrontendPerPortPatch { - /** - * The Port indicates the Port Number to which the TLS configuration will be - * applied. This configuration will be applied to all Listeners handling HTTPS - * traffic that match this port. - * - * Support: Core - */ - port?: pulumi.Input; - tls?: pulumi.Input; - } - - /** - * TLS store the configuration that will be applied to all Listeners handling - * HTTPS traffic and matching given port. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendPerPortTls { - validation?: pulumi.Input; - } - - /** - * TLS store the configuration that will be applied to all Listeners handling - * HTTPS traffic and matching given port. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendPerPortTlsPatch { - validation?: pulumi.Input; - } - - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. 
- * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendPerPortTlsValidation { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. 
- * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode?: pulumi.Input; - } - - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. 
- */ - export interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - } - - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendPerPortTlsValidationPatch { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. 
- * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs?: pulumi.Input[]>; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode?: pulumi.Input; - } - - /** - * TLS specifies frontend and backend tls configuration for entire gateway. - * - * Support: Extended - */ - export interface GatewaySpecTlsPatch { - backend?: pulumi.Input; - frontend?: pulumi.Input; } /** 
@@ -42567,9 +33892,11 @@ export namespace gateway { * Addresses lists the network addresses that have been bound to the * Gateway. * + * * This list may differ from the addresses provided in the spec under some * conditions: * + * * * no addresses are specified, all addresses are dynamically assigned * * a combination of specified and dynamic addresses are assigned * * a specified address was unusable (e.g. already in use) @@ -42578,13 +33905,16 @@ export namespace gateway { /** * Conditions describe the current conditions of the Gateway. * + * * Implementations should prefer to express Gateway conditions * using the `GatewayConditionType` and `GatewayConditionReason` * constants so that operators and tools can converge on a common * vocabulary to describe Gateway state. * + * * Known condition types are: * + * * * "Accepted" * * "Programmed" * * "Ready" @@ -42608,6 +33938,7 @@ export namespace gateway { * Value of the address. The validity of the values will depend * on the type and support by the controller. * + * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value?: pulumi.Input; @@ -42615,6 +33946,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayStatusConditions { /** 
@@ -42647,6 +33994,10 @@ export namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } @@ -42659,6 +34010,7 @@ export namespace gateway { * AttachedRoutes represents the total number of Routes that have been * successfully attached to this Listener. * + * * Successful attachment of a Route to a Listener is based solely on the * combination of the AllowedRoutes field on the corresponding Listener * and the Route's ParentRefs field. A Route is successfully attached to @@ -42671,6 +34023,7 @@ export namespace gateway { * for Listeners with condition Accepted: false and MUST count successfully * attached Routes that may themselves have Accepted: false conditions. * + * * Uses for this field include troubleshooting Route attachment and * measuring blast radius/impact of changes to a Listener. */ @@ -42688,6 +34041,7 @@ export namespace gateway { * listener. This MUST represent the kinds an implementation supports for * that Listener configuration. * + * * If kinds are specified in Spec that are not supported, they MUST NOT * appear in this list and an implementation MUST set the "ResolvedRefs" * condition to "False" with the "InvalidRouteKinds" reason. If both valid 
@@ -42699,6 +34053,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayStatusListenersConditions { /** @@ -42731,6 +34101,10 @@ export namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } 
@@ -42783,17 +34157,21 @@ export namespace gateway { * performing a match and (absent of any applicable header modification * configuration) MUST forward this header unmodified to the backend. * + * * Valid values for Hostnames are determined by RFC 1123 definition of a * hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and HTTPRoute, there * must be at least one intersecting hostname for the HTTPRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches HTTPRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -42804,31 +34182,38 @@ export namespace gateway { * all match. On the other hand, `example.com` and `test.example.net` would * not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and HTTPRoute have specified hostnames, any * HTTPRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * HTTPRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and HTTPRoute have specified hostnames, and none * match with the criteria above, then the HTTPRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. * overlapping wildcard matching and exact matching hostnames), precedence must * be given to rules from the HTTPRoute with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * + * * If ties exist across multiple Routes, the matching precedence rules for * HTTPRouteMatches takes over. * + * * Support: Core */ hostnames?: pulumi.Input[]>; 
@@ -42844,16 +34229,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -42863,8 +34253,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -42872,12 +34264,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -42885,10 +34279,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -42900,21 +34296,6 @@ export namespace gateway { * Rules are a list of HTTP matchers, filters and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** @@ -42922,12 +34303,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -42938,23 +34322,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; @@ -42962,6 +34351,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -42969,10 +34359,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -42980,6 +34372,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -42987,6 +34380,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -42996,15 +34390,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -43013,6 +34410,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -43020,6 +34418,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -43027,10 +34426,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -43040,6 +34441,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -43050,12 +34452,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -43066,23 +34471,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -43090,6 +34500,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -43097,10 +34508,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -43108,6 +34521,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -43115,6 +34529,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -43124,15 +34539,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -43141,6 +34559,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -43148,6 +34567,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -43155,10 +34575,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -43168,6 +34590,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -43184,17 +34607,21 @@ export namespace gateway { * performing a match and (absent of any applicable header modification * configuration) MUST forward this header unmodified to the backend. * + * * Valid values for Hostnames are determined by RFC 1123 definition of a * hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and HTTPRoute, there * must be at least one intersecting hostname for the HTTPRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches HTTPRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -43205,31 +34632,38 @@ export namespace gateway { * all match. On the other hand, `example.com` and `test.example.net` would * not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and HTTPRoute have specified hostnames, any * HTTPRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * HTTPRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and HTTPRoute have specified hostnames, and none * match with the criteria above, then the HTTPRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. * overlapping wildcard matching and exact matching hostnames), precedence must * be given to rules from the HTTPRoute with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * + * * If ties exist across multiple Routes, the matching precedence rules for * HTTPRouteMatches takes over. * + * * Support: Core */ hostnames?: pulumi.Input[]>; 
@@ -43245,16 +34679,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -43264,8 +34703,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -43273,12 +34714,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -43286,10 +34729,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -43301,21 +34746,6 @@ export namespace gateway { * Rules are a list of HTTP matchers, filters and actions. */ rules?: pulumi.Input[]>; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways?: pulumi.Input; } /** 
@@ -43328,37 +34758,41 @@ export namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive a 500 status code. * + * * See the HTTPBackendRef definition for the rules about what makes a single * HTTPBackendRef invalid. * + * * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive a 500 status code. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic must receive a 500. Implementations may * choose how that 50 percent is determined. * - * When a HTTPBackendRef refers to a Service that has no ready endpoints, - * implementations SHOULD return a 503 for requests to that backend instead. - * If an implementation chooses to do this, all of the above rules for 500 responses - * MUST also apply for responses that return a 503. * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs?: pulumi.Input[]>; 
@@ -43366,38 +34800,46 @@ export namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * Wherever possible, implementations SHOULD implement filters in the order * they are specified. * + * * Implementations MAY choose to implement this ordering strictly, rejecting - * any combination or order of filters that cannot be supported. If implementations + * any combination or order of filters that can not be supported. If implementations * choose a strict interpretation of filter ordering, they MUST clearly document * that behavior. * + * * To reject an invalid combination or order of filters, implementations SHOULD * consider the Route Rules with this configuration invalid. If all Route Rules * in a Route are invalid, the entire Route would be considered invalid. If only * a portion of Route Rules are invalid, implementations MUST set the * "PartiallyInvalid" condition for the Route. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * + * * All filters are expected to be compatible with each other except for the * URLRewrite and RequestRedirect filters, which may not be combined. If an - * implementation cannot support other combinations of filters, they must clearly + * implementation can not support other combinations of filters, they must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. * + * * Support: Core */ filters?: pulumi.Input[]>; 
@@ -43406,8 +34848,10 @@ export namespace gateway { * HTTP requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - path: 
@@ -43419,54 +34863,58 @@ export namespace gateway { * value: "/v2/foo" * ``` * + * * For a request to match against this rule, a request must satisfy * EITHER of the two conditions: * + * * - path prefixed with `/foo` AND contains the header `version: v2` * - path prefix of `/v2/foo` * + * * See the documentation for HTTPRouteMatch on how to specify multiple * match conditions that should be ANDed together. * + * * If no matches are specified, the default is a prefix * path match on "/", which has the effect of matching every * HTTP request. * + * * Proxy or Load Balancer routing configuration generated from HTTPRoutes * MUST prioritize matches based on the following criteria, continuing on * ties. Across all rules specified on applicable Routes, precedence must be * given to the match having: * + * * * "Exact" path match. * * "Prefix" path match with largest number of characters. * * Method match. * * Largest number of header matches. * * Largest number of query param matches. * + * * Note: The precedence of RegularExpression path matches are implementation-specific. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within an HTTPRoute, matching precedence MUST be granted * to the FIRST matching rule (in list order) with a match meeting the above * criteria. * + * * When no rules matching a request have been successfully attached to the * parent a request is coming from, a HTTP 404 status code MUST be returned. */ matches?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name?: pulumi.Input; - retry?: pulumi.Input; sessionPersistence?: pulumi.Input; timeouts?: pulumi.Input; } 
@@ -43474,31 +34922,42 @@ export namespace gateway { /** * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ export interface HTTPRouteSpecRulesBackendRefs { /** * Filters defined at this level should be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in HTTPRouteRule.) */ 
@@ -43512,16 +34971,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -43533,11 +34996,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -43557,11 +35022,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; @@ -43576,9 +35043,7 @@ export namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ export interface HTTPRouteSpecRulesBackendRefsFilters { - cors?: pulumi.Input; extensionRef?: pulumi.Input; - externalAuth?: pulumi.Input; requestHeaderModifier?: pulumi.Input; requestMirror?: pulumi.Input; requestRedirect?: pulumi.Input; 
@@ -43587,14 +35052,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple @@ -43603,16 +35071,20 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -43621,426 +35093,16 @@ export namespace gateway { urlRewrite?: pulumi.Input; } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersCors { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). - * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials?: pulumi.Input; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. 
- * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders?: pulumi.Input[]>; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. 
- * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods?: pulumi.Input[]>; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. 
- * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). - * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins?: pulumi.Input[]>; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. 
- * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders?: pulumi.Input[]>; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge?: pulumi.Input; - } - - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersCorsPatch { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). 
- * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials?: pulumi.Input; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. 
A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders?: pulumi.Input[]>; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. - * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. 
If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods?: pulumi.Input[]>; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. - * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). 
- * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins?: pulumi.Input[]>; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. - * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. 
- * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders?: pulumi.Input[]>; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge?: pulumi.Input; - } - /** * ExtensionRef is an optional, implementation-specific extension to the * "filter" behavior. For example, resource "myroutefilter" in group * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ export interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRef { @@ -44065,8 +35127,10 @@ export namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ export interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch { 
@@ -44085,410 +35149,6 @@ export namespace gateway { name?: pulumi.Input; } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuth { - backendRef?: pulumi.Input; - forwardBody?: pulumi.Input; - grpc?: pulumi.Input; - http?: pulumi.Input; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol?: pulumi.Input; - } - - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. 
- */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - } - - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. 
- */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - } - - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. 
- * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize?: pulumi.Input; - } - - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. 
If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize?: pulumi.Input; - } - - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders?: pulumi.Input[]>; - } - - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders?: pulumi.Input[]>; - } - - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. 
- */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders?: pulumi.Input[]>; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders?: pulumi.Input[]>; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. 
- */ - path?: pulumi.Input; - } - - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders?: pulumi.Input[]>; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders?: pulumi.Input[]>; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. 
- * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path?: pulumi.Input; - } - - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch { - backendRef?: pulumi.Input; - forwardBody?: pulumi.Input; - grpc?: pulumi.Input; - http?: pulumi.Input; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol?: pulumi.Input; - } - /** * HTTPRouteFilter defines processing steps that must be completed during the * request or response lifecycle. HTTPRouteFilters are meant as an extension 
@@ -44498,9 +35158,7 @@ export namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ export interface HTTPRouteSpecRulesBackendRefsFiltersPatch { - cors?: pulumi.Input; extensionRef?: pulumi.Input; - externalAuth?: pulumi.Input; requestHeaderModifier?: pulumi.Input; requestMirror?: pulumi.Input; requestRedirect?: pulumi.Input; @@ -44509,14 +35167,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple @@ -44525,16 +35186,20 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -44547,6 +35212,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier { @@ -44555,15 +35221,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -44575,15 +35244,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -44593,15 +35265,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -44615,7 +35290,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -44636,7 +35312,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -44655,6 +35332,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch { @@ -44663,15 +35341,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -44683,15 +35364,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -44701,15 +35385,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -44723,7 +35410,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -44744,7 +35432,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -44764,49 +35453,47 @@ export namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirror { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef { @@ -44819,16 +35506,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -44840,11 +35531,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -44861,26 +35554,32 @@ export namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch { @@ -44893,16 +35592,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; 
@@ -44914,11 +35617,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -44932,59 +35637,28 @@ export namespace gateway { port?: pulumi.Input; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect { 
@@ -44993,6 +35667,7 @@ export namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname?: pulumi.Input; @@ -45001,9 +35676,11 @@ export namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -45011,14 +35688,17 @@ export namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port?: pulumi.Input; 
@@ -45026,29 +35706,36 @@ export namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme?: pulumi.Input; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode?: pulumi.Input; @@ -45058,6 +35745,7 @@ export namespace gateway { * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch { @@ -45066,6 +35754,7 @@ export namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname?: pulumi.Input; 
@@ -45074,9 +35763,11 @@ export namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -45084,14 +35775,17 @@ export namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port?: pulumi.Input; 
@@ -45099,29 +35793,36 @@ export namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme?: pulumi.Input; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode?: pulumi.Input; @@ -45132,6 +35833,7 @@ export namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath { 
@@ -45146,26 +35848,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -45178,6 +35897,7 @@ export namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch { 
@@ -45192,26 +35912,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -45223,6 +35960,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier { 
@@ -45231,15 +35969,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -45251,15 +35992,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -45269,15 +36013,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -45291,7 +36038,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -45312,7 +36060,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -45331,6 +36080,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch { @@ -45339,15 +36089,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -45359,15 +36112,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -45377,15 +36133,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -45399,7 +36158,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -45420,7 +36180,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -45438,6 +36199,7 @@ export namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite { @@ -45445,6 +36207,7 @@ export namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname?: pulumi.Input; @@ -45454,6 +36217,7 @@ export namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch { @@ -45461,6 +36225,7 @@ export namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname?: pulumi.Input; 
@@ -45470,6 +36235,7 @@ export namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath { @@ -45484,26 +36250,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -45514,6 +36297,7 @@ export namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch { @@ -45528,26 +36312,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -45558,31 +36359,42 @@ export namespace gateway { /** * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ export interface HTTPRouteSpecRulesBackendRefsPatch { /** * Filters defined at this level should be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in HTTPRouteRule.) */ 
@@ -45596,16 +36408,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -45617,11 +36433,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; @@ -45641,11 +36459,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight?: pulumi.Input; @@ -45660,9 +36480,7 @@ export namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ export interface HTTPRouteSpecRulesFilters { - cors?: pulumi.Input; extensionRef?: pulumi.Input; - externalAuth?: pulumi.Input; requestHeaderModifier?: pulumi.Input; requestMirror?: pulumi.Input; requestRedirect?: pulumi.Input; 
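Review bot: The last hunk on this line drops `cors?` and `externalAuth?` from `HTTPRouteSpecRulesFilters`, and nothing in the visible part of the commit says which Gateway API CRD version or channel the types were regenerated from. Because this file is generator output, the fix belongs in the commit record rather than the code, for example `Regenerated from Gateway API CRDs <CRD_VERSION_PLACEHOLDER>; removes the cors and externalAuth HTTPRoute filter types`. Any program that sets `externalAuth` on a route filter will stop type-checking. If the cluster CRDs change in step, routes that relied on that filter for authentication presumably need another enforcement point before rollout. The interface body continues outside this hunk.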
@@ -45671,14 +36489,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple @@ -45687,16 +36508,20 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -45705,426 +36530,16 @@ export namespace gateway { urlRewrite?: pulumi.Input; } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesFiltersCors { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). - * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials?: pulumi.Input; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. 
- * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders?: pulumi.Input[]>; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. 
- * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods?: pulumi.Input[]>; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. 
- * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). - * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins?: pulumi.Input[]>; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. 
- * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders?: pulumi.Input[]>; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge?: pulumi.Input; - } - - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesFiltersCorsPatch { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). 
- * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials?: pulumi.Input; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. 
A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders?: pulumi.Input[]>; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. - * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. 
If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods?: pulumi.Input[]>; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. - * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). 
- * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins?: pulumi.Input[]>; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. - * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. 
- * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders?: pulumi.Input[]>; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge?: pulumi.Input; - } - /** * ExtensionRef is an optional, implementation-specific extension to the * "filter" behavior. For example, resource "myroutefilter" in group * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ export interface HTTPRouteSpecRulesFiltersExtensionRef { @@ -46149,8 +36564,10 @@ export namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ export interface HTTPRouteSpecRulesFiltersExtensionRefPatch { 
@@ -46169,410 +36586,6 @@ export namespace gateway { name?: pulumi.Input; } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesFiltersExternalAuth { - backendRef?: pulumi.Input; - forwardBody?: pulumi.Input; - grpc?: pulumi.Input; - http?: pulumi.Input; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol?: pulumi.Input; - } - - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthBackendRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. 
- */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - } - - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. 
- */ - export interface HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group?: pulumi.Input; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind?: pulumi.Input; - /** - * Name is the name of the referent. - */ - name?: pulumi.Input; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace?: pulumi.Input; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port?: pulumi.Input; - } - - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. 
- * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthForwardBody { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize?: pulumi.Input; - } - - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. 
- * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize?: pulumi.Input; - } - - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthGrpc { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders?: pulumi.Input[]>; - } - - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders?: pulumi.Input[]>; - } - - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthHttp { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. 
- * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders?: pulumi.Input[]>; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders?: pulumi.Input[]>; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path?: pulumi.Input; - } - - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. 
- */ - export interface HTTPRouteSpecRulesFiltersExternalAuthHttpPatch { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders?: pulumi.Input[]>; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders?: pulumi.Input[]>; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. 
- */ - path?: pulumi.Input; - } - - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthPatch { - backendRef?: pulumi.Input; - forwardBody?: pulumi.Input; - grpc?: pulumi.Input; - http?: pulumi.Input; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol?: pulumi.Input; - } - /** * HTTPRouteFilter defines processing steps that must be completed during the * request or response lifecycle. HTTPRouteFilters are meant as an extension @@ -46582,9 +36595,7 @@ export namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ export interface HTTPRouteSpecRulesFiltersPatch { - cors?: pulumi.Input; extensionRef?: pulumi.Input; - externalAuth?: pulumi.Input; requestHeaderModifier?: pulumi.Input; requestMirror?: pulumi.Input; requestRedirect?: pulumi.Input; 
@@ -46593,14 +36604,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple @@ -46609,16 +36623,20 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -46631,6 +36649,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface HTTPRouteSpecRulesFiltersRequestHeaderModifier { 
@@ -46639,15 +36658,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -46659,15 +36681,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -46677,15 +36702,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -46699,7 +36727,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -46720,7 +36749,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -46739,6 +36769,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch { @@ -46747,15 +36778,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -46767,15 +36801,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -46785,15 +36822,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -46807,7 +36847,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -46828,7 +36869,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -46848,49 +36890,47 @@ export namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersRequestMirror { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRef { 
@@ -46903,16 +36943,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; @@ -46924,11 +36968,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -46945,26 +36991,32 @@ export namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch { @@ -46977,16 +37029,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind?: pulumi.Input; 
@@ -46998,11 +37054,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace?: pulumi.Input; 
@@ -47016,59 +37074,28 @@ export namespace gateway { port?: pulumi.Input; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface HTTPRouteSpecRulesFiltersRequestMirrorFraction { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch { - denominator?: pulumi.Input; - numerator?: pulumi.Input; - } - /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersRequestMirrorPatch { backendRef?: pulumi.Input; - fraction?: pulumi.Input; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent?: pulumi.Input; } /** * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ export interface HTTPRouteSpecRulesFiltersRequestRedirect { 
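Review bot: This hunk removes public API rather than only reflowing comments: `HTTPRouteSpecRulesFiltersRequestMirrorFraction`, its `Patch` variant, and the `fraction` and `percent` fields of `HTTPRouteSpecRulesFiltersRequestMirrorPatch` are gone, and the later hunk on the route-rule interface drops `name` and `retry` the same way. Programs that set those fields will stop compiling. Per the removed doc text, a mirror with neither field set mirrors 100% of requests, so callers that sampled traffic lose that control and the mirror backend would see every request. The removals suggest the SDK was regenerated from an older Gateway API CRD than the previous run, though this is inferred because the CRD input is not visible here. As the file is generated, confirm the CRD version fed to crd2pulumi and record the removal as a breaking change rather than editing these lines; the `gateway` namespace and `HTTPRouteSpecRulesFiltersRequestRedirect` continue outside the hunk.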
@@ -47077,6 +37104,7 @@ export namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname?: pulumi.Input; @@ -47085,9 +37113,11 @@ export namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -47095,14 +37125,17 @@ export namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port?: pulumi.Input; 
@@ -47110,29 +37143,36 @@ export namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme?: pulumi.Input; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode?: pulumi.Input; @@ -47142,6 +37182,7 @@ export namespace gateway { * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ export interface HTTPRouteSpecRulesFiltersRequestRedirectPatch { @@ -47150,6 +37191,7 @@ export namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname?: pulumi.Input; 
@@ -47158,9 +37200,11 @@ export namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -47168,14 +37212,17 @@ export namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port?: pulumi.Input; 
@@ -47183,29 +37230,36 @@ export namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme?: pulumi.Input; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode?: pulumi.Input; @@ -47216,6 +37270,7 @@ export namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersRequestRedirectPath { 
@@ -47230,26 +37285,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -47262,6 +37334,7 @@ export namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersRequestRedirectPathPatch { 
@@ -47276,26 +37349,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -47307,6 +37397,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersResponseHeaderModifier { 
@@ -47315,15 +37406,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -47335,15 +37429,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -47353,15 +37450,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -47375,7 +37475,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -47396,7 +37497,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -47415,6 +37517,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch { @@ -47423,15 +37526,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -47443,15 +37549,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -47461,15 +37570,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -47483,7 +37595,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -47504,7 +37617,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -47522,6 +37636,7 @@ export namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersUrlRewrite { @@ -47529,6 +37644,7 @@ export namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname?: pulumi.Input; @@ -47538,6 +37654,7 @@ export namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersUrlRewritePatch { @@ -47545,6 +37662,7 @@ export namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname?: pulumi.Input; @@ -47554,6 +37672,7 @@ export namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersUrlRewritePath { 
@@ -47568,26 +37687,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -47598,6 +37734,7 @@ export namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersUrlRewritePathPatch { 
@@ -47612,26 +37749,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch?: pulumi.Input; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -47644,18 +37798,22 @@ export namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a HTTP request only if its path * starts with `/foo` AND it contains the `version: v1` header: * + * * ``` * match: * + * * path: * value: "/foo" * headers: * - name: "version" * value "v1" * + * * ``` */ export interface HTTPRouteSpecRulesMatches { @@ -47670,6 +37828,7 @@ export namespace gateway { * When specified, this route will be matched only if the request has the * specified method. * + * * Support: Extended */ method?: pulumi.Input; @@ -47679,6 +37838,7 @@ export namespace gateway { * values are ANDed together, meaning, a request must match all the * specified query parameters to select the route. * + * * Support: Extended */ queryParams?: pulumi.Input[]>; @@ -47691,7 +37851,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesMatchesHeaders { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent @@ -47699,6 +37860,7 @@ export namespace gateway { * case-insensitivity of header names, "foo" and "Foo" are considered * equivalent. * + * * When a header is repeated in an HTTP request, it is * implementation-specific behavior as to how this is represented. * Generally, proxies should follow the guidance from the RFC: 
@@ -47709,10 +37871,13 @@ export namespace gateway { /** * Type specifies how to match against the value of the header. * + * * Support: Core (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression HeaderMatchType has implementation-specific * conformance, implementations can support POSIX, PCRE or any other dialects * of regular expressions. Please read the implementation's documentation to @@ -47732,7 +37897,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesMatchesHeadersPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent @@ -47740,6 +37906,7 @@ export namespace gateway { * case-insensitivity of header names, "foo" and "Foo" are considered * equivalent. * + * * When a header is repeated in an HTTP request, it is * implementation-specific behavior as to how this is represented. * Generally, proxies should follow the guidance from the RFC: @@ -47750,10 +37917,13 @@ export namespace gateway { /** * Type specifies how to match against the value of the header. * + * * Support: Core (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression HeaderMatchType has implementation-specific * conformance, implementations can support POSIX, PCRE or any other dialects * of regular expressions. Please read the implementation's documentation to 
@@ -47771,18 +37941,22 @@ export namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a HTTP request only if its path * starts with `/foo` AND it contains the `version: v1` header: * + * * ``` * match: * + * * path: * value: "/foo" * headers: * - name: "version" * value "v1" * + * * ``` */ export interface HTTPRouteSpecRulesMatchesPatch { @@ -47797,6 +37971,7 @@ export namespace gateway { * When specified, this route will be matched only if the request has the * specified method. * + * * Support: Extended */ method?: pulumi.Input; @@ -47806,6 +37981,7 @@ export namespace gateway { * values are ANDed together, meaning, a request must match all the * specified query parameters to select the route. * + * * Support: Extended */ queryParams?: pulumi.Input[]>; @@ -47819,8 +37995,10 @@ export namespace gateway { /** * Type specifies how to match against the path Value. * + * * Support: Core (Exact, PathPrefix) * + * * Support: Implementation-specific (RegularExpression) */ type?: pulumi.Input; @@ -47838,8 +38016,10 @@ export namespace gateway { /** * Type specifies how to match against the path Value. * + * * Support: Core (Exact, PathPrefix) * + * * Support: Implementation-specific (RegularExpression) */ type?: pulumi.Input; @@ -47859,10 +38039,12 @@ export namespace gateway { * exact string match. (See * https://tools.ietf.org/html/rfc7230#section-2.7.3). * + * * If multiple entries specify equivalent query param names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent query param name MUST be ignored. * + * * If a query param is repeated in an HTTP request, the behavior is * purposely left undefined, since different data planes have different * capabilities. However, it is *recommended* that implementations should 
@@ -47870,6 +38052,7 @@ export namespace gateway { * as this behavior is expected in other load balancing contexts outside of * the Gateway API. * + * * Users SHOULD NOT route traffic based on repeated query params to guard * themselves against potential differences in the implementations. */ @@ -47877,10 +38060,13 @@ export namespace gateway { /** * Type specifies how to match against the value of the query parameter. * + * * Support: Extended (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression QueryParamMatchType has Implementation-specific * conformance, implementations can support POSIX, PCRE or any other * dialects of regular expressions. Please read the implementation's @@ -47903,10 +38089,12 @@ export namespace gateway { * exact string match. (See * https://tools.ietf.org/html/rfc7230#section-2.7.3). * + * * If multiple entries specify equivalent query param names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent query param name MUST be ignored. * + * * If a query param is repeated in an HTTP request, the behavior is * purposely left undefined, since different data planes have different * capabilities. However, it is *recommended* that implementations should @@ -47914,6 +38102,7 @@ export namespace gateway { * as this behavior is expected in other load balancing contexts outside of * the Gateway API. * + * * Users SHOULD NOT route traffic based on repeated query params to guard * themselves against potential differences in the implementations. */ 
@@ -47921,10 +38110,13 @@ export namespace gateway { /** * Type specifies how to match against the value of the query parameter. * + * * Support: Extended (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression QueryParamMatchType has Implementation-specific * conformance, implementations can support POSIX, PCRE or any other * dialects of regular expressions. Please read the implementation's 
@@ -47947,37 +38139,41 @@ export namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive a 500 status code. * + * * See the HTTPBackendRef definition for the rules about what makes a single * HTTPBackendRef invalid. * + * * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive a 500 status code. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic must receive a 500. Implementations may * choose how that 50 percent is determined. * - * When a HTTPBackendRef refers to a Service that has no ready endpoints, - * implementations SHOULD return a 503 for requests to that backend instead. - * If an implementation chooses to do this, all of the above rules for 500 responses - * MUST also apply for responses that return a 503. * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs?: pulumi.Input[]>; 
@@ -47985,38 +38181,46 @@ export namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * Wherever possible, implementations SHOULD implement filters in the order * they are specified. * + * * Implementations MAY choose to implement this ordering strictly, rejecting - * any combination or order of filters that cannot be supported. If implementations + * any combination or order of filters that can not be supported. If implementations * choose a strict interpretation of filter ordering, they MUST clearly document * that behavior. * + * * To reject an invalid combination or order of filters, implementations SHOULD * consider the Route Rules with this configuration invalid. If all Route Rules * in a Route are invalid, the entire Route would be considered invalid. If only * a portion of Route Rules are invalid, implementations MUST set the * "PartiallyInvalid" condition for the Route. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * + * * All filters are expected to be compatible with each other except for the * URLRewrite and RequestRedirect filters, which may not be combined. If an - * implementation cannot support other combinations of filters, they must clearly + * implementation can not support other combinations of filters, they must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. * + * * Support: Core */ filters?: pulumi.Input[]>; 
@@ -48025,8 +38229,10 @@ export namespace gateway { * HTTP requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - path: 
@@ -48038,196 +38244,67 @@ export namespace gateway { * value: "/v2/foo" * ``` * + * * For a request to match against this rule, a request must satisfy * EITHER of the two conditions: * + * * - path prefixed with `/foo` AND contains the header `version: v2` * - path prefix of `/v2/foo` * + * * See the documentation for HTTPRouteMatch on how to specify multiple * match conditions that should be ANDed together. * + * * If no matches are specified, the default is a prefix * path match on "/", which has the effect of matching every * HTTP request. * + * * Proxy or Load Balancer routing configuration generated from HTTPRoutes * MUST prioritize matches based on the following criteria, continuing on * ties. Across all rules specified on applicable Routes, precedence must be * given to the match having: * + * * * "Exact" path match. * * "Prefix" path match with largest number of characters. * * Method match. * * Largest number of header matches. * * Largest number of query param matches. * + * * Note: The precedence of RegularExpression path matches are implementation-specific. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within an HTTPRoute, matching precedence MUST be granted * to the FIRST matching rule (in list order) with a match meeting the above * criteria. * + * * When no rules matching a request have been successfully attached to the * parent a request is coming from, a HTTP 404 status code MUST be returned. */ matches?: pulumi.Input[]>; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
- * - * Support: Extended - */ - name?: pulumi.Input; - retry?: pulumi.Input; sessionPersistence?: pulumi.Input; timeouts?: pulumi.Input; } - /** - * Retry defines the configuration for when to retry an HTTP request. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesRetry { - /** - * Attempts specifies the maximum number of times an individual request - * from the gateway to a backend should be retried. - * - * If the maximum number of retries has been attempted without a successful - * response from the backend, the Gateway MUST return an error. - * - * When this field is unspecified, the number of times to attempt to retry - * a backend request is implementation-specific. - * - * Support: Extended - */ - attempts?: pulumi.Input; - /** - * Backoff specifies the minimum duration a Gateway should wait between - * retry attempts and is represented in Gateway API Duration formatting. - * - * For example, setting the `rules[].retry.backoff` field to the value - * `100ms` will cause a backend request to first be retried approximately - * 100 milliseconds after timing out or receiving a response code configured - * to be retryable. - * - * An implementation MAY use an exponential or alternative backoff strategy - * for subsequent retry attempts, MAY cap the maximum backoff duration to - * some amount greater than the specified minimum, and MAY add arbitrary - * jitter to stagger requests, as long as unsuccessful backend requests are - * not retried before the configured minimum duration. - * - * If a Request timeout (`rules[].timeouts.request`) is configured on the - * route, the entire duration of the initial request and any retry attempts - * MUST not exceed the Request timeout duration. If any retry attempts are - * still in progress when the Request timeout duration has been reached, - * these SHOULD be canceled if possible and the Gateway MUST immediately - * return a timeout error. 
- * - * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - * configured on the route, any retry attempts which reach the configured - * BackendRequest timeout duration without a response SHOULD be canceled if - * possible and the Gateway should wait for at least the specified backoff - * duration before attempting to retry the backend request again. - * - * If a BackendRequest timeout is _not_ configured on the route, retry - * attempts MAY time out after an implementation default duration, or MAY - * remain pending until a configured Request timeout or implementation - * default duration for total request time is reached. - * - * When this field is unspecified, the time to wait between retry attempts - * is implementation-specific. - * - * Support: Extended - */ - backoff?: pulumi.Input; - /** - * Codes defines the HTTP response status codes for which a backend request - * should be retried. - * - * Support: Extended - */ - codes?: pulumi.Input[]>; - } - - /** - * Retry defines the configuration for when to retry an HTTP request. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesRetryPatch { - /** - * Attempts specifies the maximum number of times an individual request - * from the gateway to a backend should be retried. - * - * If the maximum number of retries has been attempted without a successful - * response from the backend, the Gateway MUST return an error. - * - * When this field is unspecified, the number of times to attempt to retry - * a backend request is implementation-specific. - * - * Support: Extended - */ - attempts?: pulumi.Input; - /** - * Backoff specifies the minimum duration a Gateway should wait between - * retry attempts and is represented in Gateway API Duration formatting. 
- * - * For example, setting the `rules[].retry.backoff` field to the value - * `100ms` will cause a backend request to first be retried approximately - * 100 milliseconds after timing out or receiving a response code configured - * to be retryable. - * - * An implementation MAY use an exponential or alternative backoff strategy - * for subsequent retry attempts, MAY cap the maximum backoff duration to - * some amount greater than the specified minimum, and MAY add arbitrary - * jitter to stagger requests, as long as unsuccessful backend requests are - * not retried before the configured minimum duration. - * - * If a Request timeout (`rules[].timeouts.request`) is configured on the - * route, the entire duration of the initial request and any retry attempts - * MUST not exceed the Request timeout duration. If any retry attempts are - * still in progress when the Request timeout duration has been reached, - * these SHOULD be canceled if possible and the Gateway MUST immediately - * return a timeout error. - * - * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - * configured on the route, any retry attempts which reach the configured - * BackendRequest timeout duration without a response SHOULD be canceled if - * possible and the Gateway should wait for at least the specified backoff - * duration before attempting to retry the backend request again. - * - * If a BackendRequest timeout is _not_ configured on the route, retry - * attempts MAY time out after an implementation default duration, or MAY - * remain pending until a configured Request timeout or implementation - * default duration for total request time is reached. - * - * When this field is unspecified, the time to wait between retry attempts - * is implementation-specific. - * - * Support: Extended - */ - backoff?: pulumi.Input; - /** - * Codes defines the HTTP response status codes for which a backend request - * should be retried. 
- * - * Support: Extended - */ - codes?: pulumi.Input[]>; - } - /** * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ export interface HTTPRouteSpecRulesSessionPersistence { @@ -48236,6 +38313,7 @@ export namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout?: pulumi.Input; @@ -48245,6 +38323,7 @@ export namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout?: pulumi.Input; @@ -48254,6 +38333,7 @@ export namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName?: pulumi.Input; @@ -48262,8 +38342,10 @@ export namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type?: pulumi.Input; @@ -48273,6 +38355,7 @@ export namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ export interface HTTPRouteSpecRulesSessionPersistenceCookieConfig { @@ -48283,18 +38366,20 @@ export namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType?: pulumi.Input; 
@@ -48304,6 +38389,7 @@ export namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ export interface HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch { @@ -48314,18 +38400,20 @@ export namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType?: pulumi.Input; @@ -48335,6 +38423,7 @@ export namespace gateway { * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ export interface HTTPRouteSpecRulesSessionPersistencePatch { @@ -48343,6 +38432,7 @@ export namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout?: pulumi.Input; @@ -48352,6 +38442,7 @@ export namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout?: pulumi.Input; @@ -48361,6 +38452,7 @@ export namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName?: pulumi.Input; @@ -48369,8 +38461,10 @@ export namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type?: pulumi.Input; 
@@ -48379,6 +38473,7 @@ export namespace gateway { /** * Timeouts defines the timeouts that can be configured for an HTTP request. * + * * Support: Extended */ export interface HTTPRouteSpecRulesTimeouts { @@ -48387,19 +38482,21 @@ export namespace gateway { * to a backend. This covers the time from when the request first starts being * sent from the gateway to when the full response has been received from the backend. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * An entire client HTTP transaction with a gateway, covered by the Request timeout, * may result in more than one call from the gateway to the destination backend, * for example, if automatic retries are supported. * - * The value of BackendRequest must be a Gateway API Duration string as defined by - * GEP-2257. When this field is unspecified, its behavior is implementation-specific; - * when specified, the value of BackendRequest must be no more than the value of the - * Request timeout (since the Request timeout encompasses the BackendRequest timeout). + * + * Because the Request timeout encompasses the BackendRequest timeout, the value of + * BackendRequest must be <= the value of Request timeout. + * * * Support: Extended */ 
@@ -48409,22 +38506,26 @@ export namespace gateway { * If the gateway has not been able to respond before this deadline is met, the gateway * MUST return a timeout error. * + * * For example, setting the `rules.timeouts.request` field to the value `10s` in an * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds * to complete. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * This timeout is intended to cover as close to the whole request-response transaction * as possible although an implementation MAY choose to start the timeout after the entire * request stream has been received instead of immediately after the transaction is * initiated by the client. * - * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - * field is unspecified, request timeout behavior is implementation-specific. + * + * When this field is unspecified, request timeout behavior is implementation-specific. + * * * Support: Extended */ @@ -48434,6 +38535,7 @@ export namespace gateway { /** * Timeouts defines the timeouts that can be configured for an HTTP request. * + * * Support: Extended */ export interface HTTPRouteSpecRulesTimeoutsPatch { 
@@ -48442,19 +38544,21 @@ export namespace gateway { * to a backend. This covers the time from when the request first starts being * sent from the gateway to when the full response has been received from the backend. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * An entire client HTTP transaction with a gateway, covered by the Request timeout, * may result in more than one call from the gateway to the destination backend, * for example, if automatic retries are supported. * - * The value of BackendRequest must be a Gateway API Duration string as defined by - * GEP-2257. When this field is unspecified, its behavior is implementation-specific; - * when specified, the value of BackendRequest must be no more than the value of the - * Request timeout (since the Request timeout encompasses the BackendRequest timeout). + * + * Because the Request timeout encompasses the BackendRequest timeout, the value of + * BackendRequest must be <= the value of Request timeout. + * * * Support: Extended */ 
@@ -48464,22 +38568,26 @@ export namespace gateway { * If the gateway has not been able to respond before this deadline is met, the gateway * MUST return a timeout error. * + * * For example, setting the `rules.timeouts.request` field to the value `10s` in an * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds * to complete. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * This timeout is intended to cover as close to the whole request-response transaction * as possible although an implementation MAY choose to start the timeout after the entire * request stream has been received instead of immediately after the transaction is * initiated by the client. * - * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - * field is unspecified, request timeout behavior is implementation-specific. + * + * When this field is unspecified, request timeout behavior is implementation-specific. + * * * Support: Extended */ @@ -48498,11 +38606,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -48519,19 +38629,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -48541,12 +38655,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -48557,6 +38674,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface HTTPRouteStatusParentsConditions { /** @@ -48589,6 +38722,10 @@ export namespace gateway { status?: pulumi.Input; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type?: pulumi.Input; } @@ -48604,23 +38741,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group?: pulumi.Input; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind?: pulumi.Input; /** * Name is the name of the referent. * + * * Support: Core */ name?: pulumi.Input; 
@@ -48628,6 +38770,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -48635,10 +38778,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -48646,6 +38791,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace?: pulumi.Input; @@ -48653,6 +38799,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -48662,15 +38809,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -48679,6 +38829,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port?: pulumi.Input; @@ -48686,6 +38837,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -48693,10 +38845,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -48706,6 +38860,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName?: pulumi.Input; @@ -48716,13 +38871,16 @@ export namespace gateway { * trusted to reference the specified kinds of resources in the same namespace * as the policy. * + * * Each ReferenceGrant can be used to represent a unique trust relationship. * Additional Reference Grants can be used to add to the set of trusted * sources of inbound references for the namespace they are defined within. * + * * All cross-namespace references in Gateway API (with the exception of cross-namespace * Gateway-route attachment) require a ReferenceGrant. * + * * ReferenceGrant is a form of runtime verification allowing users to assert * which cross-namespace object references are permitted. Implementations that * support ReferenceGrant MUST NOT permit cross-namespace references which have @@ -48755,6 +38913,7 @@ export namespace gateway { * to be an additional place that references can be valid from, or to put * this another way, entries MUST be combined using OR. * + * * Support: Core */ from?: pulumi.Input[]>; @@ -48764,6 +38923,7 @@ export namespace gateway { * additional place that references can be valid to, or to put this another * way, entries MUST be combined using OR. * + * * Support: Core */ to?: pulumi.Input[]>; @@ -48777,6 +38937,7 @@ export namespace gateway { * Group is the group of the referent. * When empty, the Kubernetes core API group is inferred. * + * * Support: Core */ group?: pulumi.Input; @@ -48785,12 +38946,16 @@ export namespace gateway { * additional resources, the following types are part of the "Core" * support level for this field. * + * * When used to permit a SecretObjectReference: * + * * * Gateway * + * * When used to permit a BackendObjectReference: * + * * * GRPCRoute * * HTTPRoute * * TCPRoute 
@@ -48801,6 +38966,7 @@ export namespace gateway { /** * Namespace is the namespace of the referent. * + * * Support: Core */ namespace?: pulumi.Input; @@ -48814,6 +38980,7 @@ export namespace gateway { * Group is the group of the referent. * When empty, the Kubernetes core API group is inferred. * + * * Support: Core */ group?: pulumi.Input; @@ -48822,12 +38989,16 @@ export namespace gateway { * additional resources, the following types are part of the "Core" * support level for this field. * + * * When used to permit a SecretObjectReference: * + * * * Gateway * + * * When used to permit a BackendObjectReference: * + * * * GRPCRoute * * HTTPRoute * * TCPRoute @@ -48838,6 +39009,7 @@ export namespace gateway { /** * Namespace is the namespace of the referent. * + * * Support: Core */ namespace?: pulumi.Input; @@ -48853,6 +39025,7 @@ export namespace gateway { * to be an additional place that references can be valid from, or to put * this another way, entries MUST be combined using OR. * + * * Support: Core */ from?: pulumi.Input[]>; @@ -48862,6 +39035,7 @@ export namespace gateway { * additional place that references can be valid to, or to put this another * way, entries MUST be combined using OR. * + * * Support: Core */ to?: pulumi.Input[]>; @@ -48876,6 +39050,7 @@ export namespace gateway { * Group is the group of the referent. * When empty, the Kubernetes core API group is inferred. * + * * Support: Core */ group?: pulumi.Input; @@ -48884,6 +39059,7 @@ export namespace gateway { * additional resources, the following types are part of the "Core" * support level for this field: * + * * * Secret when used to permit a SecretObjectReference * * Service when used to permit a BackendObjectReference */ @@ -48905,6 +39081,7 @@ export namespace gateway { * Group is the group of the referent. * When empty, the Kubernetes core API group is inferred. * + * * Support: Core */ group?: pulumi.Input; 
@@ -48913,6 +39090,7 @@ export namespace gateway { * additional resources, the following types are part of the "Core" * support level for this field: * + * * * Secret when used to permit a SecretObjectReference * * Service when used to permit a BackendObjectReference */ diff --git a/generated/crds/types/output.d.ts b/generated/crds/types/output.d.ts index 16baf81..d2376fb 100644 --- a/generated/crds/types/output.d.ts +++ b/generated/crds/types/output.d.ts @@ -27,9 +27,9 @@ export declare namespace acme { */ authorizationURL: string; /** - * dnsName is the identifier that this challenge is for, e.g., example.com. + * dnsName is the identifier that this challenge is for, e.g. example.com. * If the requested DNSName is a 'wildcard', this field MUST be set to the - * non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`. + * non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. */ dnsName: string; issuerRef: outputs.acme.v1.ChallengeSpecIssuerRef; @@ -74,17 +74,15 @@ export declare namespace acme { */ interface ChallengeSpecIssuerRef { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group: string; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind: string; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name: string; } @@ -97,17 +95,15 @@ export declare namespace acme { */ interface ChallengeSpecIssuerRefPatch { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group: string; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind: string; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name: string; } 
@@ -118,9 +114,9 @@ export declare namespace acme { */ authorizationURL: string; /** - * dnsName is the identifier that this challenge is for, e.g., example.com. + * dnsName is the identifier that this challenge is for, e.g. example.com. * If the requested DNSName is a 'wildcard', this field MUST be set to the - * non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`. + * non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. */ dnsName: string; issuerRef: outputs.acme.v1.ChallengeSpecIssuerRefPatch; @@ -433,18 +429,14 @@ export declare namespace acme { */ interface ChallengeSpecSolverDns01AzureDNSManagedIdentity { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID: string; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID: string; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID: string; } /** * Auth: Azure Workload Identity or Azure Managed Service Identity: 
@@ -453,18 +445,14 @@ export declare namespace acme { */ interface ChallengeSpecSolverDns01AzureDNSManagedIdentityPatch { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID: string; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID: string; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID: string; } /** * Use the Microsoft Azure DNS API to manage DNS01 challenge records. @@ -729,10 +717,6 @@ export declare namespace acme { * This field is required. */ nameserver: string; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol: string; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. @@ -759,10 +743,6 @@ export declare namespace acme { * This field is required. */ nameserver: string; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol: string; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -826,32 +806,11 @@ export declare namespace acme { accessKeyIDSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01Route53AccessKeyIDSecretRef; auth: outputs.acme.v1.ChallengeSpecSolverDns01Route53Auth; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID: string; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). 
- * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. + * Always set the region when using AccessKeyID and SecretAccessKey */ region: string; /** 
@@ -980,32 +939,11 @@ export declare namespace acme { accessKeyIDSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01Route53AccessKeyIDSecretRefPatch; auth: outputs.acme.v1.ChallengeSpecSolverDns01Route53AuthPatch; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID: string; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). 
- * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. + * Always set the region when using AccessKeyID and SecretAccessKey */ region: string; /** @@ -1063,7 +1001,7 @@ export declare namespace acme { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -1081,7 +1019,7 @@ export declare namespace acme { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName: string; } @@ -1095,7 +1033,7 @@ export declare namespace acme { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -1113,7 +1051,7 @@ export declare namespace acme { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName: string; } 
@@ -1121,7 +1059,7 @@ export declare namespace acme { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ interface ChallengeSpecSolverHttp01 { gatewayHTTPRoute: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoute; @@ -1148,7 +1086,6 @@ export declare namespace acme { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefs[]; - podTemplate: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplate; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. @@ -1160,12 +1097,15 @@ export declare namespace acme { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -1176,23 +1116,28 @@ export declare namespace acme { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -1200,17 +1145,20 @@ export declare namespace acme { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -1218,6 +1166,7 @@ export declare namespace acme { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -1225,6 +1174,7 @@ export declare namespace acme { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -1233,16 +1183,19 @@ export declare namespace acme { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -1251,6 +1204,7 @@ export declare namespace acme { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -1258,6 +1212,7 @@ export declare namespace acme { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -1265,10 +1220,12 @@ export declare namespace acme { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -1278,6 +1235,7 @@ export declare namespace acme { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -1287,12 +1245,15 @@ export declare namespace acme { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -1303,23 +1264,28 @@ export declare namespace acme { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; 
@@ -1327,17 +1293,20 @@ export declare namespace acme { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -1345,6 +1314,7 @@ export declare namespace acme { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -1352,6 +1322,7 @@ export declare namespace acme { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -1360,16 +1331,19 @@ export declare namespace acme { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -1378,6 +1352,7 @@ export declare namespace acme { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -1385,6 +1360,7 @@ export declare namespace acme { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -1392,10 +1368,12 @@ export declare namespace acme { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -1405,6 +1383,7 @@ export declare namespace acme { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; 
@@ -1430,2083 +1409,12 @@ export declare namespace acme { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefsPatch[]; - podTemplate: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplatePatch; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. */ serviceType: string; } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplate { - metadata: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadata; - spec: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpec; - } - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadata { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations: { - [key: string]: string; - }; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels: { - [key: string]: string; - }; - } - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadataPatch { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations: { - [key: string]: string; - }; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. 
- */ - labels: { - [key: string]: string; - }; - } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplatePatch { - metadata: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadataPatch; - spec: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecPatch; - } - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpec { - affinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinity; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets[]; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector: { - [key: string]: string; - }; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName: string; - resources: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResources; - securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext; - /** - * If specified, the pod's service account - */ - serviceAccountName: string; - /** - * If specified, the pod's tolerations. 
- */ - tolerations: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerations[]; - } - /** - * If specified, the pod's scheduling constraints - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinity { - nodeAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity; - podAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity; - podAntiAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity; - } - /** - * Describes node affinity scheduling rules for the pod. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution; - } - /** - * Describes node affinity scheduling rules for the pod. 
- */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch; - } - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution { - preference: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight: number; - } - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
- */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - preference: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight: number; - } - /** - * A node selector term, associated with the corresponding weight. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. 
- * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector term, associated with the corresponding weight. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[]; - } - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. 
- * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution { - /** - * Required. A list of node selector terms. The terms are ORed. - */ - nodeSelectorTerms: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[]; - } - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 
- */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[]; - /** - * A list of node selector requirements by node's fields. 
- */ - matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[]; - } - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - /** - * Required. A list of node selector terms. The terms are ORed. - */ - nodeSelectorTerms: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[]; - } - /** - * If specified, the pod's scheduling constraints - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch { - nodeAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch; - podAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch; - podAntiAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch; - } - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. 
- * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[]; - } - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. 
- * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[]; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. 
- */ - weight: number; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight: number; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. 
- */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. 
- * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. 
- */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. 
The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. 
- */ - values: string[]; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. 
- * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[]; - } - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. 
all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[]; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight: number; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight: number; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
- * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. 
- */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: { - [key: string]: string; - }; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
- * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. 
Instances of this type with an empty value here are - * almost certainly wrong. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecPatch { - affinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch[]; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector: { - [key: string]: string; - }; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName: string; - resources: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch; - securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch; - /** - * If specified, the pod's service account - */ - serviceAccountName: string; - /** - * If specified, the pod's tolerations. - */ - tolerations: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch[]; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. 
- * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: { - [key: string]: number | string; - }; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: { - [key: string]: number | string; - }; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. 
- * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: { - [key: string]: number | string; - }; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: { - [key: string]: number | string; - }; - } - /** - * If specified, the pod's security context - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. 
If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions; - seccompProfile: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls[]; - } - /** - * If specified, the pod's security context - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch; - seccompProfile: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - sysctls: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch[]; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. - */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. - */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - /** - * The seccomp options to use by the containers in this pod. 
- * Note that this field cannot be set when spec.os.name is windows. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type: string; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. 
- */ - type: string; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerations { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect: string; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key: string; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator: string; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds: number; - /** - * Value is the taint value the toleration matches to. 
- * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value: string; - } - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect: string; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key: string; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator: string; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds: number; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value: string; - } /** * The ingress based HTTP01 challenge solver will solve challenges by * creating or modifying Ingress resources in order to route requests for 
@@ -3653,7 +1561,7 @@ export declare namespace acme { */ interface ChallengeSpecSolverHttp01IngressPodTemplateMetadata { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations: { [key: string]: string; @@ -3673,7 +1581,7 @@ export declare namespace acme { */ interface ChallengeSpecSolverHttp01IngressPodTemplateMetadataPatch { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations: { [key: string]: string; @@ -3716,8 +1624,6 @@ export declare namespace acme { * If specified, the pod's priorityClassName. */ priorityClassName: string; - resources: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecResources; - securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContext; /** * If specified, the pod's service account */ @@ -4157,6 +2063,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -4168,6 +2075,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; 
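Review bot: The `resources` and `securityContext` properties disappear from the HTTP01 ingress solver pod spec in the `@@ -3716,8 +1624,6 @@` hunk, and the `@@ -5306,8 +3232,6 @@` hunk drops the same two from the `Patch` variant. Typed programs can then no longer set or read `runAsNonRoot`, `seccompProfile` or resource limits for the ACME solver pods, which would run with whatever defaults the controller applies. Other hunks suggest the schema moved backwards (the comment changes from "created ACME" to "create ACME", and alpha feature-gate notes reappear), so the types were probably regenerated from an older CRD; that is inferred from the comments, not shown. Because the file is generated, the fix belongs in the generator input: regenerate from the CRD version the cluster actually serves, so that `securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContext;` and the matching `resources` line stay on the new side. Both interfaces start and end outside these hunks.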
@@ -4367,6 +2275,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -4378,6 +2287,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; @@ -4416,6 +2326,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -4427,6 +2338,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; 
@@ -4631,6 +2543,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -4642,6 +2555,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; @@ -4672,8 +2586,8 @@ export declare namespace acme { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; 
@@ -4699,8 +2613,8 @@ export declare namespace acme { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; @@ -4751,6 +2665,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -4762,6 +2677,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; 
@@ -4961,6 +2877,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -4972,6 +2889,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; @@ -5010,6 +2928,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -5021,6 +2940,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; 
@@ -5225,6 +3145,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -5236,6 +3157,7 @@ export declare namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; @@ -5265,7 +3187,9 @@ export declare namespace acme { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name: string; } 
@@ -5279,7 +3203,9 @@ export declare namespace acme { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name: string; } @@ -5306,8 +3232,6 @@ export declare namespace acme { * If specified, the pod's priorityClassName. */ priorityClassName: string; - resources: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecResourcesPatch; - securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextPatch; /** * If specified, the pod's service account */ 
@@ -5317,326 +3241,6 @@ export declare namespace acme { */ tolerations: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerationsPatch[]; } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: { - [key: string]: number | string; - }; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: { - [key: string]: number | string; - }; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. 
- */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: { - [key: string]: number | string; - }; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: { - [key: string]: number | string; - }; - } - /** - * If specified, the pod's security context - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions; - seccompProfile: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfile; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. 
- * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctls[]; - } - /** - * If specified, the pod's security context - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. 
- * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch; - seccompProfile: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. 
- * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch[]; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. - */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. - */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. 
- */ - user: string; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type: string; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. 
- */ - type: string; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } /** * The pod this Toleration is attached to tolerates any taint that matches * the triple using the matching operator . @@ -5711,7 +3315,7 @@ export declare namespace acme { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ interface ChallengeSpecSolverHttp01Patch { gatewayHTTPRoute: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePatch; @@ -5906,11 +3510,6 @@ export declare namespace acme { */ ipAddresses: string[]; issuerRef: outputs.acme.v1.OrderSpecIssuerRef; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile: string; /** * Certificate signing request bytes in DER encoding. * This will be used when finalizing the order. 
@@ -5927,17 +3526,15 @@ export declare namespace acme { */ interface OrderSpecIssuerRef { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group: string; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind: string; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name: string; } @@ -5950,17 +3547,15 @@ export declare namespace acme { */ interface OrderSpecIssuerRefPatch { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group: string; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind: string; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name: string; } @@ -5989,11 +3584,6 @@ export declare namespace acme { */ ipAddresses: string[]; issuerRef: outputs.acme.v1.OrderSpecIssuerRefPatch; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile: string; /** * Certificate signing request bytes in DER encoding. * This will be used when finalizing the order. @@ -6096,7 +3686,7 @@ export declare namespace acme { */ token: string; /** - * Type is the type of challenge being offered, e.g., 'http-01', 'dns-01', + * Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', * 'tls-sni-01', etc. * This is the raw value retrieved from the ACME server. * Only 'http-01' and 'dns-01' are supported by cert-manager, other values 
@@ -6121,7 +3711,7 @@ export declare namespace acme { */ token: string; /** - * Type is the type of challenge being offered, e.g., 'http-01', 'dns-01', + * Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', * 'tls-sni-01', etc. * This is the raw value retrieved from the ACME server. * Only 'http-01' and 'dns-01' are supported by cert-manager, other values @@ -6225,6 +3815,7 @@ export declare namespace cert_manager { * A Certificate resource should be created to ensure an up to date and signed * X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. * + * * The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`). */ interface Certificate { @@ -6247,10 +3838,12 @@ export declare namespace cert_manager { * A CertificateRequest is used to request a signed certificate from one of the * configured issuers. * + * * All fields within the CertificateRequest's `spec` are immutable after creation. * A CertificateRequest will either succeed or fail, as denoted by its `Ready` status * condition and its `status.failureTime` field. * + * * A CertificateRequest is a one-shot resource, meaning it represents a single * point in time request for a certificate and cannot be re-used. */ @@ -6297,9 +3890,11 @@ export declare namespace cert_manager { * Requested basic constraints isCA value. Note that the issuer may choose * to ignore the requested isCA value, just like any other requested attribute. * + * * NOTE: If the CSR in the `Request` field has a BasicConstraints extension, * it must have the same isCA value as specified here. * + * * If true, this will automatically add the `cert sign` usage to the list * of requested `usages`. */ 
@@ -6309,6 +3904,7 @@ export declare namespace cert_manager { * The PEM-encoded X.509 certificate signing request to be submitted to the * issuer for signing. * + * * If the CSR has a BasicConstraints extension, its isCA attribute must * match the `isCA` value of this CertificateRequest. * If the CSR has a KeyUsage extension, its key usages must match the @@ -6326,10 +3922,12 @@ export declare namespace cert_manager { /** * Requested key usages and extended key usages. * + * * NOTE: If the CSR in the `Request` field has uses the KeyUsage or * ExtKeyUsage extension, these extensions must have the same values * as specified here without any additional values. * + * * If unset, defaults to `digital signature` and `key encipherment`. */ usages: string[]; @@ -6345,21 +3943,20 @@ export declare namespace cert_manager { * as the Certificate. If the issuer is cluster-scoped, it can be used * from any namespace. * + * * The `name` field of the reference must always be specified. */ interface CertificateRequestSpecIssuerRef { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group: string; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind: string; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name: string; } 
@@ -6369,21 +3966,20 @@ export declare namespace cert_manager { * as the Certificate. If the issuer is cluster-scoped, it can be used * from any namespace. * + * * The `name` field of the reference must always be specified. */ interface CertificateRequestSpecIssuerRefPatch { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group: string; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind: string; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name: string; } @@ -6414,9 +4010,11 @@ export declare namespace cert_manager { * Requested basic constraints isCA value. Note that the issuer may choose * to ignore the requested isCA value, just like any other requested attribute. * + * * NOTE: If the CSR in the `Request` field has a BasicConstraints extension, * it must have the same isCA value as specified here. * + * * If true, this will automatically add the `cert sign` usage to the list * of requested `usages`. */ @@ -6426,6 +4024,7 @@ export declare namespace cert_manager { * The PEM-encoded X.509 certificate signing request to be submitted to the * issuer for signing. * + * * If the CSR has a BasicConstraints extension, its isCA attribute must * match the `isCA` value of this CertificateRequest. * If the CSR has a KeyUsage extension, its key usages must match the @@ -6443,10 +4042,12 @@ export declare namespace cert_manager { /** * Requested key usages and extended key usages. * + * * NOTE: If the CSR in the `Request` field has uses the KeyUsage or * ExtKeyUsage extension, these extensions must have the same values * as specified here without any additional values. * + * * If unset, defaults to `digital signature` and `key encipherment`. */ usages: string[]; 
@@ -6588,6 +4189,11 @@ export declare namespace cert_manager { /** * Defines extra output formats of the private key and signed certificate chain * to be written to this Certificate's target Secret. + * + * + * This is a Beta Feature enabled by default. It can be disabled with the + * `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both + * the controller and webhook components. */ additionalOutputFormats: outputs.cert_manager.v1.CertificateSpecAdditionalOutputFormats[]; /** @@ -6596,6 +4202,7 @@ export declare namespace cert_manager { * NOTE: TLS clients will ignore this value when any subject alternative name is * set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). * + * * Should have a length of 64 characters or fewer to avoid generating invalid CSRs. * Cannot be set if the `literalSubject` field is set. */ @@ -6609,6 +4216,7 @@ export declare namespace cert_manager { * issuer may choose to ignore the requested duration, just like any other * requested attribute. * + * * If unset, this defaults to 90 days. * Minimum accepted duration is 1 hour. * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. @@ -6621,6 +4229,7 @@ export declare namespace cert_manager { /** * Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR. * + * * This option defaults to true, and should only be disabled if the target * issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions. */ @@ -6635,6 +4244,7 @@ export declare namespace cert_manager { * resources. Note that the issuer may choose to ignore the requested isCA value, just * like any other requested attribute. * + * * If true, this will automatically add the `cert sign` usage to the list * of requested `usages`. */ 
@@ -6651,6 +4261,7 @@ export declare namespace cert_manager { * More info: https://github.com/cert-manager/cert-manager/issues/3203 * More info: https://github.com/cert-manager/cert-manager/issues/4424 * + * * Cannot be set if the `subject` or `commonName` field is set. */ literalSubject: string; 
@@ -6670,33 +4281,17 @@ export declare namespace cert_manager { * 50 minutes after it was issued (i.e. when there are 10 minutes remaining until * the certificate is no longer valid). * + * * NOTE: The actual lifetime of the issued certificate is used to determine the * renewal time. If an issuer returns a certificate with a different lifetime than * the one requested, cert-manager will use the lifetime of the issued certificate. * + * * If unset, this defaults to 1/3 of the issued certificate's lifetime. * Minimum accepted value is 5 minutes. * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. - * Cannot be set if the `renewBeforePercentage` field is set. */ renewBefore: string; - /** - * `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage - * rather than an absolute duration. For example, if a certificate is valid for 60 - * minutes, and `renewBeforePercentage=25`, cert-manager will begin to attempt to - * renew the certificate 45 minutes after it was issued (i.e. when there are 15 - * minutes (25%) remaining until the certificate is no longer valid). - * - * NOTE: The actual lifetime of the issued certificate is used to determine the - * renewal time. If an issuer returns a certificate with a different lifetime than - * the one requested, cert-manager will use the lifetime of the issued certificate. - * - * Value must be an integer in the range (0,100). The minimum effective - * `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5 - * minutes. - * Cannot be set if the `renewBefore` field is set. - */ - renewBeforePercentage: number; /** * The maximum number of CertificateRequest revisions that are maintained in * the Certificate's history. Each revision represents a single `CertificateRequest` 
@@ -6704,8 +4299,10 @@ export declare namespace cert_manager { * was changed. Revisions will be removed by oldest first if the number of * revisions exceeds this number. * + * * If set, revisionHistoryLimit must be a value of `1` or greater. - * Default value is `1`. + * If unset (`nil`), revisions will not be garbage collected. + * Default value is `nil`. */ revisionHistoryLimit: number; /** @@ -6716,13 +4313,6 @@ export declare namespace cert_manager { */ secretName: string; secretTemplate: outputs.cert_manager.v1.CertificateSpecSecretTemplate; - /** - * Signature algorithm to use. - * Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA. - * Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512. - * Allowed values for Ed25519 keys: PureEd25519. - */ - signatureAlgorithm: string; subject: outputs.cert_manager.v1.CertificateSpecSubject; /** * Requested URI subject alternative names. @@ -6734,6 +4324,7 @@ export declare namespace cert_manager { * resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages * will additionally be encoded in the `request` field which contains the CSR blob. * + * * If unset, defaults to `digital signature` and `key encipherment`. */ usages: string[]; @@ -6768,21 +4359,20 @@ export declare namespace cert_manager { * as the Certificate. If the issuer is cluster-scoped, it can be used * from any namespace. * + * * The `name` field of the reference must always be specified. */ interface CertificateSpecIssuerRef { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group: string; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind: string; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name: string; } 
@@ -6792,21 +4382,20 @@ export declare namespace cert_manager { * as the Certificate. If the issuer is cluster-scoped, it can be used * from any namespace. * + * * The `name` field of the reference must always be specified. */ interface CertificateSpecIssuerRefPatch { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group: string; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind: string; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name: string; } @@ -6831,7 +4420,7 @@ export declare namespace cert_manager { * Create enables JKS keystore creation for the Certificate. * If true, a file named `keystore.jks` will be created in the target * Secret resource, encrypted using the password stored in - * `passwordSecretRef` or `password`. + * `passwordSecretRef`. * The keystore file will be updated immediately. * If the issuer provided a CA certificate, a file named `truststore.jks` * will also be created in the target Secret resource, encrypted using the 
@@ -6839,19 +4428,11 @@ export declare namespace cert_manager { * containing the issuing Certificate Authority */ create: boolean; - /** - * Password provides a literal password used to encrypt the JKS keystore. - * Mutually exclusive with passwordSecretRef. - * One of password or passwordSecretRef must provide a password with a non-zero length. - */ - password: string; passwordSecretRef: outputs.cert_manager.v1.CertificateSpecKeystoresJksPasswordSecretRef; } /** - * PasswordSecretRef is a reference to a non-empty key in a Secret resource + * PasswordSecretRef is a reference to a key in a Secret resource * containing the password used to encrypt the JKS keystore. - * Mutually exclusive with password. - * One of password or passwordSecretRef must provide a password with a non-zero length. */ interface CertificateSpecKeystoresJksPasswordSecretRef { /** @@ -6867,10 +4448,8 @@ export declare namespace cert_manager { name: string; } /** - * PasswordSecretRef is a reference to a non-empty key in a Secret resource + * PasswordSecretRef is a reference to a key in a Secret resource * containing the password used to encrypt the JKS keystore. - * Mutually exclusive with password. - * One of password or passwordSecretRef must provide a password with a non-zero length. */ interface CertificateSpecKeystoresJksPasswordSecretRefPatch { /** @@ -6899,7 +4478,7 @@ export declare namespace cert_manager { * Create enables JKS keystore creation for the Certificate. * If true, a file named `keystore.jks` will be created in the target * Secret resource, encrypted using the password stored in - * `passwordSecretRef` or `password`. + * `passwordSecretRef`. * The keystore file will be updated immediately. * If the issuer provided a CA certificate, a file named `truststore.jks` * will also be created in the target Secret resource, encrypted using the 
@@ -6907,12 +4486,6 @@ export declare namespace cert_manager { * containing the issuing Certificate Authority */ create: boolean; - /** - * Password provides a literal password used to encrypt the JKS keystore. - * Mutually exclusive with passwordSecretRef. - * One of password or passwordSecretRef must provide a password with a non-zero length. - */ - password: string; passwordSecretRef: outputs.cert_manager.v1.CertificateSpecKeystoresJksPasswordSecretRefPatch; } /** @@ -6931,7 +4504,7 @@ export declare namespace cert_manager { * Create enables PKCS12 keystore creation for the Certificate. * If true, a file named `keystore.p12` will be created in the target * Secret resource, encrypted using the password stored in - * `passwordSecretRef` or in `password`. + * `passwordSecretRef`. * The keystore file will be updated immediately. * If the issuer provided a CA certificate, a file named `truststore.p12` will * also be created in the target Secret resource, encrypted using the 
@@ -6939,31 +4512,24 @@ export declare namespace cert_manager { * Authority */ create: boolean; - /** - * Password provides a literal password used to encrypt the PKCS#12 keystore. - * Mutually exclusive with passwordSecretRef. - * One of password or passwordSecretRef must provide a password with a non-zero length. - */ - password: string; passwordSecretRef: outputs.cert_manager.v1.CertificateSpecKeystoresPkcs12PasswordSecretRef; /** * Profile specifies the key and certificate encryption algorithms and the HMAC algorithm * used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. * + * * If provided, allowed values are: * `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. * `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. * `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms - * (e.g., because of company policy). Please note that the security of the algorithm is not that important + * (eg. because of company policy). Please note that the security of the algorithm is not that important * in reality, because the unencrypted certificate and private key are also stored in the Secret. */ profile: string; } /** - * PasswordSecretRef is a reference to a non-empty key in a Secret resource - * containing the password used to encrypt the PKCS#12 keystore. - * Mutually exclusive with password. - * One of password or passwordSecretRef must provide a password with a non-zero length. + * PasswordSecretRef is a reference to a key in a Secret resource + * containing the password used to encrypt the PKCS12 keystore. */ interface CertificateSpecKeystoresPkcs12PasswordSecretRef { /** 
@@ -6979,10 +4545,8 @@ export declare namespace cert_manager { name: string; } /** - * PasswordSecretRef is a reference to a non-empty key in a Secret resource - * containing the password used to encrypt the PKCS#12 keystore. - * Mutually exclusive with password. - * One of password or passwordSecretRef must provide a password with a non-zero length. + * PasswordSecretRef is a reference to a key in a Secret resource + * containing the password used to encrypt the PKCS12 keystore. */ interface CertificateSpecKeystoresPkcs12PasswordSecretRefPatch { /** @@ -7006,7 +4570,7 @@ export declare namespace cert_manager { * Create enables PKCS12 keystore creation for the Certificate. * If true, a file named `keystore.p12` will be created in the target * Secret resource, encrypted using the password stored in - * `passwordSecretRef` or in `password`. + * `passwordSecretRef`. * The keystore file will be updated immediately. * If the issuer provided a CA certificate, a file named `truststore.p12` will * also be created in the target Secret resource, encrypted using the 
@@ -7014,22 +4578,17 @@ export declare namespace cert_manager { * Authority */ create: boolean; - /** - * Password provides a literal password used to encrypt the PKCS#12 keystore. - * Mutually exclusive with passwordSecretRef. - * One of password or passwordSecretRef must provide a password with a non-zero length. - */ - password: string; passwordSecretRef: outputs.cert_manager.v1.CertificateSpecKeystoresPkcs12PasswordSecretRefPatch; /** * Profile specifies the key and certificate encryption algorithms and the HMAC algorithm * used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. * + * * If provided, allowed values are: * `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. * `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. * `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms - * (e.g., because of company policy). Please note that the security of the algorithm is not that important + * (eg. because of company policy). Please note that the security of the algorithm is not that important * in reality, because the unencrypted certificate and private key are also stored in the Secret. */ profile: string; @@ -7038,6 +4597,7 @@ export declare namespace cert_manager { * x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. * More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 * + * * This is an Alpha Feature and is only enabled with the * `--feature-gates=NameConstraints=true` option set on both * the controller and webhook components. 
@@ -7102,6 +4662,7 @@ export declare namespace cert_manager { * x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. * More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 * + * * This is an Alpha Feature and is only enabled with the * `--feature-gates=NameConstraints=true` option set on both * the controller and webhook components. @@ -7192,6 +4753,11 @@ export declare namespace cert_manager { /** * Defines extra output formats of the private key and signed certificate chain * to be written to this Certificate's target Secret. + * + * + * This is a Beta Feature enabled by default. It can be disabled with the + * `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both + * the controller and webhook components. */ additionalOutputFormats: outputs.cert_manager.v1.CertificateSpecAdditionalOutputFormatsPatch[]; /** @@ -7200,6 +4766,7 @@ export declare namespace cert_manager { * NOTE: TLS clients will ignore this value when any subject alternative name is * set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). * + * * Should have a length of 64 characters or fewer to avoid generating invalid CSRs. * Cannot be set if the `literalSubject` field is set. */ @@ -7213,6 +4780,7 @@ export declare namespace cert_manager { * issuer may choose to ignore the requested duration, just like any other * requested attribute. * + * * If unset, this defaults to 90 days. * Minimum accepted duration is 1 hour. * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. @@ -7225,6 +4793,7 @@ export declare namespace cert_manager { /** * Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR. * + * * This option defaults to true, and should only be disabled if the target * issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions. */ 
@@ -7239,6 +4808,7 @@ export declare namespace cert_manager { * resources. Note that the issuer may choose to ignore the requested isCA value, just * like any other requested attribute. * + * * If true, this will automatically add the `cert sign` usage to the list * of requested `usages`. */ @@ -7255,6 +4825,7 @@ export declare namespace cert_manager { * More info: https://github.com/cert-manager/cert-manager/issues/3203 * More info: https://github.com/cert-manager/cert-manager/issues/4424 * + * * Cannot be set if the `subject` or `commonName` field is set. */ literalSubject: string; 
@@ -7274,33 +4845,17 @@ export declare namespace cert_manager { * 50 minutes after it was issued (i.e. when there are 10 minutes remaining until * the certificate is no longer valid). * + * * NOTE: The actual lifetime of the issued certificate is used to determine the * renewal time. If an issuer returns a certificate with a different lifetime than * the one requested, cert-manager will use the lifetime of the issued certificate. * + * * If unset, this defaults to 1/3 of the issued certificate's lifetime. * Minimum accepted value is 5 minutes. * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. - * Cannot be set if the `renewBeforePercentage` field is set. */ renewBefore: string; - /** - * `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage - * rather than an absolute duration. For example, if a certificate is valid for 60 - * minutes, and `renewBeforePercentage=25`, cert-manager will begin to attempt to - * renew the certificate 45 minutes after it was issued (i.e. when there are 15 - * minutes (25%) remaining until the certificate is no longer valid). - * - * NOTE: The actual lifetime of the issued certificate is used to determine the - * renewal time. If an issuer returns a certificate with a different lifetime than - * the one requested, cert-manager will use the lifetime of the issued certificate. - * - * Value must be an integer in the range (0,100). The minimum effective - * `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5 - * minutes. - * Cannot be set if the `renewBefore` field is set. - */ - renewBeforePercentage: number; /** * The maximum number of CertificateRequest revisions that are maintained in * the Certificate's history. Each revision represents a single `CertificateRequest` 
@@ -7308,8 +4863,10 @@ export declare namespace cert_manager { * was changed. Revisions will be removed by oldest first if the number of * revisions exceeds this number. * + * * If set, revisionHistoryLimit must be a value of `1` or greater. - * Default value is `1`. + * If unset (`nil`), revisions will not be garbage collected. + * Default value is `nil`. */ revisionHistoryLimit: number; /** @@ -7320,13 +4877,6 @@ export declare namespace cert_manager { */ secretName: string; secretTemplate: outputs.cert_manager.v1.CertificateSpecSecretTemplatePatch; - /** - * Signature algorithm to use. - * Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA. - * Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512. - * Allowed values for Ed25519 keys: PureEd25519. - */ - signatureAlgorithm: string; subject: outputs.cert_manager.v1.CertificateSpecSubjectPatch; /** * Requested URI subject alternative names. @@ -7338,6 +4888,7 @@ export declare namespace cert_manager { * resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages * will additionally be encoded in the `request` field which contains the CSR blob. * + * * If unset, defaults to `digital signature` and `key encipherment`. */ usages: string[]; @@ -7351,6 +4902,7 @@ export declare namespace cert_manager { * Algorithm is the private key algorithm of the corresponding private key * for this certificate. * + * * If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. * If `algorithm` is specified and `size` is not provided, * key size of 2048 will be used for `RSA` key algorithm and @@ -7362,6 +4914,7 @@ export declare namespace cert_manager { * The private key cryptography standards (PKCS) encoding for this * certificate's private key to be encoded in. * + * * If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 * and PKCS#8, respectively. * Defaults to `PKCS1` if not specified. 
@@ -7371,22 +4924,20 @@ export declare namespace cert_manager { * RotationPolicy controls how private keys should be regenerated when a * re-issuance is being processed. * + * * If set to `Never`, a private key will only be generated if one does not - * already exist in the target `spec.secretName`. If one does exist but it + * already exist in the target `spec.secretName`. If one does exists but it * does not have the correct algorithm or size, a warning will be raised * to await user intervention. * If set to `Always`, a private key matching the specified requirements * will be generated whenever a re-issuance occurs. - * Default is `Always`. - * The default was changed from `Never` to `Always` in cert-manager >=v1.18.0. - * The new default can be disabled by setting the - * `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on - * the controller component. + * Default is `Never` for backward compatibility. */ rotationPolicy: string; /** * Size is the key bit size of the corresponding private key for this certificate. * + * * If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, * and will default to `2048` if not specified. * If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, @@ -7405,6 +4956,7 @@ export declare namespace cert_manager { * Algorithm is the private key algorithm of the corresponding private key * for this certificate. * + * * If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. * If `algorithm` is specified and `size` is not provided, * key size of 2048 will be used for `RSA` key algorithm and @@ -7416,6 +4968,7 @@ export declare namespace cert_manager { * The private key cryptography standards (PKCS) encoding for this * certificate's private key to be encoded in. * + * * If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 * and PKCS#8, respectively. * Defaults to `PKCS1` if not specified. 
@@ -7425,22 +4978,20 @@ export declare namespace cert_manager { * RotationPolicy controls how private keys should be regenerated when a * re-issuance is being processed. * + * * If set to `Never`, a private key will only be generated if one does not - * already exist in the target `spec.secretName`. If one does exist but it + * already exist in the target `spec.secretName`. If one does exists but it * does not have the correct algorithm or size, a warning will be raised * to await user intervention. * If set to `Always`, a private key matching the specified requirements * will be generated whenever a re-issuance occurs. - * Default is `Always`. - * The default was changed from `Never` to `Always` in cert-manager >=v1.18.0. - * The new default can be disabled by setting the - * `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on - * the controller component. + * Default is `Never` for backward compatibility. */ rotationPolicy: string; /** * Size is the key bit size of the corresponding private key for this certificate. * + * * If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, * and will default to `2048` if not specified. * If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, @@ -7496,6 +5047,7 @@ export declare namespace cert_manager { * Requested set of X509 certificate subject attributes. * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 * + * * The common name attribute is specified separately in the `commonName` field. * Cannot be set if the `literalSubject` field is set. */ @@ -7537,6 +5089,7 @@ export declare namespace cert_manager { * Requested set of X509 certificate subject attributes. * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 * + * * The common name attribute is specified separately in the `commonName` field. * Cannot be set if the `literalSubject` field is set. */ 
@@ -7595,7 +5148,7 @@ export declare namespace cert_manager { */ failedIssuanceAttempts: number; /** - * LastFailureTime is set only if the latest issuance for this + * LastFailureTime is set only if the lastest issuance for this * Certificate failed and contains the time of the failure. If an * issuance has failed, the delay till the next issuance will be * calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - @@ -7630,13 +5183,16 @@ export declare namespace cert_manager { /** * The current 'revision' of the certificate as issued. * + * * When a CertificateRequest resource is created, it will have the * `cert-manager.io/certificate-revision` set to one greater than the * current value of this field. * + * * Upon issuance, this field will be set to the value of the annotation * on the CertificateRequest resource used to issue the certificate. * + * * Persisting the value on the CertificateRequest resource allows the * certificates controller to know whether a request is part of an old * issuance or if it is part of the ongoing revision's issuance by @@ -7646,7 +5202,7 @@ export declare namespace cert_manager { revision: number; } /** - * CertificateCondition contains condition information for a Certificate. + * CertificateCondition contains condition information for an Certificate. */ interface CertificateStatusConditions { /** @@ -7682,7 +5238,7 @@ export declare namespace cert_manager { type: string; } /** - * CertificateCondition contains condition information for a Certificate. + * CertificateCondition contains condition information for an Certificate. */ interface CertificateStatusConditionsPatch { /** 
@@ -7738,7 +5294,7 @@ export declare namespace cert_manager { */ failedIssuanceAttempts: number; /** - * LastFailureTime is set only if the latest issuance for this + * LastFailureTime is set only if the lastest issuance for this * Certificate failed and contains the time of the failure. If an * issuance has failed, the delay till the next issuance will be * calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - @@ -7773,13 +5329,16 @@ export declare namespace cert_manager { /** * The current 'revision' of the certificate as issued. * + * * When a CertificateRequest resource is created, it will have the * `cert-manager.io/certificate-revision` set to one greater than the * current value of this field. * + * * Upon issuance, this field will be set to the value of the annotation * on the CertificateRequest resource used to issue the certificate. * + * * Persisting the value on the CertificateRequest resource allows the * certificates controller to know whether a request is part of an old * issuance or if it is part of the ongoing revision's issuance by @@ -7865,7 +5424,7 @@ export declare namespace cert_manager { * PreferredChain is the chain to use if the ACME server outputs multiple. * PreferredChain is no guarantee that this one gets delivered by the ACME * endpoint. - * For example, for Let's Encrypt's DST cross-sign you would use: + * For example, for Let's Encrypt's DST crosssign you would use: * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. * This value picks the first certificate bundle in the combined set of * ACME default and alternative chains that has a root-most certificate with 
@@ -7873,11 +5432,6 @@ export declare namespace cert_manager { */ preferredChain: string; privateKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmePrivateKeySecretRef; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile: string; /** * Server is the URL used to access the ACME server's 'directory' endpoint. * For example, for Let's Encrypt's staging endpoint, you would use: @@ -8032,7 +5586,7 @@ export declare namespace cert_manager { * PreferredChain is the chain to use if the ACME server outputs multiple. * PreferredChain is no guarantee that this one gets delivered by the ACME * endpoint. - * For example, for Let's Encrypt's DST cross-sign you would use: + * For example, for Let's Encrypt's DST crosssign you would use: * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. * This value picks the first certificate bundle in the combined set of * ACME default and alternative chains that has a root-most certificate with @@ -8040,11 +5594,6 @@ export declare namespace cert_manager { */ preferredChain: string; privateKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmePrivateKeySecretRefPatch; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile: string; /** * Server is the URL used to access the ACME server's 'directory' endpoint. * For example, for Let's Encrypt's staging endpoint, you would use: 
@@ -8391,18 +5940,14 @@ export declare namespace cert_manager { */ interface ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentity { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID: string; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID: string; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID: string; } /** * Auth: Azure Workload Identity or Azure Managed Service Identity: @@ -8411,18 +5956,14 @@ export declare namespace cert_manager { */ interface ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID: string; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID: string; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID: string; } /** * Use the Microsoft Azure DNS API to manage DNS01 challenge records. @@ -8687,10 +6228,6 @@ export declare namespace cert_manager { * This field is required. */ nameserver: string; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol: string; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -8717,10 +6254,6 @@ export declare namespace cert_manager { * This field is required. */ nameserver: string; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol: string; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -8784,32 +6317,11 @@ export declare namespace cert_manager { accessKeyIDSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef; auth: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53Auth; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID: string; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). 
- * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. + * Always set the region when using AccessKeyID and SecretAccessKey */ region: string; /** 
@@ -8938,32 +6450,11 @@ export declare namespace cert_manager { accessKeyIDSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch; auth: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthPatch; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID: string; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). 
- * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. + * Always set the region when using AccessKeyID and SecretAccessKey */ region: string; /** @@ -9021,7 +6512,7 @@ export declare namespace cert_manager { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -9039,7 +6530,7 @@ export declare namespace cert_manager { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName: string; } @@ -9053,7 +6544,7 @@ export declare namespace cert_manager { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -9071,7 +6562,7 @@ export declare namespace cert_manager { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName: string; } 
@@ -9079,7 +6570,7 @@ export declare namespace cert_manager { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ interface ClusterIssuerSpecAcmeSolversHttp01 { gatewayHTTPRoute: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoute; @@ -9106,7 +6597,6 @@ export declare namespace cert_manager { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs[]; - podTemplate: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. @@ -9118,12 +6608,15 @@ export declare namespace cert_manager { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -9134,23 +6627,28 @@ export declare namespace cert_manager { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -9158,17 +6656,20 @@ export declare namespace cert_manager { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -9176,6 +6677,7 @@ export declare namespace cert_manager { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -9183,6 +6685,7 @@ export declare namespace cert_manager { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -9191,16 +6694,19 @@ export declare namespace cert_manager { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -9209,6 +6715,7 @@ export declare namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -9216,6 +6723,7 @@ export declare namespace cert_manager { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -9223,10 +6731,12 @@ export declare namespace cert_manager { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -9236,6 +6746,7 @@ export declare namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -9245,12 +6756,15 @@ export declare namespace cert_manager { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -9261,23 +6775,28 @@ export declare namespace cert_manager { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; 
@@ -9285,17 +6804,20 @@ export declare namespace cert_manager { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -9303,6 +6825,7 @@ export declare namespace cert_manager { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -9310,6 +6833,7 @@ export declare namespace cert_manager { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -9318,16 +6842,19 @@ export declare namespace cert_manager { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -9336,6 +6863,7 @@ export declare namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -9343,6 +6871,7 @@ export declare namespace cert_manager { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -9350,10 +6879,12 @@ export declare namespace cert_manager { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -9363,6 +6894,7 @@ export declare namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; 
@@ -9388,2083 +6920,12 @@ export declare namespace cert_manager { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch[]; - podTemplate: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. */ serviceType: string; } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate { - metadata: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata; - spec: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec; - } - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations: { - [key: string]: string; - }; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels: { - [key: string]: string; - }; - } - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. 
- */ - annotations: { - [key: string]: string; - }; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels: { - [key: string]: string; - }; - } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch { - metadata: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch; - spec: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch; - } - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec { - affinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets[]; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector: { - [key: string]: string; - }; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName: string; - resources: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources; - securityContext: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext; - /** - * If specified, the pod's service account - */ - serviceAccountName: string; - /** - * If specified, the pod's tolerations. 
- */ - tolerations: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations[]; - } - /** - * If specified, the pod's scheduling constraints - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity { - nodeAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity; - podAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity; - podAntiAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity; - } - /** - * Describes node affinity scheduling rules for the pod. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution; - } - /** - * Describes node affinity scheduling rules for the pod. 
- */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch; - } - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution { - preference: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight: number; - } - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). 
A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - preference: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight: number; - } - /** - * A node selector term, associated with the corresponding weight. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector term, associated with the corresponding weight. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[]; - /** - * A list of node selector requirements by node's fields. 
- */ - matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[]; - } - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution { - /** - * Required. A list of node selector terms. The terms are ORed. - */ - nodeSelectorTerms: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[]; - } - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[]; - /** - * A list of node selector requirements by node's fields. 
- */ - matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. 
- * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[]; - } - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - /** - * Required. A list of node selector terms. The terms are ORed. 
- */ - nodeSelectorTerms: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[]; - } - /** - * If specified, the pod's scheduling constraints - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch { - nodeAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch; - podAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch; - podAntiAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch; - } - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. 
- */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[]; - } - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. 
- */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[]; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. 
- */ - weight: number; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight: number; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. 
- */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. 
The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[]; - } - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. 
- * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[]; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. 
- */ - weight: number; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight: number; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. 
- */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. 
- * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch { - affinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch[]; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector: { - [key: string]: string; - }; - /** - * If specified, the pod's priorityClassName. 
- */ - priorityClassName: string; - resources: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch; - securityContext: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch; - /** - * If specified, the pod's service account - */ - serviceAccountName: string; - /** - * If specified, the pod's tolerations. - */ - tolerations: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch[]; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: { - [key: string]: number | string; - }; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: { - [key: string]: number | string; - }; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. 
- * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: { - [key: string]: number | string; - }; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: { - [key: string]: number | string; - }; - } - /** - * If specified, the pod's security context - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. 
This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - runAsUser: number; - seLinuxOptions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions; - seccompProfile: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls[]; - } - /** - * If specified, the pod's security context - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - runAsUser: number; - seLinuxOptions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch; - seccompProfile: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch[]; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. 
- */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. - */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. 
- * Unconfined - no profile should be applied. - */ - type: string; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type: string; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. 
- */ - effect: string; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key: string; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator: string; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds: number; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value: string; - } - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect: string; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key: string; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. 
- */ - operator: string; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds: number; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value: string; - } /** * The ingress based HTTP01 challenge solver will solve challenges by * creating or modifying Ingress resources in order to route requests for @@ -11611,7 +7072,7 @@ export declare namespace cert_manager { */ interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations: { [key: string]: string; @@ -11631,7 +7092,7 @@ export declare namespace cert_manager { */ interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations: { [key: string]: string; @@ -11674,8 +7135,6 @@ export declare namespace cert_manager { * If specified, the pod's priorityClassName. */ priorityClassName: string; - resources: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources; - securityContext: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext; /** * If specified, the pod's service account */ 
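Review bot: The `@@ -11674,8 +7135,6 @@` hunk drops `resources` and `securityContext` from `ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpec`, so code that reads the solver pod's hardening settings (`runAsNonRoot`, `seccompProfile`, `seLinuxOptions`) through these declarations will stop compiling. The same two fields are removed from the `...PodTemplateSpecPatch` interface in `@@ -13264,8 +8743,6 @@`, and `@@ -13891,18 +9048,12 @@` removes the Vault `serverName` and `clientCertificate` members. The neighbouring doc-comment hunks (the restored "alpha field" note on `matchLabelKeys`, "created" becoming "create") suggest these types were regenerated from an older cert-manager CRD than the previous revision used, though the CRD input itself is not visible here. Because this file is generator output, the fix is to regenerate from the CRD version that matches the deployed cert-manager release, so that `securityContext: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext;` and the Vault fields are kept. If the downgrade is intentional, the commit description should say that solver pod security context and Vault client-certificate auth can no longer be expressed through this package.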
@@ -12115,6 +7574,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -12126,6 +7586,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; @@ -12325,6 +7786,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -12336,6 +7798,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; 
@@ -12374,6 +7837,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -12385,6 +7849,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; @@ -12589,6 +8054,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -12600,6 +8066,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; 
@@ -12630,8 +8097,8 @@ export declare namespace cert_manager { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; @@ -12657,8 +8124,8 @@ export declare namespace cert_manager { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; 
@@ -12709,6 +8176,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -12720,6 +8188,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; @@ -12919,6 +8388,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -12930,6 +8400,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; 
@@ -12968,6 +8439,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -12979,6 +8451,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; @@ -13183,6 +8656,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -13194,6 +8668,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; 
@@ -13223,7 +8698,9 @@ export declare namespace cert_manager { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name: string; } @@ -13237,7 +8714,9 @@ export declare namespace cert_manager { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name: string; } @@ -13264,8 +8743,6 @@ export declare namespace cert_manager { * If specified, the pod's priorityClassName. */ priorityClassName: string; - resources: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch; - securityContext: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch; /** * If specified, the pod's service account */ 
@@ -13275,326 +8752,6 @@ export declare namespace cert_manager { */ tolerations: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch[]; } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: { - [key: string]: number | string; - }; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: { - [key: string]: number | string; - }; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. 
- */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: { - [key: string]: number | string; - }; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: { - [key: string]: number | string; - }; - } - /** - * If specified, the pod's security context - */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions; - seccompProfile: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. 
Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls[]; - } - /** - * If specified, the pod's security context - */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. 
If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch; - seccompProfile: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch[]; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. - */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. 
- */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type: string; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. 
- * Unconfined - no profile should be applied. - */ - type: string; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } /** * The pod this Toleration is attached to tolerates any taint that matches * the triple using the matching operator . @@ -13669,7 +8826,7 @@ export declare namespace cert_manager { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ interface ClusterIssuerSpecAcmeSolversHttp01Patch { gatewayHTTPRoute: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch; 
@@ -13891,18 +9048,12 @@ export declare namespace cert_manager { * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". */ server: string; - /** - * ServerName is used to verify the hostname on the returned certificates - * by the Vault server. - */ - serverName: string; } /** * Auth configures how cert-manager authenticates with the Vault server. */ interface ClusterIssuerSpecVaultAuth { appRole: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRole; - clientCertificate: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthClientCertificate; kubernetes: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetes; tokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthTokenSecretRef; } 
@@ -13978,56 +9129,6 @@ export declare namespace cert_manager { */ name: string; } - /** - * ClientCertificate authenticates with Vault by presenting a client - * certificate during the request's TLS handshake. - * Works only when using HTTPS protocol. - */ - interface ClusterIssuerSpecVaultAuthClientCertificate { - /** - * The Vault mountPath here is the mount path to use when authenticating with - * Vault. For example, setting a value to `/v1/auth/foo`, will use the path - * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - * default value "/v1/auth/cert" will be used. - */ - mountPath: string; - /** - * Name of the certificate role to authenticate against. - * If not set, matching any certificate role, if available. - */ - name: string; - /** - * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - * tls.crt and tls.key) used to authenticate to Vault using TLS client - * authentication. - */ - secretName: string; - } - /** - * ClientCertificate authenticates with Vault by presenting a client - * certificate during the request's TLS handshake. - * Works only when using HTTPS protocol. - */ - interface ClusterIssuerSpecVaultAuthClientCertificatePatch { - /** - * The Vault mountPath here is the mount path to use when authenticating with - * Vault. For example, setting a value to `/v1/auth/foo`, will use the path - * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - * default value "/v1/auth/cert" will be used. - */ - mountPath: string; - /** - * Name of the certificate role to authenticate against. - * If not set, matching any certificate role, if available. - */ - name: string; - /** - * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - * tls.crt and tls.key) used to authenticate to Vault using TLS client - * authentication. 
- */ - secretName: string; - } /** * Kubernetes authenticates with Vault by passing the ServiceAccount * token stored in the named Secret resource to the Vault server. @@ -14145,7 +9246,6 @@ export declare namespace cert_manager { */ interface ClusterIssuerSpecVaultAuthPatch { appRole: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRolePatch; - clientCertificate: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthClientCertificatePatch; kubernetes: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesPatch; tokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthTokenSecretRefPatch; } @@ -14323,11 +9423,6 @@ export declare namespace cert_manager { * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". */ server: string; - /** - * ServerName is used to verify the hostname on the returned certificates - * by the Vault server. - */ - serverName: string; } /** * Venafi configures this issuer to sign certificates using a Venafi TPP @@ -14352,7 +9447,7 @@ export declare namespace cert_manager { apiTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiCloudApiTokenSecretRef; /** * URL is the base URL for Venafi Cloud. - * Defaults to "https://api.venafi.cloud/". + * Defaults to "https://api.venafi.cloud/v1". */ url: string; } @@ -14396,7 +9491,7 @@ export declare namespace cert_manager { apiTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiCloudApiTokenSecretRefPatch; /** * URL is the base URL for Venafi Cloud. - * Defaults to "https://api.venafi.cloud/". + * Defaults to "https://api.venafi.cloud/v1". */ url: string; } @@ -14427,7 +9522,6 @@ export declare namespace cert_manager { * is used to validate the chain. */ caBundle: string; - caBundleSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCaBundleSecretRef; credentialsRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCredentialsRef; /** * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, 
@@ -14436,49 +9530,9 @@ export declare namespace cert_manager { url: string; } /** - * Reference to a Secret containing a base64-encoded bundle of PEM CAs - * which will be used to validate the certificate chain presented by the TPP server. - * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - * the cert-manager controller container is used to validate the TLS connection. - */ - interface ClusterIssuerSpecVenafiTppCaBundleSecretRef { - /** - * The key of the entry in the Secret resource's `data` field to be used. - * Some instances of this field may be defaulted, in others it may be - * required. - */ - key: string; - /** - * Name of the resource being referred to. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - /** - * Reference to a Secret containing a base64-encoded bundle of PEM CAs - * which will be used to validate the certificate chain presented by the TPP server. - * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - * the cert-manager controller container is used to validate the TLS connection. - */ - interface ClusterIssuerSpecVenafiTppCaBundleSecretRefPatch { - /** - * The key of the entry in the Secret resource's `data` field to be used. - * Some instances of this field may be defaulted, in others it may be - * required. - */ - key: string; - /** - * Name of the resource being referred to. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - /** - * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. 
- * The secret must contain the key 'access-token' for the Access Token Authentication, - * or two keys, 'username' and 'password' for the API Keys Authentication. + * CredentialsRef is a reference to a Secret containing the username and + * password for the TPP server. + * The secret must contain two keys, 'username' and 'password'. */ interface ClusterIssuerSpecVenafiTppCredentialsRef { /** @@ -14488,9 +9542,9 @@ export declare namespace cert_manager { name: string; } /** - * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. - * The secret must contain the key 'access-token' for the Access Token Authentication, - * or two keys, 'username' and 'password' for the API Keys Authentication. + * CredentialsRef is a reference to a Secret containing the username and + * password for the TPP server. + * The secret must contain two keys, 'username' and 'password'. */ interface ClusterIssuerSpecVenafiTppCredentialsRefPatch { /** @@ -14511,7 +9565,6 @@ export declare namespace cert_manager { * is used to validate the chain. */ caBundle: string; - caBundleSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCaBundleSecretRefPatch; credentialsRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCredentialsRefPatch; /** * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, @@ -14737,7 +9790,7 @@ export declare namespace cert_manager { * PreferredChain is the chain to use if the ACME server outputs multiple. * PreferredChain is no guarantee that this one gets delivered by the ACME * endpoint. - * For example, for Let's Encrypt's DST cross-sign you would use: + * For example, for Let's Encrypt's DST crosssign you would use: * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. * This value picks the first certificate bundle in the combined set of * ACME default and alternative chains that has a root-most certificate with 
@@ -14745,11 +9798,6 @@ export declare namespace cert_manager { */ preferredChain: string; privateKeySecretRef: outputs.cert_manager.v1.IssuerSpecAcmePrivateKeySecretRef; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile: string; /** * Server is the URL used to access the ACME server's 'directory' endpoint. * For example, for Let's Encrypt's staging endpoint, you would use: @@ -14904,7 +9952,7 @@ export declare namespace cert_manager { * PreferredChain is the chain to use if the ACME server outputs multiple. * PreferredChain is no guarantee that this one gets delivered by the ACME * endpoint. - * For example, for Let's Encrypt's DST cross-sign you would use: + * For example, for Let's Encrypt's DST crosssign you would use: * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. * This value picks the first certificate bundle in the combined set of * ACME default and alternative chains that has a root-most certificate with @@ -14912,11 +9960,6 @@ export declare namespace cert_manager { */ preferredChain: string; privateKeySecretRef: outputs.cert_manager.v1.IssuerSpecAcmePrivateKeySecretRefPatch; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile: string; /** * Server is the URL used to access the ACME server's 'directory' endpoint. * For example, for Let's Encrypt's staging endpoint, you would use: 
@@ -15263,18 +10306,14 @@ export declare namespace cert_manager { */ interface IssuerSpecAcmeSolversDns01AzureDNSManagedIdentity { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID: string; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID: string; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID: string; } /** * Auth: Azure Workload Identity or Azure Managed Service Identity: @@ -15283,18 +10322,14 @@ export declare namespace cert_manager { */ interface IssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID: string; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID: string; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID: string; } /** * Use the Microsoft Azure DNS API to manage DNS01 challenge records. @@ -15559,10 +10594,6 @@ export declare namespace cert_manager { * This field is required. */ nameserver: string; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol: string; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -15589,10 +10620,6 @@ export declare namespace cert_manager { * This field is required. */ nameserver: string; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol: string; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -15656,32 +10683,11 @@ export declare namespace cert_manager { accessKeyIDSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef; auth: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53Auth; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID: string; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). 
- * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. + * Always set the region when using AccessKeyID and SecretAccessKey */ region: string; /** 
@@ -15810,32 +10816,11 @@ export declare namespace cert_manager { accessKeyIDSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch; auth: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthPatch; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID: string; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). 
- * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. + * Always set the region when using AccessKeyID and SecretAccessKey */ region: string; /** @@ -15893,7 +10878,7 @@ export declare namespace cert_manager { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -15911,7 +10896,7 @@ export declare namespace cert_manager { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName: string; } @@ -15925,7 +10910,7 @@ export declare namespace cert_manager { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -15943,7 +10928,7 @@ export declare namespace cert_manager { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName: string; } 
@@ -15951,7 +10936,7 @@ export declare namespace cert_manager { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ interface IssuerSpecAcmeSolversHttp01 { gatewayHTTPRoute: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoute; @@ -15978,7 +10963,6 @@ export declare namespace cert_manager { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs[]; - podTemplate: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. @@ -15990,12 +10974,15 @@ export declare namespace cert_manager { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -16006,23 +10993,28 @@ export declare namespace cert_manager { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -16030,17 +11022,20 @@ export declare namespace cert_manager { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -16048,6 +11043,7 @@ export declare namespace cert_manager { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -16055,6 +11051,7 @@ export declare namespace cert_manager { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -16063,16 +11060,19 @@ export declare namespace cert_manager { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -16081,6 +11081,7 @@ export declare namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -16088,6 +11089,7 @@ export declare namespace cert_manager { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -16095,10 +11097,12 @@ export declare namespace cert_manager { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -16108,6 +11112,7 @@ export declare namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -16117,12 +11122,15 @@ export declare namespace cert_manager { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -16133,23 +11141,28 @@ export declare namespace cert_manager { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; 
@@ -16157,17 +11170,20 @@ export declare namespace cert_manager { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -16175,6 +11191,7 @@ export declare namespace cert_manager { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -16182,6 +11199,7 @@ export declare namespace cert_manager { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -16190,16 +11208,19 @@ export declare namespace cert_manager { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -16208,6 +11229,7 @@ export declare namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -16215,6 +11237,7 @@ export declare namespace cert_manager { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -16222,10 +11245,12 @@ export declare namespace cert_manager { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -16235,6 +11260,7 @@ export declare namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; 
@@ -16260,2083 +11286,12 @@ export declare namespace cert_manager { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch[]; - podTemplate: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. */ serviceType: string; } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate { - metadata: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata; - spec: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec; - } - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations: { - [key: string]: string; - }; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels: { - [key: string]: string; - }; - } - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. 
- */ - annotations: { - [key: string]: string; - }; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels: { - [key: string]: string; - }; - } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch { - metadata: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch; - spec: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch; - } - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec { - affinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets[]; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector: { - [key: string]: string; - }; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName: string; - resources: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources; - securityContext: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext; - /** - * If specified, the pod's service account - */ - serviceAccountName: string; - /** - * If specified, the pod's tolerations. 
- */ - tolerations: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations[]; - } - /** - * If specified, the pod's scheduling constraints - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity { - nodeAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity; - podAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity; - podAntiAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity; - } - /** - * Describes node affinity scheduling rules for the pod. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution; - } - /** - * Describes node affinity scheduling rules for the pod. 
- */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch; - } - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution { - preference: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight: number; - } - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
- */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - preference: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight: number; - } - /** - * A node selector term, associated with the corresponding weight. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. 
- * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector term, associated with the corresponding weight. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[]; - } - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. 
- * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution { - /** - * Required. A list of node selector terms. The terms are ORed. - */ - nodeSelectorTerms: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[]; - } - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. 
- * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 
- */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch { - /** - * A list of node selector requirements by node's labels. 
- */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[]; - } - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - /** - * Required. A list of node selector terms. The terms are ORed. - */ - nodeSelectorTerms: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[]; - } - /** - * If specified, the pod's scheduling constraints - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch { - nodeAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch; - podAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch; - podAntiAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch; - } - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
- */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[]; - } - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
- */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[]; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight: number; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight: number; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
- * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. 
- */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: { - [key: string]: string; - }; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. 
- * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. 
- * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[]; - } - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. 
- * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[]; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. 
- */ - weight: number; - } - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight: number; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * Required. A pod affinity term, associated with the corresponding weight. 
- */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". 
The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. 
- * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch { - /** - * Name of the referent. 
- * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch { - affinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch[]; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector: { - [key: string]: string; - }; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName: string; - resources: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch; - securityContext: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch; - /** - * If specified, the pod's service account - */ - serviceAccountName: string; - /** - * If specified, the pod's tolerations. - */ - tolerations: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch[]; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. 
- * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: { - [key: string]: number | string; - }; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: { - [key: string]: number | string; - }; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. 
- * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: { - [key: string]: number | string; - }; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: { - [key: string]: number | string; - }; - } - /** - * If specified, the pod's security context - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. 
If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions; - seccompProfile: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls[]; - } - /** - * If specified, the pod's security context - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch; - seccompProfile: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - sysctls: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch[]; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. - */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. - */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - /** - * The seccomp options to use by the containers in this pod. 
- * Note that this field cannot be set when spec.os.name is windows. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type: string; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. 
- */ - type: string; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect: string; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key: string; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator: string; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds: number; - /** - * Value is the taint value the toleration matches to. 
- * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value: string; - } - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect: string; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key: string; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator: string; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds: number; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value: string; - } /** * The ingress based HTTP01 challenge solver will solve challenges by * creating or modifying Ingress resources in order to route requests for 
@@ -18483,7 +11438,7 @@ export declare namespace cert_manager { */ interface IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations: { [key: string]: string; @@ -18503,7 +11458,7 @@ export declare namespace cert_manager { */ interface IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations: { [key: string]: string; @@ -18546,8 +11501,6 @@ export declare namespace cert_manager { * If specified, the pod's priorityClassName. */ priorityClassName: string; - resources: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources; - securityContext: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext; /** * If specified, the pod's service account */ @@ -18987,6 +11940,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** 
@@ -18998,6 +11952,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; @@ -19197,6 +12152,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -19208,6 +12164,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; @@ -19246,6 +12203,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** 
@@ -19257,6 +12215,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; @@ -19461,6 +12420,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -19472,6 +12432,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; 
@@ -19502,8 +12463,8 @@ export declare namespace cert_manager { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; @@ -19529,8 +12490,8 @@ export declare namespace cert_manager { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; 
@@ -19581,6 +12542,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -19592,6 +12554,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; @@ -19791,6 +12754,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -19802,6 +12766,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; 
@@ -19840,6 +12805,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -19851,6 +12817,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; @@ -20055,6 +13022,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -20066,6 +13034,7 @@ export declare namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; 
@@ -20095,7 +13064,9 @@ export declare namespace cert_manager { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name: string; } @@ -20109,7 +13080,9 @@ export declare namespace cert_manager { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name: string; } @@ -20136,8 +13109,6 @@ export declare namespace cert_manager { * If specified, the pod's priorityClassName. */ priorityClassName: string; - resources: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch; - securityContext: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch; /** * If specified, the pod's service account */ 
@@ -20147,326 +13118,6 @@ export declare namespace cert_manager { */ tolerations: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch[]; } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: { - [key: string]: number | string; - }; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: { - [key: string]: number | string; - }; - } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. 
- */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: { - [key: string]: number | string; - }; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: { - [key: string]: number | string; - }; - } - /** - * If specified, the pod's security context - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions; - seccompProfile: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. 
Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls[]; - } - /** - * If specified, the pod's security context - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. 
If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch; - seccompProfile: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch[]; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. - */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. 
- */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type: string; - } - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. 
- * Unconfined - no profile should be applied. - */ - type: string; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - /** - * Sysctl defines a kernel parameter to be set - */ - interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } /** * The pod this Toleration is attached to tolerates any taint that matches * the triple using the matching operator . @@ -20541,7 +13192,7 @@ export declare namespace cert_manager { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ interface IssuerSpecAcmeSolversHttp01Patch { gatewayHTTPRoute: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch; @@ -20763,18 +13414,12 @@ export declare namespace cert_manager { * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". */ server: string; - /** - * ServerName is used to verify the hostname on the returned certificates - * by the Vault server. - */ - serverName: string; } /** * Auth configures how cert-manager authenticates with the Vault server. */ interface IssuerSpecVaultAuth { appRole: outputs.cert_manager.v1.IssuerSpecVaultAuthAppRole; - clientCertificate: outputs.cert_manager.v1.IssuerSpecVaultAuthClientCertificate; kubernetes: outputs.cert_manager.v1.IssuerSpecVaultAuthKubernetes; tokenSecretRef: outputs.cert_manager.v1.IssuerSpecVaultAuthTokenSecretRef; } 
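Review bot: Security-relevant fields disappear from the regenerated output types without any note: the last hunk on this line (old line 20763) drops `serverName` from the Vault issuer spec and `clientCertificate` from `IssuerSpecVaultAuth`. The hunks at old lines 18546 and 20136 drop `resources` and `securityContext` from the HTTP01 ingress solver pod template, and the hunk at old line 21299 drops `caBundleSecretRef` from the Venafi TPP spec. The new-side line numbers are thousands lower than the old ones, which suggests the typings were regenerated from an older cert-manager CRD rather than trimmed on purpose; this is an inference, since the CRD input is not visible here. Code that reads the Vault TLS hostname or the solver pod security context through these types will stop type-checking, so confirm the CRD version passed to crd2pulumi and record it in the changelog, e.g. `- Regenerated from cert-manager CRDs <CRD_VERSION>; Vault serverName/clientCertificate and solver securityContext types are no longer emitted.` The file looks generated, so any correction belongs in the generator input rather than in hand edits here.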
@@ -20850,56 +13495,6 @@ export declare namespace cert_manager { */ name: string; } - /** - * ClientCertificate authenticates with Vault by presenting a client - * certificate during the request's TLS handshake. - * Works only when using HTTPS protocol. - */ - interface IssuerSpecVaultAuthClientCertificate { - /** - * The Vault mountPath here is the mount path to use when authenticating with - * Vault. For example, setting a value to `/v1/auth/foo`, will use the path - * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - * default value "/v1/auth/cert" will be used. - */ - mountPath: string; - /** - * Name of the certificate role to authenticate against. - * If not set, matching any certificate role, if available. - */ - name: string; - /** - * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - * tls.crt and tls.key) used to authenticate to Vault using TLS client - * authentication. - */ - secretName: string; - } - /** - * ClientCertificate authenticates with Vault by presenting a client - * certificate during the request's TLS handshake. - * Works only when using HTTPS protocol. - */ - interface IssuerSpecVaultAuthClientCertificatePatch { - /** - * The Vault mountPath here is the mount path to use when authenticating with - * Vault. For example, setting a value to `/v1/auth/foo`, will use the path - * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - * default value "/v1/auth/cert" will be used. - */ - mountPath: string; - /** - * Name of the certificate role to authenticate against. - * If not set, matching any certificate role, if available. - */ - name: string; - /** - * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - * tls.crt and tls.key) used to authenticate to Vault using TLS client - * authentication. 
- */ - secretName: string; - } /** * Kubernetes authenticates with Vault by passing the ServiceAccount * token stored in the named Secret resource to the Vault server. @@ -21017,7 +13612,6 @@ export declare namespace cert_manager { */ interface IssuerSpecVaultAuthPatch { appRole: outputs.cert_manager.v1.IssuerSpecVaultAuthAppRolePatch; - clientCertificate: outputs.cert_manager.v1.IssuerSpecVaultAuthClientCertificatePatch; kubernetes: outputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesPatch; tokenSecretRef: outputs.cert_manager.v1.IssuerSpecVaultAuthTokenSecretRefPatch; } @@ -21195,11 +13789,6 @@ export declare namespace cert_manager { * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". */ server: string; - /** - * ServerName is used to verify the hostname on the returned certificates - * by the Vault server. - */ - serverName: string; } /** * Venafi configures this issuer to sign certificates using a Venafi TPP @@ -21224,7 +13813,7 @@ export declare namespace cert_manager { apiTokenSecretRef: outputs.cert_manager.v1.IssuerSpecVenafiCloudApiTokenSecretRef; /** * URL is the base URL for Venafi Cloud. - * Defaults to "https://api.venafi.cloud/". + * Defaults to "https://api.venafi.cloud/v1". */ url: string; } @@ -21268,7 +13857,7 @@ export declare namespace cert_manager { apiTokenSecretRef: outputs.cert_manager.v1.IssuerSpecVenafiCloudApiTokenSecretRefPatch; /** * URL is the base URL for Venafi Cloud. - * Defaults to "https://api.venafi.cloud/". + * Defaults to "https://api.venafi.cloud/v1". */ url: string; } @@ -21299,7 +13888,6 @@ export declare namespace cert_manager { * is used to validate the chain. */ caBundle: string; - caBundleSecretRef: outputs.cert_manager.v1.IssuerSpecVenafiTppCaBundleSecretRef; credentialsRef: outputs.cert_manager.v1.IssuerSpecVenafiTppCredentialsRef; /** * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, 
@@ -21308,49 +13896,9 @@ export declare namespace cert_manager { url: string; } /** - * Reference to a Secret containing a base64-encoded bundle of PEM CAs - * which will be used to validate the certificate chain presented by the TPP server. - * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - * the cert-manager controller container is used to validate the TLS connection. - */ - interface IssuerSpecVenafiTppCaBundleSecretRef { - /** - * The key of the entry in the Secret resource's `data` field to be used. - * Some instances of this field may be defaulted, in others it may be - * required. - */ - key: string; - /** - * Name of the resource being referred to. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - /** - * Reference to a Secret containing a base64-encoded bundle of PEM CAs - * which will be used to validate the certificate chain presented by the TPP server. - * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - * the cert-manager controller container is used to validate the TLS connection. - */ - interface IssuerSpecVenafiTppCaBundleSecretRefPatch { - /** - * The key of the entry in the Secret resource's `data` field to be used. - * Some instances of this field may be defaulted, in others it may be - * required. - */ - key: string; - /** - * Name of the resource being referred to. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - /** - * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. - * The secret must contain the key 'access-token' for the Access Token Authentication, - * or two keys, 'username' and 'password' for the API Keys Authentication. 
+ * CredentialsRef is a reference to a Secret containing the username and + * password for the TPP server. + * The secret must contain two keys, 'username' and 'password'. */ interface IssuerSpecVenafiTppCredentialsRef { /** @@ -21360,9 +13908,9 @@ export declare namespace cert_manager { name: string; } /** - * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. - * The secret must contain the key 'access-token' for the Access Token Authentication, - * or two keys, 'username' and 'password' for the API Keys Authentication. + * CredentialsRef is a reference to a Secret containing the username and + * password for the TPP server. + * The secret must contain two keys, 'username' and 'password'. */ interface IssuerSpecVenafiTppCredentialsRefPatch { /** @@ -21383,7 +13931,6 @@ export declare namespace cert_manager { * is used to validate the chain. */ caBundle: string; - caBundleSecretRef: outputs.cert_manager.v1.IssuerSpecVenafiTppCaBundleSecretRefPatch; credentialsRef: outputs.cert_manager.v1.IssuerSpecVenafiTppCredentialsRefPatch; /** * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, 
@@ -21537,1006 +14084,20 @@ export declare namespace cert_manager { } export declare namespace gateway { namespace v1 { - /** - * BackendTLSPolicy provides a way to configure how a Gateway - * connects to a Backend via TLS. - */ - interface BackendTLSPolicy { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion: "gateway.networking.k8s.io/v1"; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind: "BackendTLSPolicy"; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata: outputs.meta.v1.ObjectMeta; - spec: outputs.gateway.v1.BackendTLSPolicySpec; - status: outputs.gateway.v1.BackendTLSPolicyStatus; - } - /** - * Spec defines the desired state of BackendTLSPolicy. - */ - interface BackendTLSPolicySpec { - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options: { - [key: string]: string; - }; - /** - * TargetRefs identifies an API object to apply the policy to. 
- * Only Services have Extended support. Implementations MAY support - * additional objects, with Implementation Specific support. - * Note that this config applies to the entire referenced resource - * by default, but this default may change in the future to provide - * a more granular application of the policy. - * - * TargetRefs must be _distinct_. This means either that: - * - * * They select different targets. If this is the case, then targetRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, and `name` must - * be unique across all targetRef entries in the BackendTLSPolicy. - * * They select different sectionNames in the same target. - * - * When more than one BackendTLSPolicy selects the same target and - * sectionName, implementations MUST determine precedence using the - * following criteria, continuing on ties: - * - * * The older policy by creation timestamp takes precedence. For - * example, a policy with a creation timestamp of "2021-07-15 - * 01:02:03" MUST be given precedence over a policy with a - * creation timestamp of "2021-07-15 01:02:04". - * * The policy appearing first in alphabetical order by {name}. - * For example, a policy named `bar` is given precedence over a - * policy named `baz`. - * - * For any BackendTLSPolicy that does not take precedence, the - * implementation MUST ensure the `Accepted` Condition is set to - * `status: False`, with Reason `Conflicted`. - * - * Support: Extended for Kubernetes Service - * - * Support: Implementation-specific for any other resource - */ - targetRefs: outputs.gateway.v1.BackendTLSPolicySpecTargetRefs[]; - validation: outputs.gateway.v1.BackendTLSPolicySpecValidation; - } - /** - * Spec defines the desired state of BackendTLSPolicy. - */ - interface BackendTLSPolicySpecPatch { - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. 
For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options: { - [key: string]: string; - }; - /** - * TargetRefs identifies an API object to apply the policy to. - * Only Services have Extended support. Implementations MAY support - * additional objects, with Implementation Specific support. - * Note that this config applies to the entire referenced resource - * by default, but this default may change in the future to provide - * a more granular application of the policy. - * - * TargetRefs must be _distinct_. This means either that: - * - * * They select different targets. If this is the case, then targetRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, and `name` must - * be unique across all targetRef entries in the BackendTLSPolicy. - * * They select different sectionNames in the same target. - * - * When more than one BackendTLSPolicy selects the same target and - * sectionName, implementations MUST determine precedence using the - * following criteria, continuing on ties: - * - * * The older policy by creation timestamp takes precedence. For - * example, a policy with a creation timestamp of "2021-07-15 - * 01:02:03" MUST be given precedence over a policy with a - * creation timestamp of "2021-07-15 01:02:04". - * * The policy appearing first in alphabetical order by {name}. - * For example, a policy named `bar` is given precedence over a - * policy named `baz`. - * - * For any BackendTLSPolicy that does not take precedence, the - * implementation MUST ensure the `Accepted` Condition is set to - * `status: False`, with Reason `Conflicted`. 
- * - * Support: Extended for Kubernetes Service - * - * Support: Implementation-specific for any other resource - */ - targetRefs: outputs.gateway.v1.BackendTLSPolicySpecTargetRefsPatch[]; - validation: outputs.gateway.v1.BackendTLSPolicySpecValidationPatch; - } - /** - * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a - * direct policy to. This should be used as part of Policy resources that can - * target single resources. For more information on how this policy attachment - * mode works, and a sample Policy resource, refer to the policy attachment - * documentation for Gateway API. - * - * Note: This should only be used for direct policy attachment when references - * to SectionName are actually needed. In all other cases, - * LocalPolicyTargetReference should be used. - */ - interface BackendTLSPolicySpecTargetRefs { - /** - * Group is the group of the target resource. - */ - group: string; - /** - * Kind is kind of the target resource. - */ - kind: string; - /** - * Name is the name of the target resource. - */ - name: string; - /** - * SectionName is the name of a section within the target resource. When - * unspecified, this targetRef targets the entire resource. In the following - * resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name - * * HTTPRoute: HTTPRouteRule name - * * Service: Port name - * - * If a SectionName is specified, but does not exist on the targeted object, - * the Policy must fail to attach, and the policy implementation should record - * a `ResolvedRefs` or similar Condition in the Policy's status. - */ - sectionName: string; - } - /** - * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a - * direct policy to. This should be used as part of Policy resources that can - * target single resources. 
For more information on how this policy attachment - * mode works, and a sample Policy resource, refer to the policy attachment - * documentation for Gateway API. - * - * Note: This should only be used for direct policy attachment when references - * to SectionName are actually needed. In all other cases, - * LocalPolicyTargetReference should be used. - */ - interface BackendTLSPolicySpecTargetRefsPatch { - /** - * Group is the group of the target resource. - */ - group: string; - /** - * Kind is kind of the target resource. - */ - kind: string; - /** - * Name is the name of the target resource. - */ - name: string; - /** - * SectionName is the name of a section within the target resource. When - * unspecified, this targetRef targets the entire resource. In the following - * resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name - * * HTTPRoute: HTTPRouteRule name - * * Service: Port name - * - * If a SectionName is specified, but does not exist on the targeted object, - * the Policy must fail to attach, and the policy implementation should record - * a `ResolvedRefs` or similar Condition in the Policy's status. - */ - sectionName: string; - } - /** - * Validation contains backend TLS validation configuration. - */ - interface BackendTLSPolicySpecValidation { - /** - * CACertificateRefs contains one or more references to Kubernetes objects that - * contain a PEM-encoded TLS CA certificate bundle, which is used to - * validate a TLS handshake between the Gateway and backend Pod. - * - * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be - * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - * not both. If CACertificateRefs is empty or unspecified, the configuration for - * WellKnownCACertificates MUST be honored instead if supported by the implementation. 
- * - * A CACertificateRef is invalid if: - * - * * It refers to a resource that cannot be resolved (e.g., the referenced resource - * does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - * named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` - * and the Message of the Condition must indicate which reference is invalid and why. - * - * * It refers to an unknown or unsupported kind of resource. In this case, the Reason - * must be set to `InvalidKind` and the Message of the Condition must explain which - * kind of resource is unknown or unsupported. - * - * * It refers to a resource in another namespace. This may change in future - * spec updates. - * - * Implementations MAY choose to perform further validation of the certificate - * content (e.g., checking expiry or enforcing specific formats). In such cases, - * an implementation-specific Reason and Message must be set for the invalid reference. - * - * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - * the BackendTLSPolicy is set to `status: False`, with a Reason and Message - * that indicate the cause of the error. Connections using an invalid - * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - * response. If ALL CACertificateRefs are invalid, the implementation MUST also - * ensure the `Accepted` Condition on the BackendTLSPolicy is set to - * `status: False`, with a Reason `NoValidCACertificate`. - * - * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. - * Implementations MAY choose to support attaching multiple certificates to - * a backend, but this behavior is implementation-specific. - * - * Support: Core - An optional single reference to a Kubernetes ConfigMap, - * with the CA certificate in a key named `ca.crt`. 
- * - * Support: Implementation-specific - More than one reference, other kinds - * of resources, or a single reference that includes multiple certificates. - */ - caCertificateRefs: outputs.gateway.v1.BackendTLSPolicySpecValidationCaCertificateRefs[]; - /** - * Hostname is used for two purposes in the connection between Gateways and - * backends: - * - * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). - * 2. Hostname MUST be used for authentication and MUST match the certificate - * served by the matching backend, unless SubjectAltNames is specified. - * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - * but MUST NOT be used for authentication. If you want to use the value - * of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. - * - * Support: Core - */ - hostname: string; - /** - * SubjectAltNames contains one or more Subject Alternative Names. - * When specified the certificate served from the backend MUST - * have at least one Subject Alternate Name matching one of the specified SubjectAltNames. - * - * Support: Extended - */ - subjectAltNames: outputs.gateway.v1.BackendTLSPolicySpecValidationSubjectAltNames[]; - /** - * WellKnownCACertificates specifies whether system CA certificates may be used in - * the TLS handshake between the gateway and backend pod. - * - * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs - * must be specified with at least one entry for a valid configuration. Only one of - * CACertificateRefs or WellKnownCACertificates may be specified, not both. - * If an implementation does not support the WellKnownCACertificates field, or - * the supplied value is not recognized, the implementation MUST ensure the - * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - * a Reason `Invalid`. 
- * - * Support: Implementation-specific - */ - wellKnownCACertificates: string; - } - /** - * LocalObjectReference identifies an API object within the namespace of the - * referrer. - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface BackendTLSPolicySpecValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "HTTPRoute" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - } - /** - * LocalObjectReference identifies an API object within the namespace of the - * referrer. - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface BackendTLSPolicySpecValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "HTTPRoute" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - } - /** - * Validation contains backend TLS validation configuration. 
- */ - interface BackendTLSPolicySpecValidationPatch { - /** - * CACertificateRefs contains one or more references to Kubernetes objects that - * contain a PEM-encoded TLS CA certificate bundle, which is used to - * validate a TLS handshake between the Gateway and backend Pod. - * - * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be - * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - * not both. If CACertificateRefs is empty or unspecified, the configuration for - * WellKnownCACertificates MUST be honored instead if supported by the implementation. - * - * A CACertificateRef is invalid if: - * - * * It refers to a resource that cannot be resolved (e.g., the referenced resource - * does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - * named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` - * and the Message of the Condition must indicate which reference is invalid and why. - * - * * It refers to an unknown or unsupported kind of resource. In this case, the Reason - * must be set to `InvalidKind` and the Message of the Condition must explain which - * kind of resource is unknown or unsupported. - * - * * It refers to a resource in another namespace. This may change in future - * spec updates. - * - * Implementations MAY choose to perform further validation of the certificate - * content (e.g., checking expiry or enforcing specific formats). In such cases, - * an implementation-specific Reason and Message must be set for the invalid reference. - * - * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - * the BackendTLSPolicy is set to `status: False`, with a Reason and Message - * that indicate the cause of the error. Connections using an invalid - * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - * response. 
If ALL CACertificateRefs are invalid, the implementation MUST also - * ensure the `Accepted` Condition on the BackendTLSPolicy is set to - * `status: False`, with a Reason `NoValidCACertificate`. - * - * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. - * Implementations MAY choose to support attaching multiple certificates to - * a backend, but this behavior is implementation-specific. - * - * Support: Core - An optional single reference to a Kubernetes ConfigMap, - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific - More than one reference, other kinds - * of resources, or a single reference that includes multiple certificates. - */ - caCertificateRefs: outputs.gateway.v1.BackendTLSPolicySpecValidationCaCertificateRefsPatch[]; - /** - * Hostname is used for two purposes in the connection between Gateways and - * backends: - * - * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). - * 2. Hostname MUST be used for authentication and MUST match the certificate - * served by the matching backend, unless SubjectAltNames is specified. - * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - * but MUST NOT be used for authentication. If you want to use the value - * of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. - * - * Support: Core - */ - hostname: string; - /** - * SubjectAltNames contains one or more Subject Alternative Names. - * When specified the certificate served from the backend MUST - * have at least one Subject Alternate Name matching one of the specified SubjectAltNames. - * - * Support: Extended - */ - subjectAltNames: outputs.gateway.v1.BackendTLSPolicySpecValidationSubjectAltNamesPatch[]; - /** - * WellKnownCACertificates specifies whether system CA certificates may be used in - * the TLS handshake between the gateway and backend pod. 
- * - * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs - * must be specified with at least one entry for a valid configuration. Only one of - * CACertificateRefs or WellKnownCACertificates may be specified, not both. - * If an implementation does not support the WellKnownCACertificates field, or - * the supplied value is not recognized, the implementation MUST ensure the - * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - * a Reason `Invalid`. - * - * Support: Implementation-specific - */ - wellKnownCACertificates: string; - } - /** - * SubjectAltName represents Subject Alternative Name. - */ - interface BackendTLSPolicySpecValidationSubjectAltNames { - /** - * Hostname contains Subject Alternative Name specified in DNS name format. - * Required when Type is set to Hostname, ignored otherwise. - * - * Support: Core - */ - hostname: string; - /** - * Type determines the format of the Subject Alternative Name. Always required. - * - * Support: Core - */ - type: string; - /** - * URI contains Subject Alternative Name specified in a full URI format. - * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - * Required when Type is set to URI, ignored otherwise. - * - * Support: Core - */ - uri: string; - } - /** - * SubjectAltName represents Subject Alternative Name. - */ - interface BackendTLSPolicySpecValidationSubjectAltNamesPatch { - /** - * Hostname contains Subject Alternative Name specified in DNS name format. - * Required when Type is set to Hostname, ignored otherwise. - * - * Support: Core - */ - hostname: string; - /** - * Type determines the format of the Subject Alternative Name. Always required. - * - * Support: Core - */ - type: string; - /** - * URI contains Subject Alternative Name specified in a full URI format. 
- * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - * Required when Type is set to URI, ignored otherwise. - * - * Support: Core - */ - uri: string; - } - /** - * Status defines the current state of BackendTLSPolicy. - */ - interface BackendTLSPolicyStatus { - /** - * Ancestors is a list of ancestor resources (usually Gateways) that are - * associated with the policy, and the status of the policy with respect to - * each ancestor. When this policy attaches to a parent, the controller that - * manages the parent and the ancestors MUST add an entry to this list when - * the controller first sees the policy and SHOULD update the entry as - * appropriate when the relevant ancestor is modified. - * - * Note that choosing the relevant ancestor is left to the Policy designers; - * an important part of Policy design is designing the right object level at - * which to namespace this status. - * - * Note also that implementations MUST ONLY populate ancestor status for - * the Ancestor resources they are responsible for. Implementations MUST - * use the ControllerName field to uniquely identify the entries in this list - * that they are responsible for. - * - * Note that to achieve this, the list of PolicyAncestorStatus structs - * MUST be treated as a map with a composite key, made up of the AncestorRef - * and ControllerName fields combined. - * - * A maximum of 16 ancestors will be represented in this list. An empty list - * means the Policy is not relevant for any ancestors. - * - * If this slice is full, implementations MUST NOT add further entries. - * Instead they MUST consider the policy unimplementable and signal that - * on any related resources such as the ancestor that would be referenced - * here. 
For example, if this list was full on BackendTLSPolicy, no - * additional Gateways would be able to reference the Service targeted by - * the BackendTLSPolicy. - */ - ancestors: outputs.gateway.v1.BackendTLSPolicyStatusAncestors[]; - } - /** - * PolicyAncestorStatus describes the status of a route with respect to an - * associated Ancestor. - * - * Ancestors refer to objects that are either the Target of a policy or above it - * in terms of object hierarchy. For example, if a policy targets a Service, the - * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most - * useful object to place Policy status on, so we recommend that implementations - * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - * have a _very_ good reason otherwise. - * - * In the context of policy attachment, the Ancestor is used to distinguish which - * resource results in a distinct application of this policy. For example, if a policy - * targets a Service, it may have a distinct result per attached Gateway. - * - * Policies targeting the same resource may have different effects depending on the - * ancestors of those resources. For example, different Gateways targeting the same - * Service may have different capabilities, especially if they have different underlying - * implementations. - * - * For example, in BackendTLSPolicy, the Policy attaches to a Service that is - * used as a backend in a HTTPRoute that is itself attached to a Gateway. - * In this case, the relevant object for status is the Gateway, and that is the - * ancestor object referred to in this status. - * - * Note that a parent is also an ancestor, so for objects where the parent is the - * relevant object for status, this struct SHOULD still be used. 
- * - * This struct is intended to be used in a slice that's effectively a map, - * with a composite key made up of the AncestorRef and the ControllerName. - */ - interface BackendTLSPolicyStatusAncestors { - ancestorRef: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsAncestorRef; - /** - * Conditions describes the status of the Policy with respect to the given Ancestor. - */ - conditions: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsConditions[]; - /** - * ControllerName is a domain/path string that indicates the name of the - * controller that wrote this status. This corresponds with the - * controllerName field on GatewayClass. - * - * Example: "example.net/gateway-controller". - * - * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - * valid Kubernetes names - * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - * - * Controllers MUST populate this field when writing status. Controllers should ensure that - * entries to status populated with their ControllerName are cleaned up when they are no - * longer necessary. - */ - controllerName: string; - } - /** - * AncestorRef corresponds with a ParentRef in the spec that this - * PolicyAncestorStatus struct describes the status of. - */ - interface BackendTLSPolicyStatusAncestorsAncestorRef { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group: string; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind: string; - /** - * Name is the name of the referent. 
- * - * Support: Core - */ - name: string; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace: string; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. 
- * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. - * - * Support: Extended - */ - port: number; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. 
If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName: string; - } - /** - * AncestorRef corresponds with a ParentRef in the spec that this - * PolicyAncestorStatus struct describes the status of. - */ - interface BackendTLSPolicyStatusAncestorsAncestorRefPatch { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group: string; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind: string; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name: string; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. 
- * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace: string; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. 
- * - * Support: Extended - */ - port: number; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName: string; - } - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - interface BackendTLSPolicyStatusAncestorsConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. 
- */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - interface BackendTLSPolicyStatusAncestorsConditionsPatch { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - /** - * PolicyAncestorStatus describes the status of a route with respect to an - * associated Ancestor. - * - * Ancestors refer to objects that are either the Target of a policy or above it - * in terms of object hierarchy. For example, if a policy targets a Service, the - * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most - * useful object to place Policy status on, so we recommend that implementations - * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - * have a _very_ good reason otherwise. - * - * In the context of policy attachment, the Ancestor is used to distinguish which - * resource results in a distinct application of this policy. For example, if a policy - * targets a Service, it may have a distinct result per attached Gateway. - * - * Policies targeting the same resource may have different effects depending on the - * ancestors of those resources. For example, different Gateways targeting the same - * Service may have different capabilities, especially if they have different underlying - * implementations. - * - * For example, in BackendTLSPolicy, the Policy attaches to a Service that is - * used as a backend in a HTTPRoute that is itself attached to a Gateway. - * In this case, the relevant object for status is the Gateway, and that is the - * ancestor object referred to in this status. 
- * - * Note that a parent is also an ancestor, so for objects where the parent is the - * relevant object for status, this struct SHOULD still be used. - * - * This struct is intended to be used in a slice that's effectively a map, - * with a composite key made up of the AncestorRef and the ControllerName. - */ - interface BackendTLSPolicyStatusAncestorsPatch { - ancestorRef: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsAncestorRefPatch; - /** - * Conditions describes the status of the Policy with respect to the given Ancestor. - */ - conditions: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsConditionsPatch[]; - /** - * ControllerName is a domain/path string that indicates the name of the - * controller that wrote this status. This corresponds with the - * controllerName field on GatewayClass. - * - * Example: "example.net/gateway-controller". - * - * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - * valid Kubernetes names - * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - * - * Controllers MUST populate this field when writing status. Controllers should ensure that - * entries to status populated with their ControllerName are cleaned up when they are no - * longer necessary. - */ - controllerName: string; - } - /** - * Status defines the current state of BackendTLSPolicy. - */ - interface BackendTLSPolicyStatusPatch { - /** - * Ancestors is a list of ancestor resources (usually Gateways) that are - * associated with the policy, and the status of the policy with respect to - * each ancestor. When this policy attaches to a parent, the controller that - * manages the parent and the ancestors MUST add an entry to this list when - * the controller first sees the policy and SHOULD update the entry as - * appropriate when the relevant ancestor is modified. 
- * - * Note that choosing the relevant ancestor is left to the Policy designers; - * an important part of Policy design is designing the right object level at - * which to namespace this status. - * - * Note also that implementations MUST ONLY populate ancestor status for - * the Ancestor resources they are responsible for. Implementations MUST - * use the ControllerName field to uniquely identify the entries in this list - * that they are responsible for. - * - * Note that to achieve this, the list of PolicyAncestorStatus structs - * MUST be treated as a map with a composite key, made up of the AncestorRef - * and ControllerName fields combined. - * - * A maximum of 16 ancestors will be represented in this list. An empty list - * means the Policy is not relevant for any ancestors. - * - * If this slice is full, implementations MUST NOT add further entries. - * Instead they MUST consider the policy unimplementable and signal that - * on any related resources such as the ancestor that would be referenced - * here. For example, if this list was full on BackendTLSPolicy, no - * additional Gateways would be able to reference the Service targeted by - * the BackendTLSPolicy. - */ - ancestors: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsPatch[]; - } /** * GRPCRoute provides a way to route gRPC requests. This includes the capability * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. * Filters can be used to specify additional processing steps. Backends specify * where matching requests will be routed. * + * * GRPCRoute falls under extended support within the Gateway API. Within the * following specification, the word "MUST" indicates that an implementation * supporting GRPCRoute must conform to the indicated requirement, but an * implementation not supporting this route type need not follow the requirement * unless explicitly indicated. 
* + * * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via * ALPN. If the implementation does not support this, then it MUST set the @@ -22544,6 +14105,7 @@ export declare namespace gateway { * "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections * with an upgrade from HTTP/1. * + * * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST * support HTTP/2 over cleartext TCP (h2c, * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial @@ -22579,14 +14141,17 @@ export declare namespace gateway { * Host header to select a GRPCRoute to process the request. This matches * the RFC 1123 definition of a hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label MUST appear by itself as the first label. * + * * If a hostname is specified by both the Listener and GRPCRoute, there * MUST be at least one intersecting hostname for the GRPCRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches GRPCRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -22596,34 +14161,41 @@ export declare namespace gateway { * `test.example.com` and `*.example.com` would both match. On the other * hand, `example.com` and `test.example.net` would not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and GRPCRoute have specified hostnames, any * GRPCRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * GRPCRoute specified `test.example.com` and `test.example.net`, * `test.example.net` MUST NOT be considered for a match. * + * * If both the Listener and GRPCRoute have specified hostnames, and none * match with the criteria above, then the GRPCRoute MUST NOT be accepted by * the implementation. The implementation MUST raise an 'Accepted' Condition * with a status of `False` in the corresponding RouteParentStatus. * + * * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a * Listener and that listener already has another Route (B) of the other * type attached and the intersection of the hostnames of A and B is * non-empty, then the implementation MUST accept exactly one of these two * routes, determined by the following criteria, in order: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * The rejected Route MUST raise an 'Accepted' condition with a status of * 'False' in the corresponding RouteParentStatus. * + * * Support: Core */ hostnames: string[]; 
@@ -22639,16 +14211,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -22658,8 +14235,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -22667,12 +14246,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -22680,10 +14261,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -22695,33 +14278,21 @@ export declare namespace gateway { * Rules are a list of GRPC matchers, filters and actions. */ rules: outputs.gateway.v1.GRPCRouteSpecRules[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** * ParentReference identifies an API object (usually a Gateway) that can be considered * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -22732,23 +14303,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -22756,6 +14332,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -22763,10 +14340,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -22774,6 +14353,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -22781,6 +14361,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -22790,15 +14371,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -22807,6 +14391,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -22814,6 +14399,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -22821,10 +14407,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -22834,6 +14422,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -22843,12 +14432,15 @@ export declare namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -22859,23 +14451,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; 
@@ -22883,6 +14480,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -22890,10 +14488,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -22901,6 +14501,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -22908,6 +14509,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -22917,15 +14519,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -22934,6 +14539,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -22941,6 +14547,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -22948,10 +14555,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -22961,6 +14570,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -22974,14 +14584,17 @@ export declare namespace gateway { * Host header to select a GRPCRoute to process the request. This matches * the RFC 1123 definition of a hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label MUST appear by itself as the first label. * + * * If a hostname is specified by both the Listener and GRPCRoute, there * MUST be at least one intersecting hostname for the GRPCRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches GRPCRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -22991,34 +14604,41 @@ export declare namespace gateway { * `test.example.com` and `*.example.com` would both match. On the other * hand, `example.com` and `test.example.net` would not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and GRPCRoute have specified hostnames, any * GRPCRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * GRPCRoute specified `test.example.com` and `test.example.net`, * `test.example.net` MUST NOT be considered for a match. * + * * If both the Listener and GRPCRoute have specified hostnames, and none * match with the criteria above, then the GRPCRoute MUST NOT be accepted by * the implementation. The implementation MUST raise an 'Accepted' Condition * with a status of `False` in the corresponding RouteParentStatus. * + * * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a * Listener and that listener already has another Route (B) of the other * type attached and the intersection of the hostnames of A and B is * non-empty, then the implementation MUST accept exactly one of these two * routes, determined by the following criteria, in order: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * The rejected Route MUST raise an 'Accepted' condition with a status of * 'False' in the corresponding RouteParentStatus. * + * * Support: Core */ hostnames: string[]; 
@@ -23034,16 +14654,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -23053,8 +14678,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -23062,12 +14689,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -23075,10 +14704,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -23090,21 +14721,6 @@ export declare namespace gateway { * Rules are a list of GRPC matchers, filters and actions. */ rules: outputs.gateway.v1.GRPCRouteSpecRulesPatch[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** * GRPCRouteRule defines the semantics for matching a gRPC request based on 
@@ -23116,30 +14732,38 @@ export declare namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive an `UNAVAILABLE` status. * + * * See the GRPCBackendRef definition for the rules about what makes a single * GRPCBackendRef invalid. * + * * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive an `UNAVAILABLE` status. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. * Implementations may choose how that 50 percent is determined. * + * * Support: Core for Kubernetes Service * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefs[]; 
@@ -23147,26 +14771,32 @@ export declare namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * The effects of ordering of multiple behaviors are currently unspecified. * This can change in the future based on feedback during the alpha stage. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations that support * GRPCRoute. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * - * If an implementation cannot support a combination of filters, it must clearly + * + * If an implementation can not support a combination of filters, it must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. * + * * Support: Core */ filters: outputs.gateway.v1.GRPCRouteSpecRulesFilters[]; @@ -23175,8 +14805,10 @@ export declare namespace gateway { * gRPC requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - method: 
@@ -23188,76 +14820,90 @@ export declare namespace gateway { * service: foo.bar.v2 * ``` * + * * For a request to match against this rule, it MUST satisfy * EITHER of the two conditions: * + * * - service of foo.bar AND contains the header `version: 2` * - service of foo.bar.v2 * + * * See the documentation for GRPCRouteMatch on how to specify multiple * match conditions to be ANDed together. * + * * If no matches are specified, the implementation MUST match every gRPC request. * + * * Proxy or Load Balancer routing configuration generated from GRPCRoutes * MUST prioritize rules based on the following criteria, continuing on * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. * Precedence MUST be given to the rule with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * * Characters in a matching service. * * Characters in a matching method. * * Header matches. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within the Route that has been given precedence, * matching precedence MUST be granted to the first matching rule meeting * the above criteria. */ matches: outputs.gateway.v1.GRPCRouteSpecRulesMatches[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; sessionPersistence: outputs.gateway.v1.GRPCRouteSpecRulesSessionPersistence; } /** * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. 
See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ interface GRPCRouteSpecRulesBackendRefs { /** * Filters defined at this level MUST be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in GRPCRouteRule.) */ @@ -23271,16 +14917,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; 
@@ -23292,11 +14942,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -23316,11 +14968,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; @@ -23342,14 +14996,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations supporting GRPCRoute MUST support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by specific vendors. * In the future, filters showing convergence in behavior across multiple * implementations will be considered for inclusion in extended or core 
@@ -23357,9 +15014,11 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` MUST be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. @@ -23372,8 +15031,10 @@ export declare namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * Support: Implementation-specific * + * * This filter can be used multiple times within the same rule. */ interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRef { @@ -23397,8 +15058,10 @@ export declare namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * Support: Implementation-specific * + * * This filter can be used multiple times within the same rule. */ interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch { 
@@ -23433,14 +15096,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations supporting GRPCRoute MUST support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by specific vendors. * In the future, filters showing convergence in behavior across multiple * implementations will be considered for inclusion in extended or core @@ -23448,9 +15114,11 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` MUST be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. @@ -23461,6 +15129,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier { @@ -23469,15 +15138,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz 
@@ -23489,15 +15161,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -23507,15 +15182,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -23528,7 +15206,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -23548,7 +15227,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -23566,6 +15246,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch { 
@@ -23574,15 +15255,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -23594,15 +15278,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -23612,15 +15299,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -23633,7 +15323,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -23653,7 +15344,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -23672,48 +15364,46 @@ export declare namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirror { backendRef: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef; - fraction: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFraction; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef { @@ -23726,16 +15416,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -23747,11 +15441,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -23767,26 +15463,32 @@ export declare namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch { @@ -23799,16 +15501,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; 
@@ -23820,11 +15526,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -23837,56 +15545,27 @@ export declare namespace gateway { */ port: number; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFraction { - denominator: number; - numerator: number; - } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch { - denominator: number; - numerator: number; - } /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch { backendRef: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch; - fraction: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier { 
@@ -23895,15 +15574,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -23915,15 +15597,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -23933,15 +15618,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -23954,7 +15642,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -23974,7 +15663,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -23992,6 +15682,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch { @@ -24000,15 +15691,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -24020,15 +15714,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -24038,15 +15735,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -24059,7 +15759,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24079,7 +15780,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -24096,31 +15798,42 @@ export declare namespace gateway { /** * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ interface GRPCRouteSpecRulesBackendRefsPatch { /** * Filters defined at this level MUST be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in GRPCRouteRule.) */ 
@@ -24134,16 +15847,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -24155,11 +15872,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -24179,11 +15898,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -24205,14 +15926,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations supporting GRPCRoute MUST support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by specific vendors. * In the future, filters showing convergence in behavior across multiple * implementations will be considered for inclusion in extended or core @@ -24220,9 +15944,11 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` MUST be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. @@ -24235,8 +15961,10 @@ export declare namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * Support: Implementation-specific * + * * This filter can be used multiple times within the same rule. */ interface GRPCRouteSpecRulesFiltersExtensionRef { @@ -24260,8 +15988,10 @@ export declare namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * Support: Implementation-specific * + * * This filter can be used multiple times within the same rule. */ interface GRPCRouteSpecRulesFiltersExtensionRefPatch { 
@@ -24296,14 +16026,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations supporting GRPCRoute MUST support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by specific vendors. * In the future, filters showing convergence in behavior across multiple * implementations will be considered for inclusion in extended or core @@ -24311,9 +16044,11 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` MUST be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. @@ -24324,6 +16059,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface GRPCRouteSpecRulesFiltersRequestHeaderModifier { @@ -24332,15 +16068,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz 
@@ -24352,15 +16091,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -24370,15 +16112,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -24391,7 +16136,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24411,7 +16157,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24429,6 +16176,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch { 
@@ -24437,15 +16185,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -24457,15 +16208,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -24475,15 +16229,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -24496,7 +16253,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -24516,7 +16274,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -24535,48 +16294,46 @@ export declare namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface GRPCRouteSpecRulesFiltersRequestMirror { backendRef: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorBackendRef; - fraction: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorFraction; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRef { @@ -24589,16 +16346,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -24610,11 +16371,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -24630,26 +16393,32 @@ export declare namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch { @@ -24662,16 +16431,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; 
@@ -24683,11 +16456,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -24700,56 +16475,27 @@ export declare namespace gateway { */ port: number; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface GRPCRouteSpecRulesFiltersRequestMirrorFraction { - denominator: number; - numerator: number; - } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface GRPCRouteSpecRulesFiltersRequestMirrorFractionPatch { - denominator: number; - numerator: number; - } /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface GRPCRouteSpecRulesFiltersRequestMirrorPatch { backendRef: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch; - fraction: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorFractionPatch; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface GRPCRouteSpecRulesFiltersResponseHeaderModifier { 
@@ -24758,15 +16504,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -24778,15 +16527,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -24796,15 +16548,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -24817,7 +16572,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -24837,7 +16593,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24855,6 +16612,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch { @@ -24863,15 +16621,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -24883,15 +16644,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -24901,15 +16665,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -24922,7 +16689,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24942,7 +16710,8 @@ export declare namespace gateway { interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24961,9 +16730,11 @@ export declare namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a gRPC request only if its service * is `foo` AND it contains the `version: v1` header: * + * * ``` * matches: * - method: @@ -24973,6 +16744,7 @@ export declare namespace gateway { * - name: "version" * value "v1" * + * * ``` */ interface GRPCRouteSpecRulesMatches { @@ -24992,6 +16764,7 @@ export declare namespace gateway { /** * Name is the name of the gRPC Header to be matched. * + * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent header name MUST be ignored. Due to the 
@@ -25016,6 +16789,7 @@ export declare namespace gateway { /** * Name is the name of the gRPC Header to be matched. * + * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent header name MUST be ignored. Due to the @@ -25041,6 +16815,7 @@ export declare namespace gateway { * Value of the method to match against. If left empty or omitted, will * match all services. * + * * At least one of Service and Method MUST be a non-empty string. */ method: string; @@ -25048,6 +16823,7 @@ export declare namespace gateway { * Value of the service to match against. If left empty or omitted, will * match any service. * + * * At least one of Service and Method MUST be a non-empty string. */ service: string; @@ -25055,8 +16831,10 @@ export declare namespace gateway { * Type specifies how to match against the service and/or method. * Support: Core (Exact with service and method specified) * + * * Support: Implementation-specific (Exact with method specified but no service specified) * + * * Support: Implementation-specific (RegularExpression) */ type: string; @@ -25070,6 +16848,7 @@ export declare namespace gateway { * Value of the method to match against. If left empty or omitted, will * match all services. * + * * At least one of Service and Method MUST be a non-empty string. */ method: string; @@ -25077,6 +16856,7 @@ export declare namespace gateway { * Value of the service to match against. If left empty or omitted, will * match any service. * + * * At least one of Service and Method MUST be a non-empty string. */ service: string; 
@@ -25084,8 +16864,10 @@ export declare namespace gateway { * Type specifies how to match against the service and/or method. * Support: Core (Exact with service and method specified) * + * * Support: Implementation-specific (Exact with method specified but no service specified) * + * * Support: Implementation-specific (RegularExpression) */ type: string; @@ -25095,9 +16877,11 @@ export declare namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a gRPC request only if its service * is `foo` AND it contains the `version: v1` header: * + * * ``` * matches: * - method: @@ -25107,6 +16891,7 @@ export declare namespace gateway { * - name: "version" * value "v1" * + * * ``` */ interface GRPCRouteSpecRulesMatchesPatch { 
@@ -25128,30 +16913,38 @@ export declare namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive an `UNAVAILABLE` status. * + * * See the GRPCBackendRef definition for the rules about what makes a single * GRPCBackendRef invalid. * + * * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive an `UNAVAILABLE` status. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. * Implementations may choose how that 50 percent is determined. * + * * Support: Core for Kubernetes Service * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsPatch[]; 
@@ -25159,26 +16952,32 @@ export declare namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * The effects of ordering of multiple behaviors are currently unspecified. * This can change in the future based on feedback during the alpha stage. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations that support * GRPCRoute. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * - * If an implementation cannot support a combination of filters, it must clearly + * + * If an implementation can not support a combination of filters, it must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. * + * * Support: Core */ filters: outputs.gateway.v1.GRPCRouteSpecRulesFiltersPatch[]; @@ -25187,8 +16986,10 @@ export declare namespace gateway { * gRPC requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - method: 
@@ -25200,52 +17001,56 @@ export declare namespace gateway { * service: foo.bar.v2 * ``` * + * * For a request to match against this rule, it MUST satisfy * EITHER of the two conditions: * + * * - service of foo.bar AND contains the header `version: 2` * - service of foo.bar.v2 * + * * See the documentation for GRPCRouteMatch on how to specify multiple * match conditions to be ANDed together. * + * * If no matches are specified, the implementation MUST match every gRPC request. * + * * Proxy or Load Balancer routing configuration generated from GRPCRoutes * MUST prioritize rules based on the following criteria, continuing on * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. * Precedence MUST be given to the rule with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * * Characters in a matching service. * * Characters in a matching method. * * Header matches. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within the Route that has been given precedence, * matching precedence MUST be granted to the first matching rule meeting * the above criteria. */ matches: outputs.gateway.v1.GRPCRouteSpecRulesMatchesPatch[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; sessionPersistence: outputs.gateway.v1.GRPCRouteSpecRulesSessionPersistencePatch; } /** * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ interface GRPCRouteSpecRulesSessionPersistence { 
@@ -25254,6 +17059,7 @@ export declare namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout: string; @@ -25263,6 +17069,7 @@ export declare namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout: string; @@ -25272,6 +17079,7 @@ export declare namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName: string; @@ -25280,8 +17088,10 @@ export declare namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type: string; @@ -25290,6 +17100,7 @@ export declare namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ interface GRPCRouteSpecRulesSessionPersistenceCookieConfig { @@ -25300,18 +17111,20 @@ export declare namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType: string; @@ -25320,6 +17133,7 @@ export declare namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ interface GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch { 
@@ -25330,18 +17144,20 @@ export declare namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType: string; @@ -25350,6 +17166,7 @@ export declare namespace gateway { * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ interface GRPCRouteSpecRulesSessionPersistencePatch { @@ -25358,6 +17175,7 @@ export declare namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout: string; @@ -25367,6 +17185,7 @@ export declare namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout: string; @@ -25376,6 +17195,7 @@ export declare namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName: string; @@ -25384,8 +17204,10 @@ export declare namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type: string; 
@@ -25402,11 +17224,13 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ @@ -25422,19 +17246,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ 
@@ -25444,12 +17272,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. @@ -25459,6 +17290,22 @@ export declare namespace gateway { } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GRPCRouteStatusParentsConditions { /** 
@@ -25491,11 +17338,31 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GRPCRouteStatusParentsConditionsPatch { /** @@ -25528,6 +17395,10 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } 
@@ -25542,23 +17413,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -25566,6 +17442,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -25573,10 +17450,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -25584,6 +17463,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -25591,6 +17471,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -25600,15 +17481,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -25617,6 +17501,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -25624,6 +17509,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -25631,10 +17517,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -25644,6 +17532,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -25659,23 +17548,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -25683,6 +17577,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -25690,10 +17585,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -25701,6 +17598,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -25708,6 +17606,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -25717,15 +17616,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, 
@@ -25734,6 +17636,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -25741,6 +17644,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -25748,10 +17652,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -25761,6 +17667,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; 
@@ -25775,19 +17682,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -25797,12 +17708,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -25822,11 +17736,13 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ @@ -25856,6 +17772,7 @@ export declare namespace gateway { * GatewayClass describes a class of Gateways available to the user for creating * Gateway resources. * + * * It is recommended that this resource be used as a template for Gateways. This * means that a Gateway is based on the state of the GatewayClass at the time it * was created and changes to the GatewayClass or associated parameters are not @@ -25864,11 +17781,13 @@ export declare namespace gateway { * If implementations choose to propagate GatewayClass changes to existing * Gateways, that MUST be clearly documented by the implementation. * + * * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the * associated GatewayClass. This ensures that a GatewayClass associated with a * Gateway is not deleted while in use. * + * * GatewayClass is a Cluster level resource. */ interface GatewayClass { @@ -25895,10 +17814,13 @@ export declare namespace gateway { * ControllerName is the name of the controller that is managing Gateways of * this class. The value of this field MUST be a domain prefixed path. * + * * Example: "example.net/gateway-controller". * + * * This field is not mutable and cannot be empty. * + * * Support: Core */ controllerName: string; 
@@ -25913,19 +17835,21 @@ export declare namespace gateway { * parameters corresponding to the GatewayClass. This is optional if the * controller does not require any additional configuration. * + * * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, * or an implementation-specific custom resource. The resource can be * cluster-scoped or namespace-scoped. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the GatewayClass SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. + * + * If the referent cannot be found, the GatewayClass's "InvalidParameters" + * status condition will be true. + * * * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * + * * Support: Implementation-specific */ interface GatewayClassSpecParametersRef { 
@@ -25953,19 +17877,21 @@ export declare namespace gateway { * parameters corresponding to the GatewayClass. This is optional if the * controller does not require any additional configuration. * + * * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, * or an implementation-specific custom resource. The resource can be * cluster-scoped or namespace-scoped. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the GatewayClass SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. + * + * If the referent cannot be found, the GatewayClass's "InvalidParameters" + * status condition will be true. + * * * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * + * * Support: Implementation-specific */ interface GatewayClassSpecParametersRefPatch { @@ -25996,10 +17922,13 @@ export declare namespace gateway { * ControllerName is the name of the controller that is managing Gateways of * this class. The value of this field MUST be a domain prefixed path. * + * * Example: "example.net/gateway-controller". * + * * This field is not mutable and cannot be empty. * + * * Support: Core */ controllerName: string; @@ -26012,6 +17941,7 @@ export declare namespace gateway { /** * Status defines the current state of GatewayClass. * + * * Implementations MUST populate status on all GatewayClass resources which * specify their controller name. */ 
@@ -26020,18 +17950,35 @@ export declare namespace gateway { * Conditions is the current status from the controller for * this GatewayClass. * + * * Controllers should prefer to publish conditions using values * of GatewayClassConditionType for the type of each Condition. */ conditions: outputs.gateway.v1.GatewayClassStatusConditions[]; /** * SupportedFeatures is the set of features the GatewayClass support. - * It MUST be sorted in ascending alphabetical order by the Name key. + * It MUST be sorted in ascending alphabetical order. */ - supportedFeatures: outputs.gateway.v1.GatewayClassStatusSupportedFeatures[]; + supportedFeatures: string[]; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayClassStatusConditions { /** 
@@ -26064,11 +18011,31 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayClassStatusConditionsPatch { /** @@ -26101,12 +18068,17 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Status defines the current state of GatewayClass. * + * * Implementations MUST populate status on all GatewayClass resources which * specify their controller name. */ 
@@ -26115,29 +18087,16 @@ export declare namespace gateway { * Conditions is the current status from the controller for * this GatewayClass. * + * * Controllers should prefer to publish conditions using values * of GatewayClassConditionType for the type of each Condition. */ conditions: outputs.gateway.v1.GatewayClassStatusConditionsPatch[]; /** * SupportedFeatures is the set of features the GatewayClass support. - * It MUST be sorted in ascending alphabetical order by the Name key. + * It MUST be sorted in ascending alphabetical order. */ - supportedFeatures: outputs.gateway.v1.GatewayClassStatusSupportedFeaturesPatch[]; - } - interface GatewayClassStatusSupportedFeatures { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. - */ - name: string; - } - interface GatewayClassStatusSupportedFeaturesPatch { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. - */ - name: string; + supportedFeatures: string[]; } /** * Spec defines the desired state of Gateway. @@ -26147,7 +18106,8 @@ export declare namespace gateway { * Addresses requested for this Gateway. This is optional and behavior can * depend on the implementation. If a value is set in the spec and the * requested address is invalid or unavailable, the implementation MUST - * indicate this in an associated entry in GatewayStatus.Conditions. + * indicate this in the associated entry in GatewayStatus.Addresses. + * * * The Addresses field represents a request for the address(es) on the * "outside of the Gateway", that traffic bound for this Gateway will use. 
@@ -26155,38 +18115,20 @@ export declare namespace gateway { * other networking infrastructure, or some other address that traffic will * be sent to. * + * * If no Addresses are specified, the implementation MAY schedule the * Gateway in an implementation-specific manner, assigning an appropriate * set of Addresses. * + * * The implementation MUST bind all Listeners to every GatewayAddress that * it assigns to the Gateway and add a corresponding entry in * GatewayStatus.Addresses. * + * * Support: Extended */ addresses: outputs.gateway.v1.GatewaySpecAddresses[]; - allowedListeners: outputs.gateway.v1.GatewaySpecAllowedListeners; - /** - * DefaultScope, when set, configures the Gateway as a default Gateway, - * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) - * attached to it, according to the scope configured here. - * - * If unset (the default) or set to None, the Gateway will not act as a - * default Gateway; if set, the Gateway will claim any Route with a - * matching scope set in its UseDefaultGateway field, subject to the usual - * rules about which routes the Gateway can attach to. - * - * Think carefully before using this functionality! While the normal rules - * about which Route can apply are still enforced, it is simply easier for - * the wrong Route to be accidentally attached to this Gateway in this - * configuration. If the Gateway operator is not also the operator in - * control of the scope (e.g. namespace) with tight controls and checks on - * what kind of workloads and Routes get added in that scope, we strongly - * recommend not using this just because it seems convenient, and instead - * stick to direct Route attachment. - */ - defaultScope: string; /** * GatewayClassName used for this Gateway. This is the name of a * GatewayClass resource. 
@@ -26198,7 +18140,6 @@ export declare namespace gateway { * logical endpoints that are bound on this Gateway's addresses. * At least one Listener MUST be specified. * - * ## Distinct Listeners * * Each Listener in a set of Listeners (for example, in a single Gateway) * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to 
@@ -26207,107 +18148,97 @@ export declare namespace gateway { * from multiple Gateways onto a single data plane, and these rules _also_ * apply in that case). * + * * Practically, this means that each listener in a set MUST have a unique * combination of Port, Protocol, and, if supported by the protocol, Hostname. * - * Some combinations of port, protocol, and TLS settings are considered - * Core support and MUST be supported by implementations based on the objects - * they support: * - * HTTPRoute + * Some combinations of port, protocol, and TLS settings are considered + * Core support and MUST be supported by implementations based on their + * targeted conformance profile: + * + * + * HTTP Profile + * * * 1. HTTPRoute, Port: 80, Protocol: HTTP * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided * - * TLSRoute + * + * TLS Profile + * * * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough * + * * "Distinct" Listeners have the following property: * - * **The implementation can match inbound requests to a single distinct - * Listener**. * - * When multiple Listeners share values for fields (for + * The implementation can match inbound requests to a single distinct + * Listener. When multiple Listeners share values for fields (for * example, two Listeners with the same Port value), the implementation * can match requests to only one of the Listeners using other * Listener fields. * - * When multiple listeners have the same value for the Protocol field, then - * each of the Listeners with matching Protocol values MUST have different - * values for other fields. * - * The set of fields that MUST be different for a Listener differs per protocol. - * The following rules define the rules for what fields MUST be considered for - * Listeners to be distinct with each protocol currently defined in the - * Gateway API spec. 
+ * For example, the following Listener scenarios are distinct: * - * The set of listeners that all share a protocol value MUST have _different_ - * values for _at least one_ of these fields to be distinct: * - * * **HTTP, HTTPS, TLS**: Port, Hostname - * * **TCP, UDP**: Port + * 1. Multiple Listeners with the same Port that all use the "HTTP" + * Protocol that all have unique Hostname values. + * 2. Multiple Listeners with the same Port that use either the "HTTPS" or + * "TLS" Protocol that all have unique Hostname values. + * 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + * with the same Protocol has the same Port value. * - * One **very** important rule to call out involves what happens when an - * implementation: * - * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - * Listeners, and - * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - * Protocol. + * Some fields in the Listener struct have possible values that affect + * whether the Listener is distinct. Hostname is particularly relevant + * for HTTP or HTTPS protocols. * - * In this case all the Listeners that share a port with the - * TCP Listener are not distinct and so MUST NOT be accepted. * - * If an implementation does not support TCP Protocol Listeners, then the - * previous rule does not apply, and the TCP Listeners SHOULD NOT be - * accepted. + * When using the Hostname value to select between same-Port, same-Protocol + * Listeners, the Hostname value must be different on each Listener for the + * Listener to be distinct. * - * Note that the `tls` field is not used for determining if a listener is distinct, because - * Listeners that _only_ differ on TLS config will still conflict in all cases. 
* - * ### Listeners that are distinct only by Hostname - * - * When the Listeners are distinct based only on Hostname, inbound request + * When the Listeners are distinct based on Hostname, inbound request * hostnames MUST match from the most specific to least specific Hostname * values to choose the correct Listener and its associated set of Routes. * - * Exact matches MUST be processed before wildcard matches, and wildcard - * matches MUST be processed before fallback (empty Hostname value) + * + * Exact matches must be processed before wildcard matches, and wildcard + * matches must be processed before fallback (empty Hostname value) * matches. For example, `"foo.example.com"` takes precedence over * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. * + * * Additionally, if there are multiple wildcard entries, more specific * wildcard entries must be processed before less specific wildcard entries. * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. - * * The precise definition here is that the higher the number of dots in the * hostname to the right of the wildcard character, the higher the precedence. * + * * The wildcard character will match any number of characters _and dots_ to * the left, however, so `"*.example.com"` will match both * `"foo.bar.example.com"` _and_ `"bar.example.com"`. * - * ## Handling indistinct Listeners * * If a set of Listeners contains Listeners that are not distinct, then those - * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + * Listeners are Conflicted, and the implementation MUST set the "Conflicted" * condition in the Listener Status to "True". * - * The words "indistinct" and "conflicted" are considered equivalent for the - * purpose of this documentation. * * Implementations MAY choose to accept a Gateway with some Conflicted * Listeners only if they only accept the partial Listener set that contains - * no Conflicted Listeners. 
+ * no Conflicted Listeners. To put this another way, implementations may + * accept a partial Listener set only if they throw out *all* the conflicting + * Listeners. No picking one of the conflicting listeners as the winner. + * This also means that the Gateway must have at least one non-conflicting + * Listener in this case, otherwise it violates the requirement that at + * least one Listener must be present. * - * Specifically, an implementation MAY accept a partial Listener set subject to - * the following rules: - * - * * The implementation MUST NOT pick one conflicting Listener as the winner. - * ALL indistinct Listeners must not be accepted for processing. - * * At least one distinct Listener MUST be present, or else the Gateway effectively - * contains _no_ Listeners, and must be rejected from processing as a whole. * * The implementation MUST set a "ListenersNotValid" condition on the * Gateway Status when the Gateway contains Conflicted Listeners whether or 
@@ -26316,51 +18247,44 @@ export declare namespace gateway { * Accepted. Additionally, the Listener status for those listeners SHOULD * indicate which Listeners are conflicted and not Accepted. * - * ## General Listener behavior * - * Note that, for all distinct Listeners, requests SHOULD match at most one Listener. - * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - * request to "foo.example.com" SHOULD only be routed using routes attached - * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * A Gateway's Listeners are considered "compatible" if: * - * This concept is known as "Listener Isolation", and it is an Extended feature - * of Gateway API. Implementations that do not support Listener Isolation MUST - * clearly document this, and MUST NOT claim support for the - * `GatewayHTTPListenerIsolation` feature. - * - * Implementations that _do_ support Listener Isolation SHOULD claim support - * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - * conformance tests. - * - * ## Compatible Listeners - * - * A Gateway's Listeners are considered _compatible_ if: * * 1. They are distinct. * 2. The implementation can serve them in compliance with the Addresses * requirement that all Listeners are available on all assigned * addresses. * + * * Compatible combinations in Extended support are expected to vary across * implementations. A combination that is compatible for one implementation * may not be compatible for another. * + * * For example, an implementation that cannot serve both TCP and UDP listeners * on the same address, or cannot mix HTTPS and generic TLS listens on the same port * would not consider those cases compatible, even though they are distinct. * + * + * Note that requests SHOULD match at most one Listener. 
For example, if + * Listeners are defined for "foo.example.com" and "*.example.com", a + * request to "foo.example.com" SHOULD only be routed using routes attached + * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * This concept is known as "Listener Isolation". Implementations that do + * not support Listener Isolation MUST clearly document this. + * + * * Implementations MAY merge separate Gateways onto a single set of * Addresses if all Listeners across all Gateways are compatible. * - * In a future release the MinItems=1 requirement MAY be dropped. * * Support: Core */ listeners: outputs.gateway.v1.GatewaySpecListeners[]; - tls: outputs.gateway.v1.GatewaySpecTls; } /** - * GatewaySpecAddress describes an address that can be bound to a Gateway. + * GatewayAddress describes an address that can be bound to a Gateway. */ interface GatewaySpecAddresses { /** @@ -26368,18 +18292,16 @@ export declare namespace gateway { */ type: string; /** - * When a value is unspecified, an implementation SHOULD automatically - * assign an address matching the requested type if possible. + * Value of the address. The validity of the values will depend + * on the type and support by the controller. * - * If an implementation does not support an empty value, they MUST set the - * "Programmed" condition in status to False with a reason of "AddressNotAssigned". * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value: string; } /** - * GatewaySpecAddress describes an address that can be bound to a Gateway. + * GatewayAddress describes an address that can be bound to a Gateway. */ interface GatewaySpecAddressesPatch { /** 
@@ -26387,164 +18309,32 @@ export declare namespace gateway { */ type: string; /** - * When a value is unspecified, an implementation SHOULD automatically - * assign an address matching the requested type if possible. + * Value of the address. The validity of the values will depend + * on the type and support by the controller. * - * If an implementation does not support an empty value, they MUST set the - * "Programmed" condition in status to False with a reason of "AddressNotAssigned". * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value: string; } - /** - * AllowedListeners defines which ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - interface GatewaySpecAllowedListeners { - namespaces: outputs.gateway.v1.GatewaySpecAllowedListenersNamespaces; - } - /** - * Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - interface GatewaySpecAllowedListenersNamespaces { - /** - * From indicates where ListenerSets can attach to this Gateway. Possible - * values are: - * - * * Same: Only ListenerSets in the same namespace may be attached to this Gateway. - * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. - * * All: ListenerSets in all namespaces may be attached to this Gateway. - * * None: Only listeners defined in the Gateway's spec are allowed - * - * While this feature is experimental, the default value None - */ - from: string; - selector: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelector; - } - /** - * Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. 
- */ - interface GatewaySpecAllowedListenersNamespacesPatch { - /** - * From indicates where ListenerSets can attach to this Gateway. Possible - * values are: - * - * * Same: Only ListenerSets in the same namespace may be attached to this Gateway. - * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. - * * All: ListenerSets in all namespaces may be attached to this Gateway. - * * None: Only listeners defined in the Gateway's spec are allowed - * - * While this feature is experimental, the default value None - */ - from: string; - selector: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorPatch; - } - /** - * Selector must be specified when From is set to "Selector". In that case, - * only ListenerSets in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - */ - interface GatewaySpecAllowedListenersNamespacesSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * Selector must be specified when From is set to "Selector". In that case, - * only ListenerSets in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - */ - interface GatewaySpecAllowedListenersNamespacesSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * AllowedListeners defines which ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. 
- */ - interface GatewaySpecAllowedListenersPatch { - namespaces: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesPatch; - } /** * Infrastructure defines infrastructure level attributes about this Gateway instance. * - * Support: Extended + * + * Support: Core */ interface GatewaySpecInfrastructure { /** * Annotations that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. * + * * An implementation may chose to add additional implementation-specific annotations as they see fit. * + * * Support: Extended */ annotations: { @@ -26553,13 +18343,13 @@ export declare namespace gateway { /** * Labels that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. * For other implementations, this refers to any relevant (implementation specific) "labels" concepts. * + * * An implementation may chose to add additional implementation-specific labels as they see fit. * - * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - * change, it SHOULD clearly warn about this behavior in documentation. * * Support: Extended */ 
@@ -26573,16 +18363,14 @@ export declare namespace gateway { * parameters corresponding to the Gateway. This is optional if the * controller does not require any additional configuration. * + * * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis * + * * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Gateway SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. * * Support: Implementation-specific */ @@ -26605,16 +18393,14 @@ export declare namespace gateway { * parameters corresponding to the Gateway. This is optional if the * controller does not require any additional configuration. * + * * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis * + * * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Gateway SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. * * Support: Implementation-specific */ 
@@ -26635,17 +18421,21 @@ export declare namespace gateway { /** * Infrastructure defines infrastructure level attributes about this Gateway instance. * - * Support: Extended + * + * Support: Core */ interface GatewaySpecInfrastructurePatch { /** * Annotations that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. * + * * An implementation may chose to add additional implementation-specific annotations as they see fit. * + * * Support: Extended */ annotations: { @@ -26654,13 +18444,13 @@ export declare namespace gateway { /** * Labels that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. * For other implementations, this refers to any relevant (implementation specific) "labels" concepts. * + * * An implementation may chose to add additional implementation-specific labels as they see fit. * - * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - * change, it SHOULD clearly warn about this behavior in documentation. * * Support: Extended */ 
@@ -26681,36 +18471,18 @@ export declare namespace gateway { * field is ignored for protocols that don't require hostname based * matching. * + * * Implementations MUST apply Hostname matching appropriately for each of * the following protocols: * + * * * TLS: The Listener Hostname MUST match the SNI. * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - * Note that this does not require the SNI and Host header to be the same. - * The semantics of this are described in more detail below. + * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + * protocol layers as described above. If an implementation does not + * ensure that both the SNI and Host header match the Listener hostname, + * it MUST clearly document that. * - * To ensure security, Section 11.1 of RFC-6066 emphasizes that server - * implementations that rely on SNI hostname matching MUST also verify - * hostnames within the application protocol. - * - * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - * reuse of a connection by responding with the HTTP 421 Misdirected Request - * status code. This indicates that the origin server has rejected the - * request because it appears to have been misdirected. - * - * To detect misdirected requests, Gateways SHOULD match the authority of - * the requests with all the SNI hostname(s) configured across all the - * Gateway Listeners on the same port and protocol: - * - * * If another Listener has an exact match or more specific wildcard entry, - * the Gateway SHOULD return a 421. - * * If the current Listener (selected by SNI matching during ClientHello) - * does not match the Host: - * * If another Listener does match the Host the Gateway SHOULD return a - * 421. - * * If no other Listener matches the Host, the Gateway MUST return a - * 404. 
* * For HTTPRoute and TLSRoute resources, there is an interaction with the * `spec.hostnames` array. When both listener and route specify hostnames, @@ -26718,10 +18490,12 @@ export declare namespace gateway { * accepted. For more information, refer to the Route specific Hostnames * documentation. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * Support: Core */ hostname: string; @@ -26729,6 +18503,7 @@ export declare namespace gateway { * Name is the name of the Listener. This name MUST be unique within a * Gateway. * + * * Support: Core */ name: string; @@ -26736,12 +18511,14 @@ export declare namespace gateway { * Port is the network port. Multiple listeners may use the * same port, subject to the Listener compatibility rules. * + * * Support: Core */ port: number; /** * Protocol specifies the network protocol this listener expects to receive. * + * * Support: Core */ protocol: string; @@ -26752,10 +18529,12 @@ export declare namespace gateway { * Listener and the trusted namespaces where those Route resources MAY be * present. * + * * Although a client request may match multiple route rules, only one rule * may ultimately receive the request. Matching precedence MUST be * determined in order of the following criteria: * + * * * The most specific match as defined by the Route type. * * The oldest Route based on creation timestamp. For example, a Route with * a creation timestamp of "2020-09-08 01:02:03" is given precedence over 
@@ -26764,6 +18543,7 @@ export declare namespace gateway { * alphabetical order (namespace/name) should be given precedence. For * example, foo/bar is given precedence over foo/baz. * + * * All valid rules within a Route attached to this Listener should be * implemented. Invalid Route rules can be ignored (sometimes that will mean * the full Route). If a Route rule transitions from valid to invalid, @@ -26771,6 +18551,7 @@ export declare namespace gateway { * example, even if a filter specified by a Route rule is invalid, the rest * of the rules within that Route should still be supported. * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutes { @@ -26779,12 +18560,14 @@ export declare namespace gateway { * to this Gateway Listener. When unspecified or empty, the kinds of Routes * selected are determined using the Listener protocol. * + * * A RouteGroupKind MUST correspond to kinds of Routes that are compatible * with the application protocol specified in the Listener's Protocol field. * If an implementation does not support or recognize this resource type, it * MUST set the "ResolvedRefs" condition to False for this Listener with the * "InvalidRouteKinds" reason. * + * * Support: Core */ kinds: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesKinds[]; @@ -26820,6 +18603,7 @@ export declare namespace gateway { * Namespaces indicates namespaces from which Routes may be attached to this * Listener. This is restricted to the namespace of this Gateway by default. * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesNamespaces { 
@@ -26827,11 +18611,13 @@ export declare namespace gateway { * From indicates where Routes will be selected for this Gateway. Possible * values are: * + * * * All: Routes in all namespaces may be used by this Gateway. * * Selector: Routes in namespaces selected by the selector may be used by * this Gateway. * * Same: Only Routes in the same namespace may be used by this Gateway. * + * * Support: Core */ from: string; @@ -26841,6 +18627,7 @@ export declare namespace gateway { * Namespaces indicates namespaces from which Routes may be attached to this * Listener. This is restricted to the namespace of this Gateway by default. * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesNamespacesPatch { @@ -26848,11 +18635,13 @@ export declare namespace gateway { * From indicates where Routes will be selected for this Gateway. Possible * values are: * + * * * All: Routes in all namespaces may be used by this Gateway. * * Selector: Routes in namespaces selected by the selector may be used by * this Gateway. * * Same: Only Routes in the same namespace may be used by this Gateway. * + * * Support: Core */ from: string; @@ -26863,6 +18652,7 @@ export declare namespace gateway { * only Routes in Namespaces matching this Selector will be selected by this * Gateway. This field is ignored for other values of "From". * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesNamespacesSelector { @@ -26928,6 +18718,7 @@ export declare namespace gateway { * only Routes in Namespaces matching this Selector will be selected by this * Gateway. This field is ignored for other values of "From". * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch { 
@@ -26949,10 +18740,12 @@ export declare namespace gateway { * Listener and the trusted namespaces where those Route resources MAY be * present. * + * * Although a client request may match multiple route rules, only one rule * may ultimately receive the request. Matching precedence MUST be * determined in order of the following criteria: * + * * * The most specific match as defined by the Route type. * * The oldest Route based on creation timestamp. For example, a Route with * a creation timestamp of "2020-09-08 01:02:03" is given precedence over @@ -26961,6 +18754,7 @@ export declare namespace gateway { * alphabetical order (namespace/name) should be given precedence. For * example, foo/bar is given precedence over foo/baz. * + * * All valid rules within a Route attached to this Listener should be * implemented. Invalid Route rules can be ignored (sometimes that will mean * the full Route). If a Route rule transitions from valid to invalid, @@ -26968,6 +18762,7 @@ export declare namespace gateway { * example, even if a filter specified by a Route rule is invalid, the rest * of the rules within that Route should still be supported. * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesPatch { @@ -26976,12 +18771,14 @@ export declare namespace gateway { * to this Gateway Listener. When unspecified or empty, the kinds of Routes * selected are determined using the Listener protocol. * + * * A RouteGroupKind MUST correspond to kinds of Routes that are compatible * with the application protocol specified in the Listener's Protocol field. * If an implementation does not support or recognize this resource type, it * MUST set the "ResolvedRefs" condition to False for this Listener with the * "InvalidRouteKinds" reason. * + * * Support: Core */ kinds: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesKindsPatch[]; 
@@ -26999,36 +18796,18 @@ export declare namespace gateway { * field is ignored for protocols that don't require hostname based * matching. * + * * Implementations MUST apply Hostname matching appropriately for each of * the following protocols: * + * * * TLS: The Listener Hostname MUST match the SNI. * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - * Note that this does not require the SNI and Host header to be the same. - * The semantics of this are described in more detail below. + * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + * protocol layers as described above. If an implementation does not + * ensure that both the SNI and Host header match the Listener hostname, + * it MUST clearly document that. * - * To ensure security, Section 11.1 of RFC-6066 emphasizes that server - * implementations that rely on SNI hostname matching MUST also verify - * hostnames within the application protocol. - * - * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - * reuse of a connection by responding with the HTTP 421 Misdirected Request - * status code. This indicates that the origin server has rejected the - * request because it appears to have been misdirected. - * - * To detect misdirected requests, Gateways SHOULD match the authority of - * the requests with all the SNI hostname(s) configured across all the - * Gateway Listeners on the same port and protocol: - * - * * If another Listener has an exact match or more specific wildcard entry, - * the Gateway SHOULD return a 421. - * * If the current Listener (selected by SNI matching during ClientHello) - * does not match the Host: - * * If another Listener does match the Host the Gateway SHOULD return a - * 421. - * * If no other Listener matches the Host, the Gateway MUST return a - * 404. 
* * For HTTPRoute and TLSRoute resources, there is an interaction with the * `spec.hostnames` array. When both listener and route specify hostnames, @@ -27036,10 +18815,12 @@ export declare namespace gateway { * accepted. For more information, refer to the Route specific Hostnames * documentation. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * Support: Core */ hostname: string; @@ -27047,6 +18828,7 @@ export declare namespace gateway { * Name is the name of the Listener. This name MUST be unique within a * Gateway. * + * * Support: Core */ name: string; @@ -27054,12 +18836,14 @@ export declare namespace gateway { * Port is the network port. Multiple listeners may use the * same port, subject to the Listener compatibility rules. * + * * Support: Core */ port: number; /** * Protocol specifies the network protocol this listener expects to receive. * + * * Support: Core */ protocol: string; @@ -27070,12 +18854,15 @@ export declare namespace gateway { * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field * if the Protocol field is "HTTP", "TCP", or "UDP". * - * The association of SNIs to Certificate defined in ListenerTLSConfig is + * + * The association of SNIs to Certificate defined in GatewayTLSConfig is * defined based on the Hostname field for this listener. * + * * The GatewayClass MUST use the longest matching SNI out of all * available certificates for any TLS handshake. * + * * Support: Core */ interface GatewaySpecListenersTls { 
@@ -27085,31 +18872,39 @@ export declare namespace gateway { * establish a TLS handshake for requests that match the hostname of the * associated listener. * + * * A single CertificateRef to a Kubernetes Secret has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a Listener, but this behavior is implementation-specific. * + * * References to a resource in different namespace are invalid UNLESS there * is a ReferenceGrant in the target namespace that allows the certificate * to be attached. If a ReferenceGrant does not allow this reference, the * "ResolvedRefs" condition MUST be set to False for this listener with the * "RefNotPermitted" reason. * + * * This field is required to have at least one element when the mode is set * to "Terminate" (default) and is optional otherwise. * + * * CertificateRefs can reference to standard Kubernetes resources, i.e. * Secret, or implementation-specific custom resources. * + * * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls * + * * Support: Implementation-specific (More than one reference or other resource types) */ certificateRefs: outputs.gateway.v1.GatewaySpecListenersTlsCertificateRefs[]; + frontendValidation: outputs.gateway.v1.GatewaySpecListenersTlsFrontendValidation; /** * Mode defines the TLS behavior for the TLS session initiated by the client. * There are two possible modes: * + * * - Terminate: The TLS session between the downstream client and the * Gateway is terminated at the Gateway. This mode requires certificates * to be specified in some way, such as populating the certificateRefs @@ -27119,6 +18914,7 @@ export declare namespace gateway { * the ClientHello message of the TLS protocol. The certificateRefs field * is ignored in this mode. * + * * Support: Core */ mode: string; 
@@ -27127,11 +18923,13 @@ export declare namespace gateway { * configuration for each implementation. For example, configuring the * minimum TLS version or supported cipher suites. * + * * A set of common keys MAY be defined by the API in the future. To avoid * any ambiguity, implementation-specific definitions MUST use * domain-prefixed names, such as `example.com/my-custom-option`. * Un-prefixed names are reserved for key names defined by Gateway API. * + * * Support: Implementation-specific */ options: { @@ -27142,9 +18940,11 @@ export declare namespace gateway { * SecretObjectReference identifies an API object including its namespace, * defaulting to Secret. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. @@ -27167,11 +18967,13 @@ export declare namespace gateway { * Namespace is the namespace of the referenced object. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -27180,9 +18982,11 @@ export declare namespace gateway { * SecretObjectReference identifies an API object including its namespace, * defaulting to Secret. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. 
@@ -27205,26 +19009,193 @@ export declare namespace gateway { * Namespace is the namespace of the referenced object. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; } + /** + * FrontendValidation holds configuration information for validating the frontend (client). + * Setting this field will require clients to send a client certificate + * required for validation during the TLS handshake. In browsers this may result in a dialog appearing + * that requests a user to specify the client certificate. + * The maximum depth of a certificate chain accepted in verification is Implementation specific. + * + * + * Support: Extended + */ + interface GatewaySpecListenersTlsFrontendValidation { + /** + * CACertificateRefs contains one or more references to + * Kubernetes objects that contain TLS certificates of + * the Certificate Authorities that can be used + * as a trust anchor to validate the certificates presented by the client. + * + * + * A single CA certificate reference to a Kubernetes ConfigMap + * has "Core" support. + * Implementations MAY choose to support attaching multiple CA certificates to + * a Listener, but this behavior is implementation-specific. + * + * + * Support: Core - A single reference to a Kubernetes ConfigMap + * with the CA certificate in a key named `ca.crt`. + * + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). + * + * + * References to a resource in a different namespace are invalid UNLESS there + * is a ReferenceGrant in the target namespace that allows the certificate + * to be attached. 
If a ReferenceGrant does not allow this reference, the + * "ResolvedRefs" condition MUST be set to False for this listener with the + * "RefNotPermitted" reason. + */ + caCertificateRefs: outputs.gateway.v1.GatewaySpecListenersTlsFrontendValidationCaCertificateRefs[]; + } + /** + * ObjectReference identifies an API object including its namespace. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + * + * + * References to objects with invalid Group and Kind are not valid, and must + * be rejected by the implementation, with appropriate Conditions set + * on the containing object. + */ + interface GatewaySpecListenersTlsFrontendValidationCaCertificateRefs { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is kind of the referent. For example "ConfigMap" or "Service". + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the referenced object. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + } + /** + * ObjectReference identifies an API object including its namespace. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + * + * + * References to objects with invalid Group and Kind are not valid, and must + * be rejected by the implementation, with appropriate Conditions set + * on the containing object. 
+ */ + interface GatewaySpecListenersTlsFrontendValidationCaCertificateRefsPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is kind of the referent. For example "ConfigMap" or "Service". + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the referenced object. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + } + /** + * FrontendValidation holds configuration information for validating the frontend (client). + * Setting this field will require clients to send a client certificate + * required for validation during the TLS handshake. In browsers this may result in a dialog appearing + * that requests a user to specify the client certificate. + * The maximum depth of a certificate chain accepted in verification is Implementation specific. + * + * + * Support: Extended + */ + interface GatewaySpecListenersTlsFrontendValidationPatch { + /** + * CACertificateRefs contains one or more references to + * Kubernetes objects that contain TLS certificates of + * the Certificate Authorities that can be used + * as a trust anchor to validate the certificates presented by the client. + * + * + * A single CA certificate reference to a Kubernetes ConfigMap + * has "Core" support. + * Implementations MAY choose to support attaching multiple CA certificates to + * a Listener, but this behavior is implementation-specific. 
+ * + * + * Support: Core - A single reference to a Kubernetes ConfigMap + * with the CA certificate in a key named `ca.crt`. + * + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). + * + * + * References to a resource in a different namespace are invalid UNLESS there + * is a ReferenceGrant in the target namespace that allows the certificate + * to be attached. If a ReferenceGrant does not allow this reference, the + * "ResolvedRefs" condition MUST be set to False for this listener with the + * "RefNotPermitted" reason. + */ + caCertificateRefs: outputs.gateway.v1.GatewaySpecListenersTlsFrontendValidationCaCertificateRefsPatch[]; + } /** * TLS is the TLS configuration for the Listener. This field is required if * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field * if the Protocol field is "HTTP", "TCP", or "UDP". * - * The association of SNIs to Certificate defined in ListenerTLSConfig is + * + * The association of SNIs to Certificate defined in GatewayTLSConfig is * defined based on the Hostname field for this listener. * + * * The GatewayClass MUST use the longest matching SNI out of all * available certificates for any TLS handshake. * + * * Support: Core */ interface GatewaySpecListenersTlsPatch { 
@@ -27234,31 +19205,39 @@ export declare namespace gateway { * establish a TLS handshake for requests that match the hostname of the * associated listener. * + * * A single CertificateRef to a Kubernetes Secret has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a Listener, but this behavior is implementation-specific. * + * * References to a resource in different namespace are invalid UNLESS there * is a ReferenceGrant in the target namespace that allows the certificate * to be attached. If a ReferenceGrant does not allow this reference, the * "ResolvedRefs" condition MUST be set to False for this listener with the * "RefNotPermitted" reason. * + * * This field is required to have at least one element when the mode is set * to "Terminate" (default) and is optional otherwise. * + * * CertificateRefs can reference to standard Kubernetes resources, i.e. * Secret, or implementation-specific custom resources. * + * * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls * + * * Support: Implementation-specific (More than one reference or other resource types) */ certificateRefs: outputs.gateway.v1.GatewaySpecListenersTlsCertificateRefsPatch[]; + frontendValidation: outputs.gateway.v1.GatewaySpecListenersTlsFrontendValidationPatch; /** * Mode defines the TLS behavior for the TLS session initiated by the client. * There are two possible modes: * + * * - Terminate: The TLS session between the downstream client and the * Gateway is terminated at the Gateway. This mode requires certificates * to be specified in some way, such as populating the certificateRefs @@ -27268,6 +19247,7 @@ export declare namespace gateway { * the ClientHello message of the TLS protocol. The certificateRefs field * is ignored in this mode. * + * * Support: Core */ mode: string; 
@@ -27276,11 +19256,13 @@ export declare namespace gateway { * configuration for each implementation. For example, configuring the * minimum TLS version or supported cipher suites. * + * * A set of common keys MAY be defined by the API in the future. To avoid * any ambiguity, implementation-specific definitions MUST use * domain-prefixed names, such as `example.com/my-custom-option`. * Un-prefixed names are reserved for key names defined by Gateway API. * + * * Support: Implementation-specific */ options: { @@ -27295,7 +19277,8 @@ export declare namespace gateway { * Addresses requested for this Gateway. This is optional and behavior can * depend on the implementation. If a value is set in the spec and the * requested address is invalid or unavailable, the implementation MUST - * indicate this in an associated entry in GatewayStatus.Conditions. + * indicate this in the associated entry in GatewayStatus.Addresses. + * * * The Addresses field represents a request for the address(es) on the * "outside of the Gateway", that traffic bound for this Gateway will use. 
@@ -27303,38 +19286,20 @@ export declare namespace gateway { * other networking infrastructure, or some other address that traffic will * be sent to. * + * * If no Addresses are specified, the implementation MAY schedule the * Gateway in an implementation-specific manner, assigning an appropriate * set of Addresses. * + * * The implementation MUST bind all Listeners to every GatewayAddress that * it assigns to the Gateway and add a corresponding entry in * GatewayStatus.Addresses. * + * * Support: Extended */ addresses: outputs.gateway.v1.GatewaySpecAddressesPatch[]; - allowedListeners: outputs.gateway.v1.GatewaySpecAllowedListenersPatch; - /** - * DefaultScope, when set, configures the Gateway as a default Gateway, - * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) - * attached to it, according to the scope configured here. - * - * If unset (the default) or set to None, the Gateway will not act as a - * default Gateway; if set, the Gateway will claim any Route with a - * matching scope set in its UseDefaultGateway field, subject to the usual - * rules about which routes the Gateway can attach to. - * - * Think carefully before using this functionality! While the normal rules - * about which Route can apply are still enforced, it is simply easier for - * the wrong Route to be accidentally attached to this Gateway in this - * configuration. If the Gateway operator is not also the operator in - * control of the scope (e.g. namespace) with tight controls and checks on - * what kind of workloads and Routes get added in that scope, we strongly - * recommend not using this just because it seems convenient, and instead - * stick to direct Route attachment. - */ - defaultScope: string; /** * GatewayClassName used for this Gateway. This is the name of a * GatewayClass resource. 
@@ -27346,7 +19311,6 @@ export declare namespace gateway { * logical endpoints that are bound on this Gateway's addresses. * At least one Listener MUST be specified. * - * ## Distinct Listeners * * Each Listener in a set of Listeners (for example, in a single Gateway) * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to 
@@ -27355,107 +19319,97 @@ export declare namespace gateway { * from multiple Gateways onto a single data plane, and these rules _also_ * apply in that case). * + * * Practically, this means that each listener in a set MUST have a unique * combination of Port, Protocol, and, if supported by the protocol, Hostname. * - * Some combinations of port, protocol, and TLS settings are considered - * Core support and MUST be supported by implementations based on the objects - * they support: * - * HTTPRoute + * Some combinations of port, protocol, and TLS settings are considered + * Core support and MUST be supported by implementations based on their + * targeted conformance profile: + * + * + * HTTP Profile + * * * 1. HTTPRoute, Port: 80, Protocol: HTTP * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided * - * TLSRoute + * + * TLS Profile + * * * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough * + * * "Distinct" Listeners have the following property: * - * **The implementation can match inbound requests to a single distinct - * Listener**. * - * When multiple Listeners share values for fields (for + * The implementation can match inbound requests to a single distinct + * Listener. When multiple Listeners share values for fields (for * example, two Listeners with the same Port value), the implementation * can match requests to only one of the Listeners using other * Listener fields. * - * When multiple listeners have the same value for the Protocol field, then - * each of the Listeners with matching Protocol values MUST have different - * values for other fields. * - * The set of fields that MUST be different for a Listener differs per protocol. - * The following rules define the rules for what fields MUST be considered for - * Listeners to be distinct with each protocol currently defined in the - * Gateway API spec. 
+ * For example, the following Listener scenarios are distinct: * - * The set of listeners that all share a protocol value MUST have _different_ - * values for _at least one_ of these fields to be distinct: * - * * **HTTP, HTTPS, TLS**: Port, Hostname - * * **TCP, UDP**: Port + * 1. Multiple Listeners with the same Port that all use the "HTTP" + * Protocol that all have unique Hostname values. + * 2. Multiple Listeners with the same Port that use either the "HTTPS" or + * "TLS" Protocol that all have unique Hostname values. + * 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + * with the same Protocol has the same Port value. * - * One **very** important rule to call out involves what happens when an - * implementation: * - * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - * Listeners, and - * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - * Protocol. + * Some fields in the Listener struct have possible values that affect + * whether the Listener is distinct. Hostname is particularly relevant + * for HTTP or HTTPS protocols. * - * In this case all the Listeners that share a port with the - * TCP Listener are not distinct and so MUST NOT be accepted. * - * If an implementation does not support TCP Protocol Listeners, then the - * previous rule does not apply, and the TCP Listeners SHOULD NOT be - * accepted. + * When using the Hostname value to select between same-Port, same-Protocol + * Listeners, the Hostname value must be different on each Listener for the + * Listener to be distinct. * - * Note that the `tls` field is not used for determining if a listener is distinct, because - * Listeners that _only_ differ on TLS config will still conflict in all cases. 
* - * ### Listeners that are distinct only by Hostname - * - * When the Listeners are distinct based only on Hostname, inbound request + * When the Listeners are distinct based on Hostname, inbound request * hostnames MUST match from the most specific to least specific Hostname * values to choose the correct Listener and its associated set of Routes. * - * Exact matches MUST be processed before wildcard matches, and wildcard - * matches MUST be processed before fallback (empty Hostname value) + * + * Exact matches must be processed before wildcard matches, and wildcard + * matches must be processed before fallback (empty Hostname value) * matches. For example, `"foo.example.com"` takes precedence over * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. * + * * Additionally, if there are multiple wildcard entries, more specific * wildcard entries must be processed before less specific wildcard entries. * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. - * * The precise definition here is that the higher the number of dots in the * hostname to the right of the wildcard character, the higher the precedence. * + * * The wildcard character will match any number of characters _and dots_ to * the left, however, so `"*.example.com"` will match both * `"foo.bar.example.com"` _and_ `"bar.example.com"`. * - * ## Handling indistinct Listeners * * If a set of Listeners contains Listeners that are not distinct, then those - * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + * Listeners are Conflicted, and the implementation MUST set the "Conflicted" * condition in the Listener Status to "True". * - * The words "indistinct" and "conflicted" are considered equivalent for the - * purpose of this documentation. * * Implementations MAY choose to accept a Gateway with some Conflicted * Listeners only if they only accept the partial Listener set that contains - * no Conflicted Listeners. 
+ * no Conflicted Listeners. To put this another way, implementations may + * accept a partial Listener set only if they throw out *all* the conflicting + * Listeners. No picking one of the conflicting listeners as the winner. + * This also means that the Gateway must have at least one non-conflicting + * Listener in this case, otherwise it violates the requirement that at + * least one Listener must be present. * - * Specifically, an implementation MAY accept a partial Listener set subject to - * the following rules: - * - * * The implementation MUST NOT pick one conflicting Listener as the winner. - * ALL indistinct Listeners must not be accepted for processing. - * * At least one distinct Listener MUST be present, or else the Gateway effectively - * contains _no_ Listeners, and must be rejected from processing as a whole. * * The implementation MUST set a "ListenersNotValid" condition on the * Gateway Status when the Gateway contains Conflicted Listeners whether or 
@@ -27464,634 +19418,41 @@ export declare namespace gateway { * Accepted. Additionally, the Listener status for those listeners SHOULD * indicate which Listeners are conflicted and not Accepted. * - * ## General Listener behavior * - * Note that, for all distinct Listeners, requests SHOULD match at most one Listener. - * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - * request to "foo.example.com" SHOULD only be routed using routes attached - * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * A Gateway's Listeners are considered "compatible" if: * - * This concept is known as "Listener Isolation", and it is an Extended feature - * of Gateway API. Implementations that do not support Listener Isolation MUST - * clearly document this, and MUST NOT claim support for the - * `GatewayHTTPListenerIsolation` feature. - * - * Implementations that _do_ support Listener Isolation SHOULD claim support - * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - * conformance tests. - * - * ## Compatible Listeners - * - * A Gateway's Listeners are considered _compatible_ if: * * 1. They are distinct. * 2. The implementation can serve them in compliance with the Addresses * requirement that all Listeners are available on all assigned * addresses. * + * * Compatible combinations in Extended support are expected to vary across * implementations. A combination that is compatible for one implementation * may not be compatible for another. * + * * For example, an implementation that cannot serve both TCP and UDP listeners * on the same address, or cannot mix HTTPS and generic TLS listens on the same port * would not consider those cases compatible, even though they are distinct. * + * + * Note that requests SHOULD match at most one Listener. 
For example, if + * Listeners are defined for "foo.example.com" and "*.example.com", a + * request to "foo.example.com" SHOULD only be routed using routes attached + * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * This concept is known as "Listener Isolation". Implementations that do + * not support Listener Isolation MUST clearly document this. + * + * * Implementations MAY merge separate Gateways onto a single set of * Addresses if all Listeners across all Gateways are compatible. * - * In a future release the MinItems=1 requirement MAY be dropped. * * Support: Core */ listeners: outputs.gateway.v1.GatewaySpecListenersPatch[]; - tls: outputs.gateway.v1.GatewaySpecTlsPatch; - } - /** - * TLS specifies frontend and backend tls configuration for entire gateway. - * - * Support: Extended - */ - interface GatewaySpecTls { - backend: outputs.gateway.v1.GatewaySpecTlsBackend; - frontend: outputs.gateway.v1.GatewaySpecTlsFrontend; - } - /** - * Backend describes TLS configuration for gateway when connecting - * to backends. - * - * Note that this contains only details for the Gateway as a TLS client, - * and does _not_ imply behavior about how to choose which backend should - * get a TLS connection. That is determined by the presence of a BackendTLSPolicy. - * - * Support: Core - */ - interface GatewaySpecTlsBackend { - clientCertificateRef: outputs.gateway.v1.GatewaySpecTlsBackendClientCertificateRef; - } - /** - * ClientCertificateRef is a reference to an object that contains a Client - * Certificate and the associated private key. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. 
- * - * ClientCertificateRef can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - */ - interface GatewaySpecTlsBackendClientCertificateRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - /** - * ClientCertificateRef is a reference to an object that contains a Client - * Certificate and the associated private key. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * ClientCertificateRef can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - */ - interface GatewaySpecTlsBackendClientCertificateRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind: string; - /** - * Name is the name of the referent. 
- */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - /** - * Backend describes TLS configuration for gateway when connecting - * to backends. - * - * Note that this contains only details for the Gateway as a TLS client, - * and does _not_ imply behavior about how to choose which backend should - * get a TLS connection. That is determined by the presence of a BackendTLSPolicy. - * - * Support: Core - */ - interface GatewaySpecTlsBackendPatch { - clientCertificateRef: outputs.gateway.v1.GatewaySpecTlsBackendClientCertificateRefPatch; - } - /** - * Frontend describes TLS config when client connects to Gateway. - * Support: Core - */ - interface GatewaySpecTlsFrontend { - default: outputs.gateway.v1.GatewaySpecTlsFrontendDefault; - /** - * PerPort specifies tls configuration assigned per port. - * Per port configuration is optional. Once set this configuration overrides - * the default configuration for all Listeners handling HTTPS traffic - * that match this port. - * Each override port requires a unique TLS configuration. - * - * support: Core - */ - perPort: outputs.gateway.v1.GatewaySpecTlsFrontendPerPort[]; - } - /** - * Default specifies the default client certificate validation configuration - * for all Listeners handling HTTPS traffic, unless a per-port configuration - * is defined. 
- * - * support: Core - */ - interface GatewaySpecTlsFrontendDefault { - validation: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidation; - } - /** - * Default specifies the default client certificate validation configuration - * for all Listeners handling HTTPS traffic, unless a per-port configuration - * is defined. - * - * support: Core - */ - interface GatewaySpecTlsFrontendDefaultPatch { - validation: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationPatch; - } - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendDefaultValidation { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. 
If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs[]; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode: string; - } - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. 
When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. 
- * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendDefaultValidationPatch { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch[]; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. 
- * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode: string; - } - /** - * Frontend describes TLS config when client connects to Gateway. - * Support: Core - */ - interface GatewaySpecTlsFrontendPatch { - default: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultPatch; - /** - * PerPort specifies tls configuration assigned per port. - * Per port configuration is optional. Once set this configuration overrides - * the default configuration for all Listeners handling HTTPS traffic - * that match this port. - * Each override port requires a unique TLS configuration. - * - * support: Core - */ - perPort: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortPatch[]; - } - interface GatewaySpecTlsFrontendPerPort { - /** - * The Port indicates the Port Number to which the TLS configuration will be - * applied. This configuration will be applied to all Listeners handling HTTPS - * traffic that match this port. - * - * Support: Core - */ - port: number; - tls: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTls; - } - interface GatewaySpecTlsFrontendPerPortPatch { - /** - * The Port indicates the Port Number to which the TLS configuration will be - * applied. This configuration will be applied to all Listeners handling HTTPS - * traffic that match this port. - * - * Support: Core - */ - port: number; - tls: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsPatch; - } - /** - * TLS store the configuration that will be applied to all Listeners handling - * HTTPS traffic and matching given port. 
- * - * Support: Core - */ - interface GatewaySpecTlsFrontendPerPortTls { - validation: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidation; - } - /** - * TLS store the configuration that will be applied to all Listeners handling - * HTTPS traffic and matching given port. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendPerPortTlsPatch { - validation: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationPatch; - } - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendPerPortTlsValidation { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. 
If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs[]; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode: string; - } - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. 
When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. 
- * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendPerPortTlsValidationPatch { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch[]; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. 
- * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode: string; - } - /** - * TLS specifies frontend and backend tls configuration for entire gateway. - * - * Support: Extended - */ - interface GatewaySpecTlsPatch { - backend: outputs.gateway.v1.GatewaySpecTlsBackendPatch; - frontend: outputs.gateway.v1.GatewaySpecTlsFrontendPatch; } /** * Status defines the current state of Gateway. @@ -28101,9 +19462,11 @@ export declare namespace gateway { * Addresses lists the network addresses that have been bound to the * Gateway. * + * * This list may differ from the addresses provided in the spec under some * conditions: * + * * * no addresses are specified, all addresses are dynamically assigned * * a combination of specified and dynamic addresses are assigned * * a specified address was unusable (e.g. already in use) @@ -28112,13 +19475,16 @@ export declare namespace gateway { /** * Conditions describe the current conditions of the Gateway. * + * * Implementations should prefer to express Gateway conditions * using the `GatewayConditionType` and `GatewayConditionReason` * constants so that operators and tools can converge on a common * vocabulary to describe Gateway state. * + * * Known condition types are: * + * * * "Accepted" * * "Programmed" * * "Ready" @@ -28141,6 +19507,7 @@ export declare namespace gateway { * Value of the address. The validity of the values will depend * on the type and support by the controller. * + * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value: string; 
@@ -28157,12 +19524,29 @@ export declare namespace gateway { * Value of the address. The validity of the values will depend * on the type and support by the controller. * + * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayStatusConditions { /** 
@@ -28195,11 +19579,31 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayStatusConditionsPatch { /** @@ -28232,6 +19636,10 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -28243,6 +19651,7 @@ export declare namespace gateway { * AttachedRoutes represents the total number of Routes that have been * successfully attached to this Listener. * + * * Successful attachment of a Route to a Listener is based solely on the * combination of the AllowedRoutes field on the corresponding Listener * and the Route's ParentRefs field. A Route is successfully attached to 
@@ -28255,6 +19664,7 @@ export declare namespace gateway { * for Listeners with condition Accepted: false and MUST count successfully * attached Routes that may themselves have Accepted: false conditions. * + * * Uses for this field include troubleshooting Route attachment and * measuring blast radius/impact of changes to a Listener. */ @@ -28272,6 +19682,7 @@ export declare namespace gateway { * listener. This MUST represent the kinds an implementation supports for * that Listener configuration. * + * * If kinds are specified in Spec that are not supported, they MUST NOT * appear in this list and an implementation MUST set the "ResolvedRefs" * condition to "False" with the "InvalidRouteKinds" reason. If both valid @@ -28282,6 +19693,22 @@ export declare namespace gateway { } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayStatusListenersConditions { /** 
@@ -28314,11 +19741,31 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayStatusListenersConditionsPatch { /** @@ -28351,6 +19798,10 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } 
@@ -28362,6 +19813,7 @@ export declare namespace gateway { * AttachedRoutes represents the total number of Routes that have been * successfully attached to this Listener. * + * * Successful attachment of a Route to a Listener is based solely on the * combination of the AllowedRoutes field on the corresponding Listener * and the Route's ParentRefs field. A Route is successfully attached to @@ -28374,6 +19826,7 @@ export declare namespace gateway { * for Listeners with condition Accepted: false and MUST count successfully * attached Routes that may themselves have Accepted: false conditions. * + * * Uses for this field include troubleshooting Route attachment and * measuring blast radius/impact of changes to a Listener. */ @@ -28391,6 +19844,7 @@ export declare namespace gateway { * listener. This MUST represent the kinds an implementation supports for * that Listener configuration. * + * * If kinds are specified in Spec that are not supported, they MUST NOT * appear in this list and an implementation MUST set the "ResolvedRefs" * condition to "False" with the "InvalidRouteKinds" reason. If both valid @@ -28433,9 +19887,11 @@ export declare namespace gateway { * Addresses lists the network addresses that have been bound to the * Gateway. * + * * This list may differ from the addresses provided in the spec under some * conditions: * + * * * no addresses are specified, all addresses are dynamically assigned * * a combination of specified and dynamic addresses are assigned * * a specified address was unusable (e.g. already in use) @@ -28444,13 +19900,16 @@ export declare namespace gateway { /** * Conditions describe the current conditions of the Gateway. * + * * Implementations should prefer to express Gateway conditions * using the `GatewayConditionType` and `GatewayConditionReason` * constants so that operators and tools can converge on a common * vocabulary to describe Gateway state. * + * * Known condition types are: * + * * * "Accepted" * * "Programmed" * * "Ready" 
@@ -28494,17 +19953,21 @@ export declare namespace gateway { * performing a match and (absent of any applicable header modification * configuration) MUST forward this header unmodified to the backend. * + * * Valid values for Hostnames are determined by RFC 1123 definition of a * hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and HTTPRoute, there * must be at least one intersecting hostname for the HTTPRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches HTTPRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -28515,31 +19978,38 @@ export declare namespace gateway { * all match. On the other hand, `example.com` and `test.example.net` would * not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and HTTPRoute have specified hostnames, any * HTTPRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * HTTPRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and HTTPRoute have specified hostnames, and none * match with the criteria above, then the HTTPRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. * overlapping wildcard matching and exact matching hostnames), precedence must * be given to rules from the HTTPRoute with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * + * * If ties exist across multiple Routes, the matching precedence rules for * HTTPRouteMatches takes over. * + * * Support: Core */ hostnames: string[]; 
@@ -28555,16 +20025,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -28574,8 +20049,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -28583,12 +20060,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -28596,10 +20075,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -28611,33 +20092,21 @@ export declare namespace gateway { * Rules are a list of HTTP matchers, filters and actions. */ rules: outputs.gateway.v1.HTTPRouteSpecRules[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** * ParentReference identifies an API object (usually a Gateway) that can be considered * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -28648,23 +20117,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -28672,6 +20146,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -28679,10 +20154,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -28690,6 +20167,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -28697,6 +20175,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -28706,15 +20185,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -28723,6 +20205,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -28730,6 +20213,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -28737,10 +20221,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -28750,6 +20236,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -28759,12 +20246,15 @@ export declare namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -28775,23 +20265,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; 
@@ -28799,6 +20294,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -28806,10 +20302,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -28817,6 +20315,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -28824,6 +20323,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -28833,15 +20333,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -28850,6 +20353,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -28857,6 +20361,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -28864,10 +20369,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -28877,6 +20384,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -28892,17 +20400,21 @@ export declare namespace gateway { * performing a match and (absent of any applicable header modification * configuration) MUST forward this header unmodified to the backend. * + * * Valid values for Hostnames are determined by RFC 1123 definition of a * hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and HTTPRoute, there * must be at least one intersecting hostname for the HTTPRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches HTTPRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -28913,31 +20425,38 @@ export declare namespace gateway { * all match. On the other hand, `example.com` and `test.example.net` would * not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and HTTPRoute have specified hostnames, any * HTTPRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * HTTPRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and HTTPRoute have specified hostnames, and none * match with the criteria above, then the HTTPRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. * overlapping wildcard matching and exact matching hostnames), precedence must * be given to rules from the HTTPRoute with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * + * * If ties exist across multiple Routes, the matching precedence rules for * HTTPRouteMatches takes over. * + * * Support: Core */ hostnames: string[]; 
@@ -28953,16 +20472,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -28972,8 +20496,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -28981,12 +20507,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -28994,10 +20522,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -29009,21 +20539,6 @@ export declare namespace gateway { * Rules are a list of HTTP matchers, filters and actions. */ rules: outputs.gateway.v1.HTTPRouteSpecRulesPatch[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** * HTTPRouteRule defines semantics for matching an HTTP request based on 
@@ -29035,37 +20550,41 @@ export declare namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive a 500 status code. * + * * See the HTTPBackendRef definition for the rules about what makes a single * HTTPBackendRef invalid. * + * * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive a 500 status code. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic must receive a 500. Implementations may * choose how that 50 percent is determined. * - * When a HTTPBackendRef refers to a Service that has no ready endpoints, - * implementations SHOULD return a 503 for requests to that backend instead. - * If an implementation chooses to do this, all of the above rules for 500 responses - * MUST also apply for responses that return a 503. * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefs[]; 
@@ -29073,38 +20592,46 @@ export declare namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * Wherever possible, implementations SHOULD implement filters in the order * they are specified. * + * * Implementations MAY choose to implement this ordering strictly, rejecting - * any combination or order of filters that cannot be supported. If implementations + * any combination or order of filters that can not be supported. If implementations * choose a strict interpretation of filter ordering, they MUST clearly document * that behavior. * + * * To reject an invalid combination or order of filters, implementations SHOULD * consider the Route Rules with this configuration invalid. If all Route Rules * in a Route are invalid, the entire Route would be considered invalid. If only * a portion of Route Rules are invalid, implementations MUST set the * "PartiallyInvalid" condition for the Route. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * + * * All filters are expected to be compatible with each other except for the * URLRewrite and RequestRedirect filters, which may not be combined. If an - * implementation cannot support other combinations of filters, they must clearly + * implementation can not support other combinations of filters, they must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. 
* + * * Support: Core */ filters: outputs.gateway.v1.HTTPRouteSpecRulesFilters[]; @@ -29113,8 +20640,10 @@ export declare namespace gateway { * HTTP requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - path: 
@@ -29126,85 +20655,100 @@ export declare namespace gateway { * value: "/v2/foo" * ``` * + * * For a request to match against this rule, a request must satisfy * EITHER of the two conditions: * + * * - path prefixed with `/foo` AND contains the header `version: v2` * - path prefix of `/v2/foo` * + * * See the documentation for HTTPRouteMatch on how to specify multiple * match conditions that should be ANDed together. * + * * If no matches are specified, the default is a prefix * path match on "/", which has the effect of matching every * HTTP request. * + * * Proxy or Load Balancer routing configuration generated from HTTPRoutes * MUST prioritize matches based on the following criteria, continuing on * ties. Across all rules specified on applicable Routes, precedence must be * given to the match having: * + * * * "Exact" path match. * * "Prefix" path match with largest number of characters. * * Method match. * * Largest number of header matches. * * Largest number of query param matches. * + * * Note: The precedence of RegularExpression path matches are implementation-specific. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within an HTTPRoute, matching precedence MUST be granted * to the FIRST matching rule (in list order) with a match meeting the above * criteria. * + * * When no rules matching a request have been successfully attached to the * parent a request is coming from, a HTTP 404 status code MUST be returned. */ matches: outputs.gateway.v1.HTTPRouteSpecRulesMatches[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
- * - * Support: Extended - */ - name: string; - retry: outputs.gateway.v1.HTTPRouteSpecRulesRetry; sessionPersistence: outputs.gateway.v1.HTTPRouteSpecRulesSessionPersistence; timeouts: outputs.gateway.v1.HTTPRouteSpecRulesTimeouts; } /** * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ interface HTTPRouteSpecRulesBackendRefs { /** * Filters defined at this level should be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in HTTPRouteRule.) */ 
@@ -29218,16 +20762,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -29239,11 +20787,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -29263,11 +20813,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -29281,9 +20833,7 @@ export declare namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ interface HTTPRouteSpecRulesBackendRefsFilters { - cors: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersCors; extensionRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRef; - externalAuth: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuth; requestHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier; requestMirror: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirror; requestRedirect: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect; @@ -29292,14 +20842,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple 
@@ -29308,16 +20861,20 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -29325,424 +20882,16 @@ export declare namespace gateway { type: string; urlRewrite: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite; } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesBackendRefsFiltersCors { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). - * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials: boolean; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. 
- * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders: string[]; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. 
- * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods: string[]; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. 
- * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). - * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins: string[]; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. 
- * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders: string[]; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge: number; - } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesBackendRefsFiltersCorsPatch { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). 
- * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials: boolean; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. 
A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders: string[]; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. - * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. 
If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods: string[]; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. - * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). 
- * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins: string[]; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. - * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. 
- * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders: string[]; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge: number; - } /** * ExtensionRef is an optional, implementation-specific extension to the * "filter" behavior. For example, resource "myroutefilter" in group * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRef { @@ -29766,8 +20915,10 @@ export declare namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch { 
@@ -29785,400 +20936,6 @@ export declare namespace gateway { */ name: string; } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuth { - backendRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef; - forwardBody: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody; - grpc: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc; - http: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol: string; - } - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. 
- */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port: number; - } - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. 
- * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. 
- */ - port: number; - } - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize: number; - } - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. 
- * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize: number; - } - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders: string[]; - } - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders: string[]; - } - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. 
- * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders: string[]; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders: string[]; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. 
- */ - path: string; - } - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders: string[]; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders: string[]; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. 
- * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path: string; - } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch { - backendRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch; - forwardBody: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch; - grpc: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch; - http: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol: string; - } /** * HTTPRouteFilter defines processing steps that must be completed during the * request or response lifecycle. HTTPRouteFilters are meant as an extension 
@@ -30188,9 +20945,7 @@ export declare namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ interface HTTPRouteSpecRulesBackendRefsFiltersPatch { - cors: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersCorsPatch; extensionRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch; - externalAuth: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch; requestHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch; requestMirror: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch; requestRedirect: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch; @@ -30199,14 +20954,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple 
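Review bot: The new side of `HTTPRouteSpecRulesBackendRefsFiltersPatch` in the `-30188,9` hunk no longer declares `cors` or `externalAuth`, and the hunk before it deletes every `…FiltersExternalAuth*` interface, so a backendRef filter of the ExternalAuth type can no longer be read or expressed through these typings. The removed doc comment says that filter MUST fail closed, so dropping it is an access-control-relevant API change that deserves an explicit migration note rather than a silent removal. The added blank `*` lines and the `case insensitive` wording look like output regenerated from an older Gateway API CRD bundle, though that is inferred from the text; it should be confirmed as intended and checked against the CRDs installed in the target clusters. I would record the source bundle beside the declarations, e.g. `// generated from Gateway API CRDs <version>`. The same applies to the `fraction`/`percent` removal in `HTTPRouteSpecRulesBackendRefsFiltersRequestMirror` further down; the interface body here continues outside the hunk.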
@@ -30215,16 +20973,20 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -30236,6 +20998,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier { @@ -30244,15 +21007,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -30264,15 +21030,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar 
@@ -30282,15 +21051,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -30303,7 +21075,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -30323,7 +21096,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -30341,6 +21115,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch { @@ -30349,15 +21124,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz 
@@ -30369,15 +21147,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -30387,15 +21168,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -30408,7 +21192,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -30428,7 +21213,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -30447,48 +21233,46 @@ export declare namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirror { backendRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef; - fraction: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef { @@ -30501,16 +21285,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -30522,11 +21310,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -30542,26 +21332,32 @@ export declare namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch { @@ -30574,16 +21370,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; 
@@ -30595,11 +21395,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -30612,56 +21414,27 @@ export declare namespace gateway { */ port: number; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction { - denominator: number; - numerator: number; - } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch { - denominator: number; - numerator: number; - } /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch { backendRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch; - fraction: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect { 
@@ -30670,6 +21443,7 @@ export declare namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname: string; @@ -30678,9 +21452,11 @@ export declare namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -30688,14 +21464,17 @@ export declare namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port: number; 
@@ -30703,29 +21482,36 @@ export declare namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme: string; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode: number; @@ -30734,6 +21520,7 @@ export declare namespace gateway { * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch { @@ -30742,6 +21529,7 @@ export declare namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname: string; 
@@ -30750,9 +21538,11 @@ export declare namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -30760,14 +21550,17 @@ export declare namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port: number; 
@@ -30775,29 +21568,36 @@ export declare namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme: string; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode: number; @@ -30807,6 +21607,7 @@ export declare namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath { 
@@ -30821,26 +21622,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -30852,6 +21670,7 @@ export declare namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch { 
@@ -30866,26 +21685,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -30896,6 +21732,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier { 
@@ -30904,15 +21741,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -30924,15 +21764,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -30942,15 +21785,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -30963,7 +21809,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -30983,7 +21830,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -31001,6 +21849,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch { @@ -31009,15 +21858,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -31029,15 +21881,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -31047,15 +21902,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -31068,7 +21926,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -31088,7 +21947,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -31105,6 +21965,7 @@ export declare namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite { @@ -31112,6 +21973,7 @@ export declare namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname: string; @@ -31120,6 +21982,7 @@ export declare namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch { @@ -31127,6 +21990,7 @@ export declare namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname: string; 
@@ -31135,6 +21999,7 @@ export declare namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath { @@ -31149,26 +22014,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -31178,6 +22060,7 @@ export declare namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch { @@ -31192,26 +22075,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -31221,31 +22121,42 @@ export declare namespace gateway { /** * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ interface HTTPRouteSpecRulesBackendRefsPatch { /** * Filters defined at this level should be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in HTTPRouteRule.) */ 
@@ -31259,16 +22170,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -31280,11 +22195,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -31304,11 +22221,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -31322,9 +22241,7 @@ export declare namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ interface HTTPRouteSpecRulesFilters { - cors: outputs.gateway.v1.HTTPRouteSpecRulesFiltersCors; extensionRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExtensionRef; - externalAuth: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuth; requestHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifier; requestMirror: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirror; requestRedirect: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirect; @@ -31333,14 +22250,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple 
@@ -31349,16 +22269,20 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -31366,424 +22290,16 @@ export declare namespace gateway { type: string; urlRewrite: outputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewrite; } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesFiltersCors { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). - * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials: boolean; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. 
- * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders: string[]; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. 
- * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods: string[]; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. 
- * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). - * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins: string[]; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. 
- * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders: string[]; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge: number; - } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesFiltersCorsPatch { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). 
- * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials: boolean; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. 
A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders: string[]; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. - * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. 
If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods: string[]; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. - * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). 
- * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins: string[]; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. - * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. 
- * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders: string[]; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge: number; - } /** * ExtensionRef is an optional, implementation-specific extension to the * "filter" behavior. For example, resource "myroutefilter" in group * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ interface HTTPRouteSpecRulesFiltersExtensionRef { @@ -31807,8 +22323,10 @@ export declare namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ interface HTTPRouteSpecRulesFiltersExtensionRefPatch { 
@@ -31826,400 +22344,6 @@ export declare namespace gateway { */ name: string; } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesFiltersExternalAuth { - backendRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthBackendRef; - forwardBody: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthForwardBody; - grpc: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthGrpc; - http: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthHttp; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol: string; - } - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthBackendRef { - /** - * Group is the group of the referent. 
For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port: number; - } - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. 
- */ - interface HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port: number; - } - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. 
- * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - interface HTTPRouteSpecRulesFiltersExternalAuthForwardBody { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize: number; - } - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - interface HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. 
- * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize: number; - } - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthGrpc { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders: string[]; - } - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders: string[]; - } - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthHttp { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. 
- * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders: string[]; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders: string[]; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path: string; - } - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. 
- */ - interface HTTPRouteSpecRulesFiltersExternalAuthHttpPatch { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders: string[]; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders: string[]; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path: string; - } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. 
The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesFiltersExternalAuthPatch { - backendRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch; - forwardBody: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch; - grpc: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch; - http: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthHttpPatch; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol: string; - } /** * HTTPRouteFilter defines processing steps that must be completed during the * request or response lifecycle. HTTPRouteFilters are meant as an extension 
@@ -32229,9 +22353,7 @@ export declare namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ interface HTTPRouteSpecRulesFiltersPatch { - cors: outputs.gateway.v1.HTTPRouteSpecRulesFiltersCorsPatch; extensionRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExtensionRefPatch; - externalAuth: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthPatch; requestHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch; requestMirror: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorPatch; requestRedirect: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirectPatch; @@ -32240,14 +22362,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple 
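Review bot: The regenerated `HTTPRouteSpecRulesFiltersPatch` in the `@@ -32229,9 +22353,7 @@` hunk no longer declares `cors` or `externalAuth`, and the removed lines just before it delete the `HTTPRouteSpecRulesFiltersExternalAuth*Patch` output types. Code that reads those fields will stop type-checking. This looks like the result of generating against an older Gateway API CRD set rather than a deliberate removal (inferred, since the CRD input is not visible here). The `@@ -32488,48 +22641,46 @@` hunk shows the same pattern, dropping `fraction` and `percent` from `HTTPRouteSpecRulesFiltersRequestMirror`. Because the file is generated, the fix belongs in the generator input: confirm the CRD version and that no route depends on the external-auth filter, and if the downgrade is intended, record it in the changelog, e.g. `- Breaking: gateway.v1 HTTPRoute filters drop cors, externalAuth and requestMirror fraction/percent`.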
@@ -32256,16 +22381,20 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -32277,6 +22406,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface HTTPRouteSpecRulesFiltersRequestHeaderModifier { @@ -32285,15 +22415,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -32305,15 +22438,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar 
@@ -32323,15 +22459,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -32344,7 +22483,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -32364,7 +22504,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -32382,6 +22523,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch { @@ -32390,15 +22532,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz 
@@ -32410,15 +22555,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -32428,15 +22576,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -32449,7 +22600,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -32469,7 +22621,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -32488,48 +22641,46 @@ export declare namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersRequestMirror { backendRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRef; - fraction: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorFraction; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRef { @@ -32542,16 +22693,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -32563,11 +22718,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -32583,26 +22740,32 @@ export declare namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch { @@ -32615,16 +22778,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; 
@@ -32636,11 +22803,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -32653,56 +22822,27 @@ export declare namespace gateway { */ port: number; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface HTTPRouteSpecRulesFiltersRequestMirrorFraction { - denominator: number; - numerator: number; - } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch { - denominator: number; - numerator: number; - } /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersRequestMirrorPatch { backendRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch; - fraction: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ interface HTTPRouteSpecRulesFiltersRequestRedirect { 
@@ -32711,6 +22851,7 @@ export declare namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname: string; @@ -32719,9 +22860,11 @@ export declare namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -32729,14 +22872,17 @@ export declare namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port: number; 
@@ -32744,29 +22890,36 @@ export declare namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme: string; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode: number; @@ -32775,6 +22928,7 @@ export declare namespace gateway { * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ interface HTTPRouteSpecRulesFiltersRequestRedirectPatch { @@ -32783,6 +22937,7 @@ export declare namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname: string; 
@@ -32791,9 +22946,11 @@ export declare namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -32801,14 +22958,17 @@ export declare namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port: number; 
@@ -32816,29 +22976,36 @@ export declare namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme: string; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode: number; @@ -32848,6 +23015,7 @@ export declare namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersRequestRedirectPath { 
@@ -32862,26 +23030,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -32893,6 +23078,7 @@ export declare namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersRequestRedirectPathPatch { 
@@ -32907,26 +23093,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -32937,6 +23140,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersResponseHeaderModifier { 
@@ -32945,15 +23149,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -32965,15 +23172,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -32983,15 +23193,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -33004,7 +23217,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -33024,7 +23238,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -33042,6 +23257,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch { @@ -33050,15 +23266,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -33070,15 +23289,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -33088,15 +23310,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -33109,7 +23334,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -33129,7 +23355,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -33146,6 +23373,7 @@ export declare namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersUrlRewrite { @@ -33153,6 +23381,7 @@ export declare namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname: string; @@ -33161,6 +23390,7 @@ export declare namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersUrlRewritePatch { @@ -33168,6 +23398,7 @@ export declare namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname: string; 
@@ -33176,6 +23407,7 @@ export declare namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersUrlRewritePath { @@ -33190,26 +23422,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -33219,6 +23468,7 @@ export declare namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersUrlRewritePathPatch { @@ -33233,26 +23483,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -33264,18 +23531,22 @@ export declare namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a HTTP request only if its path * starts with `/foo` AND it contains the `version: v1` header: * + * * ``` * match: * + * * path: * value: "/foo" * headers: * - name: "version" * value "v1" * + * * ``` */ interface HTTPRouteSpecRulesMatches { @@ -33290,6 +23561,7 @@ export declare namespace gateway { * When specified, this route will be matched only if the request has the * specified method. * + * * Support: Extended */ method: string; @@ -33299,6 +23571,7 @@ export declare namespace gateway { * values are ANDed together, meaning, a request must match all the * specified query parameters to select the route. * + * * Support: Extended */ queryParams: outputs.gateway.v1.HTTPRouteSpecRulesMatchesQueryParams[]; @@ -33310,7 +23583,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesMatchesHeaders { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent @@ -33318,6 +23592,7 @@ export declare namespace gateway { * case-insensitivity of header names, "foo" and "Foo" are considered * equivalent. * + * * When a header is repeated in an HTTP request, it is * implementation-specific behavior as to how this is represented. * Generally, proxies should follow the guidance from the RFC: 
@@ -33328,10 +23603,13 @@ export declare namespace gateway { /** * Type specifies how to match against the value of the header. * + * * Support: Core (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression HeaderMatchType has implementation-specific * conformance, implementations can support POSIX, PCRE or any other dialects * of regular expressions. Please read the implementation's documentation to @@ -33350,7 +23628,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesMatchesHeadersPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent @@ -33358,6 +23637,7 @@ export declare namespace gateway { * case-insensitivity of header names, "foo" and "Foo" are considered * equivalent. * + * * When a header is repeated in an HTTP request, it is * implementation-specific behavior as to how this is represented. * Generally, proxies should follow the guidance from the RFC: @@ -33368,10 +23648,13 @@ export declare namespace gateway { /** * Type specifies how to match against the value of the header. * + * * Support: Core (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression HeaderMatchType has implementation-specific * conformance, implementations can support POSIX, PCRE or any other dialects * of regular expressions. Please read the implementation's documentation to 
@@ -33388,18 +23671,22 @@ export declare namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a HTTP request only if its path * starts with `/foo` AND it contains the `version: v1` header: * + * * ``` * match: * + * * path: * value: "/foo" * headers: * - name: "version" * value "v1" * + * * ``` */ interface HTTPRouteSpecRulesMatchesPatch { @@ -33414,6 +23701,7 @@ export declare namespace gateway { * When specified, this route will be matched only if the request has the * specified method. * + * * Support: Extended */ method: string; @@ -33423,6 +23711,7 @@ export declare namespace gateway { * values are ANDed together, meaning, a request must match all the * specified query parameters to select the route. * + * * Support: Extended */ queryParams: outputs.gateway.v1.HTTPRouteSpecRulesMatchesQueryParamsPatch[]; @@ -33435,8 +23724,10 @@ export declare namespace gateway { /** * Type specifies how to match against the path Value. * + * * Support: Core (Exact, PathPrefix) * + * * Support: Implementation-specific (RegularExpression) */ type: string; @@ -33453,8 +23744,10 @@ export declare namespace gateway { /** * Type specifies how to match against the path Value. * + * * Support: Core (Exact, PathPrefix) * + * * Support: Implementation-specific (RegularExpression) */ type: string; 
@@ -33473,10 +23766,12 @@ export declare namespace gateway { * exact string match. (See * https://tools.ietf.org/html/rfc7230#section-2.7.3). * + * * If multiple entries specify equivalent query param names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent query param name MUST be ignored. * + * * If a query param is repeated in an HTTP request, the behavior is * purposely left undefined, since different data planes have different * capabilities. However, it is *recommended* that implementations should @@ -33484,6 +23779,7 @@ export declare namespace gateway { * as this behavior is expected in other load balancing contexts outside of * the Gateway API. * + * * Users SHOULD NOT route traffic based on repeated query params to guard * themselves against potential differences in the implementations. */ @@ -33491,10 +23787,13 @@ export declare namespace gateway { /** * Type specifies how to match against the value of the query parameter. * + * * Support: Extended (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression QueryParamMatchType has Implementation-specific * conformance, implementations can support POSIX, PCRE or any other * dialects of regular expressions. Please read the implementation's @@ -33516,10 +23815,12 @@ export declare namespace gateway { * exact string match. (See * https://tools.ietf.org/html/rfc7230#section-2.7.3). * + * * If multiple entries specify equivalent query param names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent query param name MUST be ignored. * + * * If a query param is repeated in an HTTP request, the behavior is * purposely left undefined, since different data planes have different * capabilities. However, it is *recommended* that implementations should 
@@ -33527,6 +23828,7 @@ export declare namespace gateway { * as this behavior is expected in other load balancing contexts outside of * the Gateway API. * + * * Users SHOULD NOT route traffic based on repeated query params to guard * themselves against potential differences in the implementations. */ @@ -33534,10 +23836,13 @@ export declare namespace gateway { /** * Type specifies how to match against the value of the query parameter. * + * * Support: Extended (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression QueryParamMatchType has Implementation-specific * conformance, implementations can support POSIX, PCRE or any other * dialects of regular expressions. Please read the implementation's 
@@ -33559,37 +23864,41 @@ export declare namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive a 500 status code. * + * * See the HTTPBackendRef definition for the rules about what makes a single * HTTPBackendRef invalid. * + * * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive a 500 status code. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic must receive a 500. Implementations may * choose how that 50 percent is determined. * - * When a HTTPBackendRef refers to a Service that has no ready endpoints, - * implementations SHOULD return a 503 for requests to that backend instead. - * If an implementation chooses to do this, all of the above rules for 500 responses - * MUST also apply for responses that return a 503. * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsPatch[]; 
@@ -33597,38 +23906,46 @@ export declare namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * Wherever possible, implementations SHOULD implement filters in the order * they are specified. * + * * Implementations MAY choose to implement this ordering strictly, rejecting - * any combination or order of filters that cannot be supported. If implementations + * any combination or order of filters that can not be supported. If implementations * choose a strict interpretation of filter ordering, they MUST clearly document * that behavior. * + * * To reject an invalid combination or order of filters, implementations SHOULD * consider the Route Rules with this configuration invalid. If all Route Rules * in a Route are invalid, the entire Route would be considered invalid. If only * a portion of Route Rules are invalid, implementations MUST set the * "PartiallyInvalid" condition for the Route. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * + * * All filters are expected to be compatible with each other except for the * URLRewrite and RequestRedirect filters, which may not be combined. If an - * implementation cannot support other combinations of filters, they must clearly + * implementation can not support other combinations of filters, they must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. 
* + * * Support: Core */ filters: outputs.gateway.v1.HTTPRouteSpecRulesFiltersPatch[]; @@ -33637,8 +23954,10 @@ export declare namespace gateway { * HTTP requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - path: 
@@ -33650,193 +23969,66 @@ export declare namespace gateway { * value: "/v2/foo" * ``` * + * * For a request to match against this rule, a request must satisfy * EITHER of the two conditions: * + * * - path prefixed with `/foo` AND contains the header `version: v2` * - path prefix of `/v2/foo` * + * * See the documentation for HTTPRouteMatch on how to specify multiple * match conditions that should be ANDed together. * + * * If no matches are specified, the default is a prefix * path match on "/", which has the effect of matching every * HTTP request. * + * * Proxy or Load Balancer routing configuration generated from HTTPRoutes * MUST prioritize matches based on the following criteria, continuing on * ties. Across all rules specified on applicable Routes, precedence must be * given to the match having: * + * * * "Exact" path match. * * "Prefix" path match with largest number of characters. * * Method match. * * Largest number of header matches. * * Largest number of query param matches. * + * * Note: The precedence of RegularExpression path matches are implementation-specific. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within an HTTPRoute, matching precedence MUST be granted * to the FIRST matching rule (in list order) with a match meeting the above * criteria. * + * * When no rules matching a request have been successfully attached to the * parent a request is coming from, a HTTP 404 status code MUST be returned. */ matches: outputs.gateway.v1.HTTPRouteSpecRulesMatchesPatch[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
- * - * Support: Extended - */ - name: string; - retry: outputs.gateway.v1.HTTPRouteSpecRulesRetryPatch; sessionPersistence: outputs.gateway.v1.HTTPRouteSpecRulesSessionPersistencePatch; timeouts: outputs.gateway.v1.HTTPRouteSpecRulesTimeoutsPatch; } - /** - * Retry defines the configuration for when to retry an HTTP request. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesRetry { - /** - * Attempts specifies the maximum number of times an individual request - * from the gateway to a backend should be retried. - * - * If the maximum number of retries has been attempted without a successful - * response from the backend, the Gateway MUST return an error. - * - * When this field is unspecified, the number of times to attempt to retry - * a backend request is implementation-specific. - * - * Support: Extended - */ - attempts: number; - /** - * Backoff specifies the minimum duration a Gateway should wait between - * retry attempts and is represented in Gateway API Duration formatting. - * - * For example, setting the `rules[].retry.backoff` field to the value - * `100ms` will cause a backend request to first be retried approximately - * 100 milliseconds after timing out or receiving a response code configured - * to be retryable. - * - * An implementation MAY use an exponential or alternative backoff strategy - * for subsequent retry attempts, MAY cap the maximum backoff duration to - * some amount greater than the specified minimum, and MAY add arbitrary - * jitter to stagger requests, as long as unsuccessful backend requests are - * not retried before the configured minimum duration. - * - * If a Request timeout (`rules[].timeouts.request`) is configured on the - * route, the entire duration of the initial request and any retry attempts - * MUST not exceed the Request timeout duration. 
If any retry attempts are - * still in progress when the Request timeout duration has been reached, - * these SHOULD be canceled if possible and the Gateway MUST immediately - * return a timeout error. - * - * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - * configured on the route, any retry attempts which reach the configured - * BackendRequest timeout duration without a response SHOULD be canceled if - * possible and the Gateway should wait for at least the specified backoff - * duration before attempting to retry the backend request again. - * - * If a BackendRequest timeout is _not_ configured on the route, retry - * attempts MAY time out after an implementation default duration, or MAY - * remain pending until a configured Request timeout or implementation - * default duration for total request time is reached. - * - * When this field is unspecified, the time to wait between retry attempts - * is implementation-specific. - * - * Support: Extended - */ - backoff: string; - /** - * Codes defines the HTTP response status codes for which a backend request - * should be retried. - * - * Support: Extended - */ - codes: number[]; - } - /** - * Retry defines the configuration for when to retry an HTTP request. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesRetryPatch { - /** - * Attempts specifies the maximum number of times an individual request - * from the gateway to a backend should be retried. - * - * If the maximum number of retries has been attempted without a successful - * response from the backend, the Gateway MUST return an error. - * - * When this field is unspecified, the number of times to attempt to retry - * a backend request is implementation-specific. - * - * Support: Extended - */ - attempts: number; - /** - * Backoff specifies the minimum duration a Gateway should wait between - * retry attempts and is represented in Gateway API Duration formatting. 
- * - * For example, setting the `rules[].retry.backoff` field to the value - * `100ms` will cause a backend request to first be retried approximately - * 100 milliseconds after timing out or receiving a response code configured - * to be retryable. - * - * An implementation MAY use an exponential or alternative backoff strategy - * for subsequent retry attempts, MAY cap the maximum backoff duration to - * some amount greater than the specified minimum, and MAY add arbitrary - * jitter to stagger requests, as long as unsuccessful backend requests are - * not retried before the configured minimum duration. - * - * If a Request timeout (`rules[].timeouts.request`) is configured on the - * route, the entire duration of the initial request and any retry attempts - * MUST not exceed the Request timeout duration. If any retry attempts are - * still in progress when the Request timeout duration has been reached, - * these SHOULD be canceled if possible and the Gateway MUST immediately - * return a timeout error. - * - * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - * configured on the route, any retry attempts which reach the configured - * BackendRequest timeout duration without a response SHOULD be canceled if - * possible and the Gateway should wait for at least the specified backoff - * duration before attempting to retry the backend request again. - * - * If a BackendRequest timeout is _not_ configured on the route, retry - * attempts MAY time out after an implementation default duration, or MAY - * remain pending until a configured Request timeout or implementation - * default duration for total request time is reached. - * - * When this field is unspecified, the time to wait between retry attempts - * is implementation-specific. - * - * Support: Extended - */ - backoff: string; - /** - * Codes defines the HTTP response status codes for which a backend request - * should be retried. 
- * - * Support: Extended - */ - codes: number[]; - } /** * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ interface HTTPRouteSpecRulesSessionPersistence { @@ -33845,6 +24037,7 @@ export declare namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout: string; @@ -33854,6 +24047,7 @@ export declare namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout: string; @@ -33863,6 +24057,7 @@ export declare namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName: string; @@ -33871,8 +24066,10 @@ export declare namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type: string; @@ -33881,6 +24078,7 @@ export declare namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ interface HTTPRouteSpecRulesSessionPersistenceCookieConfig { @@ -33891,18 +24089,20 @@ export declare namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType: string; 
@@ -33911,6 +24111,7 @@ export declare namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ interface HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch { @@ -33921,18 +24122,20 @@ export declare namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType: string; @@ -33941,6 +24144,7 @@ export declare namespace gateway { * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ interface HTTPRouteSpecRulesSessionPersistencePatch { @@ -33949,6 +24153,7 @@ export declare namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout: string; @@ -33958,6 +24163,7 @@ export declare namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout: string; @@ -33967,6 +24173,7 @@ export declare namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName: string; @@ -33975,8 +24182,10 @@ export declare namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type: string; 
@@ -33984,6 +24193,7 @@ export declare namespace gateway { /** * Timeouts defines the timeouts that can be configured for an HTTP request. * + * * Support: Extended */ interface HTTPRouteSpecRulesTimeouts { @@ -33992,19 +24202,21 @@ export declare namespace gateway { * to a backend. This covers the time from when the request first starts being * sent from the gateway to when the full response has been received from the backend. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * An entire client HTTP transaction with a gateway, covered by the Request timeout, * may result in more than one call from the gateway to the destination backend, * for example, if automatic retries are supported. * - * The value of BackendRequest must be a Gateway API Duration string as defined by - * GEP-2257. When this field is unspecified, its behavior is implementation-specific; - * when specified, the value of BackendRequest must be no more than the value of the - * Request timeout (since the Request timeout encompasses the BackendRequest timeout). + * + * Because the Request timeout encompasses the BackendRequest timeout, the value of + * BackendRequest must be <= the value of Request timeout. + * * * Support: Extended */ 
@@ -34014,22 +24226,26 @@ export declare namespace gateway { * If the gateway has not been able to respond before this deadline is met, the gateway * MUST return a timeout error. * + * * For example, setting the `rules.timeouts.request` field to the value `10s` in an * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds * to complete. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * This timeout is intended to cover as close to the whole request-response transaction * as possible although an implementation MAY choose to start the timeout after the entire * request stream has been received instead of immediately after the transaction is * initiated by the client. * - * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - * field is unspecified, request timeout behavior is implementation-specific. + * + * When this field is unspecified, request timeout behavior is implementation-specific. + * * * Support: Extended */ @@ -34038,6 +24254,7 @@ export declare namespace gateway { /** * Timeouts defines the timeouts that can be configured for an HTTP request. * + * * Support: Extended */ interface HTTPRouteSpecRulesTimeoutsPatch { 
@@ -34046,19 +24263,21 @@ export declare namespace gateway { * to a backend. This covers the time from when the request first starts being * sent from the gateway to when the full response has been received from the backend. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * An entire client HTTP transaction with a gateway, covered by the Request timeout, * may result in more than one call from the gateway to the destination backend, * for example, if automatic retries are supported. * - * The value of BackendRequest must be a Gateway API Duration string as defined by - * GEP-2257. When this field is unspecified, its behavior is implementation-specific; - * when specified, the value of BackendRequest must be no more than the value of the - * Request timeout (since the Request timeout encompasses the BackendRequest timeout). + * + * Because the Request timeout encompasses the BackendRequest timeout, the value of + * BackendRequest must be <= the value of Request timeout. + * * * Support: Extended */ 
@@ -34068,22 +24287,26 @@ export declare namespace gateway { * If the gateway has not been able to respond before this deadline is met, the gateway * MUST return a timeout error. * + * * For example, setting the `rules.timeouts.request` field to the value `10s` in an * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds * to complete. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * This timeout is intended to cover as close to the whole request-response transaction * as possible although an implementation MAY choose to start the timeout after the entire * request stream has been received instead of immediately after the transaction is * initiated by the client. * - * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - * field is unspecified, request timeout behavior is implementation-specific. + * + * When this field is unspecified, request timeout behavior is implementation-specific. + * * * Support: Extended */ @@ -34101,11 +24324,13 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -34121,19 +24346,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -34143,12 +24372,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -34158,6 +24390,22 @@ export declare namespace gateway { } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface HTTPRouteStatusParentsConditions { /** @@ -34190,11 +24438,31 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface HTTPRouteStatusParentsConditionsPatch { /** 
@@ -34227,6 +24495,10 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -34241,23 +24513,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -34265,6 +24542,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -34272,10 +24550,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -34283,6 +24563,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -34290,6 +24571,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -34299,15 +24581,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -34316,6 +24601,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -34323,6 +24609,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -34330,10 +24617,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -34343,6 +24632,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -34358,23 +24648,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -34382,6 +24677,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -34389,10 +24685,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -34400,6 +24698,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -34407,6 +24706,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -34416,15 +24716,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, 
@@ -34433,6 +24736,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -34440,6 +24744,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -34447,10 +24752,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -34460,6 +24767,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; 
@@ -34474,19 +24782,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -34496,12 +24808,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -34521,2224 +24836,4768 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ parents: outputs.gateway.v1.HTTPRouteStatusParentsPatch[]; } } - namespace v1alpha1 { - /** - * XBackendTrafficPolicy defines the configuration for how traffic to a - * target backend should be handled. - */ - interface XBackendTrafficPolicy { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion: "gateway.networking.x-k8s.io/v1alpha1"; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind: "XBackendTrafficPolicy"; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata: outputs.meta.v1.ObjectMeta; - spec: outputs.gateway.v1alpha1.XBackendTrafficPolicySpec; - status: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatus; - } - /** - * Spec defines the desired state of BackendTrafficPolicy. 
- */ - interface XBackendTrafficPolicySpec { - retryConstraint: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraint; - sessionPersistence: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistence; - /** - * TargetRefs identifies API object(s) to apply this policy to. - * Currently, Backends (A grouping of like endpoints such as Service, - * ServiceImport, or any implementation-specific backendRef) are the only - * valid API target references. - * - * Currently, a TargetRef can not be scoped to a specific port on a - * Service. - */ - targetRefs: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecTargetRefs[]; - } - /** - * Spec defines the desired state of BackendTrafficPolicy. - */ - interface XBackendTrafficPolicySpecPatch { - retryConstraint: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintPatch; - sessionPersistence: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistencePatch; - /** - * TargetRefs identifies API object(s) to apply this policy to. - * Currently, Backends (A grouping of like endpoints such as Service, - * ServiceImport, or any implementation-specific backendRef) are the only - * valid API target references. - * - * Currently, a TargetRef can not be scoped to a specific port on a - * Service. - */ - targetRefs: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecTargetRefsPatch[]; - } - /** - * RetryConstraint defines the configuration for when to allow or prevent - * further retries to a target backend, by dynamically calculating a 'retry - * budget'. This budget is calculated based on the percentage of incoming - * traffic composed of retries over a given time interval. Once the budget - * is exceeded, additional retries will be rejected. 
- * - * For example, if the retry budget interval is 10 seconds, there have been - * 1000 active requests in the past 10 seconds, and the allowed percentage - * of requests that can be retried is 20% (the default), then 200 of those - * requests may be composed of retries. Active requests will only be - * considered for the duration of the interval when calculating the retry - * budget. Retrying the same original request multiple times within the - * retry budget interval will lead to each retry being counted towards - * calculating the budget. - * - * Configuring a RetryConstraint in BackendTrafficPolicy is compatible with - * HTTPRoute Retry settings for each HTTPRouteRule that targets the same - * backend. While the HTTPRouteRule Retry stanza can specify whether a - * request will be retried, and the number of retry attempts each client - * may perform, RetryConstraint helps prevent cascading failures such as - * retry storms during periods of consistent failures. - * - * After the retry budget has been exceeded, additional retries to the - * backend MUST return a 503 response to the client. - * - * Additional configurations for defining a constraint on retries MAY be - * defined in the future. - * - * Support: Extended - */ - interface XBackendTrafficPolicySpecRetryConstraint { - budget: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintBudget; - minRetryRate: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintMinRetryRate; - } - /** - * Budget holds the details of the retry budget configuration. - */ - interface XBackendTrafficPolicySpecRetryConstraintBudget { - /** - * Interval defines the duration in which requests will be considered - * for calculating the budget for retries. - * - * Support: Extended - */ - interval: string; - /** - * Percent defines the maximum percentage of active requests that may - * be made up of retries. 
- * - * Support: Extended - */ - percent: number; - } - /** - * Budget holds the details of the retry budget configuration. - */ - interface XBackendTrafficPolicySpecRetryConstraintBudgetPatch { - /** - * Interval defines the duration in which requests will be considered - * for calculating the budget for retries. - * - * Support: Extended - */ - interval: string; - /** - * Percent defines the maximum percentage of active requests that may - * be made up of retries. - * - * Support: Extended - */ - percent: number; - } - /** - * MinRetryRate defines the minimum rate of retries that will be allowable - * over a specified duration of time. - * - * The effective overall minimum rate of retries targeting the backend - * service may be much higher, as there can be any number of clients which - * are applying this setting locally. - * - * This ensures that requests can still be retried during periods of low - * traffic, where the budget for retries may be calculated as a very low - * value. - * - * Support: Extended - */ - interface XBackendTrafficPolicySpecRetryConstraintMinRetryRate { - /** - * Count specifies the number of requests per time interval. - * - * Support: Extended - */ - count: number; - /** - * Interval specifies the divisor of the rate of requests, the amount of - * time during which the given count of requests occur. - * - * Support: Extended - */ - interval: string; - } - /** - * MinRetryRate defines the minimum rate of retries that will be allowable - * over a specified duration of time. - * - * The effective overall minimum rate of retries targeting the backend - * service may be much higher, as there can be any number of clients which - * are applying this setting locally. - * - * This ensures that requests can still be retried during periods of low - * traffic, where the budget for retries may be calculated as a very low - * value. 
- * - * Support: Extended - */ - interface XBackendTrafficPolicySpecRetryConstraintMinRetryRatePatch { - /** - * Count specifies the number of requests per time interval. - * - * Support: Extended - */ - count: number; - /** - * Interval specifies the divisor of the rate of requests, the amount of - * time during which the given count of requests occur. - * - * Support: Extended - */ - interval: string; - } - /** - * RetryConstraint defines the configuration for when to allow or prevent - * further retries to a target backend, by dynamically calculating a 'retry - * budget'. This budget is calculated based on the percentage of incoming - * traffic composed of retries over a given time interval. Once the budget - * is exceeded, additional retries will be rejected. - * - * For example, if the retry budget interval is 10 seconds, there have been - * 1000 active requests in the past 10 seconds, and the allowed percentage - * of requests that can be retried is 20% (the default), then 200 of those - * requests may be composed of retries. Active requests will only be - * considered for the duration of the interval when calculating the retry - * budget. Retrying the same original request multiple times within the - * retry budget interval will lead to each retry being counted towards - * calculating the budget. - * - * Configuring a RetryConstraint in BackendTrafficPolicy is compatible with - * HTTPRoute Retry settings for each HTTPRouteRule that targets the same - * backend. While the HTTPRouteRule Retry stanza can specify whether a - * request will be retried, and the number of retry attempts each client - * may perform, RetryConstraint helps prevent cascading failures such as - * retry storms during periods of consistent failures. - * - * After the retry budget has been exceeded, additional retries to the - * backend MUST return a 503 response to the client. - * - * Additional configurations for defining a constraint on retries MAY be - * defined in the future. 
- * - * Support: Extended - */ - interface XBackendTrafficPolicySpecRetryConstraintPatch { - budget: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintBudgetPatch; - minRetryRate: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintMinRetryRatePatch; - } - /** - * SessionPersistence defines and configures session persistence - * for the backend. - * - * Support: Extended - */ - interface XBackendTrafficPolicySpecSessionPersistence { - /** - * AbsoluteTimeout defines the absolute timeout of the persistent - * session. Once the AbsoluteTimeout duration has elapsed, the - * session becomes invalid. - * - * Support: Extended - */ - absoluteTimeout: string; - cookieConfig: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistenceCookieConfig; - /** - * IdleTimeout defines the idle timeout of the persistent session. - * Once the session has been idle for more than the specified - * IdleTimeout duration, the session becomes invalid. - * - * Support: Extended - */ - idleTimeout: string; - /** - * SessionName defines the name of the persistent session token - * which may be reflected in the cookie or the header. Users - * should avoid reusing session names to prevent unintended - * consequences, such as rejection or unpredictable behavior. - * - * Support: Implementation-specific - */ - sessionName: string; - /** - * Type defines the type of session persistence such as through - * the use a header or cookie. Defaults to cookie based session - * persistence. - * - * Support: Core for "Cookie" type - * - * Support: Extended for "Header" type - */ - type: string; - } - /** - * CookieConfig provides configuration settings that are specific - * to cookie-based session persistence. - * - * Support: Core - */ - interface XBackendTrafficPolicySpecSessionPersistenceCookieConfig { - /** - * LifetimeType specifies whether the cookie has a permanent or - * session-based lifetime. 
A permanent cookie persists until its - * specified expiry time, defined by the Expires or Max-Age cookie - * attributes, while a session cookie is deleted when the current - * session ends. - * - * When set to "Permanent", AbsoluteTimeout indicates the - * cookie's lifetime via the Expires or Max-Age cookie attributes - * and is required. - * - * When set to "Session", AbsoluteTimeout indicates the - * absolute lifetime of the cookie tracked by the gateway and - * is optional. - * - * Defaults to "Session". - * - * Support: Core for "Session" type - * - * Support: Extended for "Permanent" type - */ - lifetimeType: string; - } - /** - * CookieConfig provides configuration settings that are specific - * to cookie-based session persistence. - * - * Support: Core - */ - interface XBackendTrafficPolicySpecSessionPersistenceCookieConfigPatch { - /** - * LifetimeType specifies whether the cookie has a permanent or - * session-based lifetime. A permanent cookie persists until its - * specified expiry time, defined by the Expires or Max-Age cookie - * attributes, while a session cookie is deleted when the current - * session ends. - * - * When set to "Permanent", AbsoluteTimeout indicates the - * cookie's lifetime via the Expires or Max-Age cookie attributes - * and is required. - * - * When set to "Session", AbsoluteTimeout indicates the - * absolute lifetime of the cookie tracked by the gateway and - * is optional. - * - * Defaults to "Session". - * - * Support: Core for "Session" type - * - * Support: Extended for "Permanent" type - */ - lifetimeType: string; - } - /** - * SessionPersistence defines and configures session persistence - * for the backend. - * - * Support: Extended - */ - interface XBackendTrafficPolicySpecSessionPersistencePatch { - /** - * AbsoluteTimeout defines the absolute timeout of the persistent - * session. Once the AbsoluteTimeout duration has elapsed, the - * session becomes invalid. 
- * - * Support: Extended - */ - absoluteTimeout: string; - cookieConfig: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistenceCookieConfigPatch; - /** - * IdleTimeout defines the idle timeout of the persistent session. - * Once the session has been idle for more than the specified - * IdleTimeout duration, the session becomes invalid. - * - * Support: Extended - */ - idleTimeout: string; - /** - * SessionName defines the name of the persistent session token - * which may be reflected in the cookie or the header. Users - * should avoid reusing session names to prevent unintended - * consequences, such as rejection or unpredictable behavior. - * - * Support: Implementation-specific - */ - sessionName: string; - /** - * Type defines the type of session persistence such as through - * the use a header or cookie. Defaults to cookie based session - * persistence. - * - * Support: Core for "Cookie" type - * - * Support: Extended for "Header" type - */ - type: string; - } - /** - * LocalPolicyTargetReference identifies an API object to apply a direct or - * inherited policy to. This should be used as part of Policy resources - * that can target Gateway API resources. For more information on how this - * policy attachment model works, and a sample Policy resource, refer to - * the policy attachment documentation for Gateway API. - */ - interface XBackendTrafficPolicySpecTargetRefs { - /** - * Group is the group of the target resource. - */ - group: string; - /** - * Kind is kind of the target resource. - */ - kind: string; - /** - * Name is the name of the target resource. - */ - name: string; - } - /** - * LocalPolicyTargetReference identifies an API object to apply a direct or - * inherited policy to. This should be used as part of Policy resources - * that can target Gateway API resources. For more information on how this - * policy attachment model works, and a sample Policy resource, refer to - * the policy attachment documentation for Gateway API. 
- */ - interface XBackendTrafficPolicySpecTargetRefsPatch { - /** - * Group is the group of the target resource. - */ - group: string; - /** - * Kind is kind of the target resource. - */ - kind: string; - /** - * Name is the name of the target resource. - */ - name: string; - } - /** - * Status defines the current state of BackendTrafficPolicy. - */ - interface XBackendTrafficPolicyStatus { - /** - * Ancestors is a list of ancestor resources (usually Gateways) that are - * associated with the policy, and the status of the policy with respect to - * each ancestor. When this policy attaches to a parent, the controller that - * manages the parent and the ancestors MUST add an entry to this list when - * the controller first sees the policy and SHOULD update the entry as - * appropriate when the relevant ancestor is modified. - * - * Note that choosing the relevant ancestor is left to the Policy designers; - * an important part of Policy design is designing the right object level at - * which to namespace this status. - * - * Note also that implementations MUST ONLY populate ancestor status for - * the Ancestor resources they are responsible for. Implementations MUST - * use the ControllerName field to uniquely identify the entries in this list - * that they are responsible for. - * - * Note that to achieve this, the list of PolicyAncestorStatus structs - * MUST be treated as a map with a composite key, made up of the AncestorRef - * and ControllerName fields combined. - * - * A maximum of 16 ancestors will be represented in this list. An empty list - * means the Policy is not relevant for any ancestors. - * - * If this slice is full, implementations MUST NOT add further entries. - * Instead they MUST consider the policy unimplementable and signal that - * on any related resources such as the ancestor that would be referenced - * here. 
For example, if this list was full on BackendTLSPolicy, no - * additional Gateways would be able to reference the Service targeted by - * the BackendTLSPolicy. - */ - ancestors: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestors[]; - } - /** - * PolicyAncestorStatus describes the status of a route with respect to an - * associated Ancestor. - * - * Ancestors refer to objects that are either the Target of a policy or above it - * in terms of object hierarchy. For example, if a policy targets a Service, the - * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most - * useful object to place Policy status on, so we recommend that implementations - * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - * have a _very_ good reason otherwise. - * - * In the context of policy attachment, the Ancestor is used to distinguish which - * resource results in a distinct application of this policy. For example, if a policy - * targets a Service, it may have a distinct result per attached Gateway. - * - * Policies targeting the same resource may have different effects depending on the - * ancestors of those resources. For example, different Gateways targeting the same - * Service may have different capabilities, especially if they have different underlying - * implementations. - * - * For example, in BackendTLSPolicy, the Policy attaches to a Service that is - * used as a backend in a HTTPRoute that is itself attached to a Gateway. - * In this case, the relevant object for status is the Gateway, and that is the - * ancestor object referred to in this status. - * - * Note that a parent is also an ancestor, so for objects where the parent is the - * relevant object for status, this struct SHOULD still be used. 
- * - * This struct is intended to be used in a slice that's effectively a map, - * with a composite key made up of the AncestorRef and the ControllerName. - */ - interface XBackendTrafficPolicyStatusAncestors { - ancestorRef: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsAncestorRef; - /** - * Conditions describes the status of the Policy with respect to the given Ancestor. - */ - conditions: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsConditions[]; - /** - * ControllerName is a domain/path string that indicates the name of the - * controller that wrote this status. This corresponds with the - * controllerName field on GatewayClass. - * - * Example: "example.net/gateway-controller". - * - * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - * valid Kubernetes names - * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - * - * Controllers MUST populate this field when writing status. Controllers should ensure that - * entries to status populated with their ControllerName are cleaned up when they are no - * longer necessary. - */ - controllerName: string; - } - /** - * AncestorRef corresponds with a ParentRef in the spec that this - * PolicyAncestorStatus struct describes the status of. - */ - interface XBackendTrafficPolicyStatusAncestorsAncestorRef { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group: string; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind: string; - /** - * Name is the name of the referent. 
- * - * Support: Core - */ - name: string; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace: string; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. 
- * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. - * - * Support: Extended - */ - port: number; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. 
If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName: string; - } - /** - * AncestorRef corresponds with a ParentRef in the spec that this - * PolicyAncestorStatus struct describes the status of. - */ - interface XBackendTrafficPolicyStatusAncestorsAncestorRefPatch { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group: string; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind: string; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name: string; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. 
- * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace: string; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. 
- * - * Support: Extended - */ - port: number; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName: string; - } - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - interface XBackendTrafficPolicyStatusAncestorsConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. 
- */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - interface XBackendTrafficPolicyStatusAncestorsConditionsPatch { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - /** - * PolicyAncestorStatus describes the status of a route with respect to an - * associated Ancestor. - * - * Ancestors refer to objects that are either the Target of a policy or above it - * in terms of object hierarchy. For example, if a policy targets a Service, the - * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most - * useful object to place Policy status on, so we recommend that implementations - * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - * have a _very_ good reason otherwise. - * - * In the context of policy attachment, the Ancestor is used to distinguish which - * resource results in a distinct application of this policy. For example, if a policy - * targets a Service, it may have a distinct result per attached Gateway. - * - * Policies targeting the same resource may have different effects depending on the - * ancestors of those resources. For example, different Gateways targeting the same - * Service may have different capabilities, especially if they have different underlying - * implementations. - * - * For example, in BackendTLSPolicy, the Policy attaches to a Service that is - * used as a backend in a HTTPRoute that is itself attached to a Gateway. - * In this case, the relevant object for status is the Gateway, and that is the - * ancestor object referred to in this status. 
- * - * Note that a parent is also an ancestor, so for objects where the parent is the - * relevant object for status, this struct SHOULD still be used. - * - * This struct is intended to be used in a slice that's effectively a map, - * with a composite key made up of the AncestorRef and the ControllerName. - */ - interface XBackendTrafficPolicyStatusAncestorsPatch { - ancestorRef: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsAncestorRefPatch; - /** - * Conditions describes the status of the Policy with respect to the given Ancestor. - */ - conditions: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsConditionsPatch[]; - /** - * ControllerName is a domain/path string that indicates the name of the - * controller that wrote this status. This corresponds with the - * controllerName field on GatewayClass. - * - * Example: "example.net/gateway-controller". - * - * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - * valid Kubernetes names - * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - * - * Controllers MUST populate this field when writing status. Controllers should ensure that - * entries to status populated with their ControllerName are cleaned up when they are no - * longer necessary. - */ - controllerName: string; - } - /** - * Status defines the current state of BackendTrafficPolicy. - */ - interface XBackendTrafficPolicyStatusPatch { - /** - * Ancestors is a list of ancestor resources (usually Gateways) that are - * associated with the policy, and the status of the policy with respect to - * each ancestor. When this policy attaches to a parent, the controller that - * manages the parent and the ancestors MUST add an entry to this list when - * the controller first sees the policy and SHOULD update the entry as - * appropriate when the relevant ancestor is modified. 
- * - * Note that choosing the relevant ancestor is left to the Policy designers; - * an important part of Policy design is designing the right object level at - * which to namespace this status. - * - * Note also that implementations MUST ONLY populate ancestor status for - * the Ancestor resources they are responsible for. Implementations MUST - * use the ControllerName field to uniquely identify the entries in this list - * that they are responsible for. - * - * Note that to achieve this, the list of PolicyAncestorStatus structs - * MUST be treated as a map with a composite key, made up of the AncestorRef - * and ControllerName fields combined. - * - * A maximum of 16 ancestors will be represented in this list. An empty list - * means the Policy is not relevant for any ancestors. - * - * If this slice is full, implementations MUST NOT add further entries. - * Instead they MUST consider the policy unimplementable and signal that - * on any related resources such as the ancestor that would be referenced - * here. For example, if this list was full on BackendTLSPolicy, no - * additional Gateways would be able to reference the Service targeted by - * the BackendTLSPolicy. - */ - ancestors: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsPatch[]; - } - /** - * XListenerSet defines a set of additional listeners to attach to an existing Gateway. - * This resource provides a mechanism to merge multiple listeners into a single Gateway. - * - * The parent Gateway must explicitly allow ListenerSet attachment through its - * AllowedListeners configuration. By default, Gateways do not allow ListenerSet - * attachment. - * - * Routes can attach to a ListenerSet by specifying it as a parentRef, and can - * optionally target specific listeners using the sectionName field. 
- * - * Policy Attachment: - * - Policies that attach to a ListenerSet apply to all listeners defined in that resource - * - Policies do not impact listeners in the parent Gateway - * - Different ListenerSets attached to the same Gateway can have different policies - * - If an implementation cannot apply a policy to specific listeners, it should reject the policy - * - * ReferenceGrant Semantics: - * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets - * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners - * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant - * - * Gateway Integration: - * - The parent Gateway's status will include an "AttachedListenerSets" condition - * - This condition will be: - * - True: when AllowedListeners is set and at least one child ListenerSet is attached - * - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false - * - Unknown: when no AllowedListeners config is present - */ - interface XListenerSet { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion: "gateway.networking.x-k8s.io/v1alpha1"; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind: "XListenerSet"; - /** - * Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata: outputs.meta.v1.ObjectMeta; - spec: outputs.gateway.v1alpha1.XListenerSetSpec; - status: outputs.gateway.v1alpha1.XListenerSetStatus; - } - /** - * Spec defines the desired state of ListenerSet. - */ - interface XListenerSetSpec { - /** - * Listeners associated with this ListenerSet. Listeners define - * logical endpoints that are bound on this referenced parent Gateway's addresses. - * - * Listeners in a `Gateway` and their attached `ListenerSets` are concatenated - * as a list when programming the underlying infrastructure. Each listener - * name does not need to be unique across the Gateway and ListenerSets. - * See ListenerEntry.Name for more details. - * - * Implementations MUST treat the parent Gateway as having the merged - * list of all listeners from itself and attached ListenerSets using - * the following precedence: - * - * 1. "parent" Gateway - * 2. ListenerSet ordered by creation time (oldest first) - * 3. ListenerSet ordered alphabetically by "{namespace}/{name}". - * - * An implementation MAY reject listeners by setting the ListenerEntryStatus - * `Accepted` condition to False with the Reason `TooManyListeners` - * - * If a listener has a conflict, this will be reported in the - * Status.ListenerEntryStatus setting the `Conflicted` condition to True. - * - * Implementations SHOULD be cautious about what information from the - * parent or siblings are reported to avoid accidentally leaking - * sensitive information that the child would not otherwise have access - * to. This can include contents of secrets etc. 
- */ - listeners: outputs.gateway.v1alpha1.XListenerSetSpecListeners[]; - parentRef: outputs.gateway.v1alpha1.XListenerSetSpecParentRef; - } - interface XListenerSetSpecListeners { - allowedRoutes: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutes; - /** - * Hostname specifies the virtual hostname to match for protocol types that - * define this concept. When unspecified, all hostnames are matched. This - * field is ignored for protocols that don't require hostname based - * matching. - * - * Implementations MUST apply Hostname matching appropriately for each of - * the following protocols: - * - * * TLS: The Listener Hostname MUST match the SNI. - * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP - * protocol layers as described above. If an implementation does not - * ensure that both the SNI and Host header match the Listener hostname, - * it MUST clearly document that. - * - * For HTTPRoute and TLSRoute resources, there is an interaction with the - * `spec.hostnames` array. When both listener and route specify hostnames, - * there MUST be an intersection between the values for a Route to be - * accepted. For more information, refer to the Route specific Hostnames - * documentation. - * - * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - * as a suffix match. That means that a match for `*.example.com` would match - * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - */ - hostname: string; - /** - * Name is the name of the Listener. This name MUST be unique within a - * ListenerSet. - * - * Name is not required to be unique across a Gateway and ListenerSets. - * Routes can attach to a Listener by having a ListenerSet as a parentRef - * and setting the SectionName - */ - name: string; - /** - * Port is the network port. 
Multiple listeners may use the - * same port, subject to the Listener compatibility rules. - * - * If the port is not set or specified as zero, the implementation will assign - * a unique port. If the implementation does not support dynamic port - * assignment, it MUST set `Accepted` condition to `False` with the - * `UnsupportedPort` reason. - */ - port: number; - /** - * Protocol specifies the network protocol this listener expects to receive. - */ - protocol: string; - tls: outputs.gateway.v1alpha1.XListenerSetSpecListenersTls; - } - /** - * AllowedRoutes defines the types of routes that MAY be attached to a - * Listener and the trusted namespaces where those Route resources MAY be - * present. - * - * Although a client request may match multiple route rules, only one rule - * may ultimately receive the request. Matching precedence MUST be - * determined in order of the following criteria: - * - * * The most specific match as defined by the Route type. - * * The oldest Route based on creation timestamp. For example, a Route with - * a creation timestamp of "2020-09-08 01:02:03" is given precedence over - * a Route with a creation timestamp of "2020-09-08 01:02:04". - * * If everything else is equivalent, the Route appearing first in - * alphabetical order (namespace/name) should be given precedence. For - * example, foo/bar is given precedence over foo/baz. - * - * All valid rules within a Route attached to this Listener should be - * implemented. Invalid Route rules can be ignored (sometimes that will mean - * the full Route). If a Route rule transitions from valid to invalid, - * support for that Route rule should be dropped to ensure consistency. For - * example, even if a filter specified by a Route rule is invalid, the rest - * of the rules within that Route should still be supported. - */ - interface XListenerSetSpecListenersAllowedRoutes { - /** - * Kinds specifies the groups and kinds of Routes that are allowed to bind - * to this Gateway Listener. 
When unspecified or empty, the kinds of Routes - * selected are determined using the Listener protocol. - * - * A RouteGroupKind MUST correspond to kinds of Routes that are compatible - * with the application protocol specified in the Listener's Protocol field. - * If an implementation does not support or recognize this resource type, it - * MUST set the "ResolvedRefs" condition to False for this Listener with the - * "InvalidRouteKinds" reason. - * - * Support: Core - */ - kinds: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesKinds[]; - namespaces: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespaces; - } - /** - * RouteGroupKind indicates the group and kind of a Route resource. - */ - interface XListenerSetSpecListenersAllowedRoutesKinds { - /** - * Group is the group of the Route. - */ - group: string; - /** - * Kind is the kind of the Route. - */ - kind: string; - } - /** - * RouteGroupKind indicates the group and kind of a Route resource. - */ - interface XListenerSetSpecListenersAllowedRoutesKindsPatch { - /** - * Group is the group of the Route. - */ - group: string; - /** - * Kind is the kind of the Route. - */ - kind: string; - } - /** - * Namespaces indicates namespaces from which Routes may be attached to this - * Listener. This is restricted to the namespace of this Gateway by default. - * - * Support: Core - */ - interface XListenerSetSpecListenersAllowedRoutesNamespaces { - /** - * From indicates where Routes will be selected for this Gateway. Possible - * values are: - * - * * All: Routes in all namespaces may be used by this Gateway. - * * Selector: Routes in namespaces selected by the selector may be used by - * this Gateway. - * * Same: Only Routes in the same namespace may be used by this Gateway. 
- * - * Support: Core - */ - from: string; - selector: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelector; - } - /** - * Namespaces indicates namespaces from which Routes may be attached to this - * Listener. This is restricted to the namespace of this Gateway by default. - * - * Support: Core - */ - interface XListenerSetSpecListenersAllowedRoutesNamespacesPatch { - /** - * From indicates where Routes will be selected for this Gateway. Possible - * values are: - * - * * All: Routes in all namespaces may be used by this Gateway. - * * Selector: Routes in namespaces selected by the selector may be used by - * this Gateway. - * * Same: Only Routes in the same namespace may be used by this Gateway. - * - * Support: Core - */ - from: string; - selector: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorPatch; - } - /** - * Selector must be specified when From is set to "Selector". In that case, - * only Routes in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - * - * Support: Core - */ - interface XListenerSetSpecListenersAllowedRoutesNamespacesSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. 
- */ - interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * Selector must be specified when From is set to "Selector". In that case, - * only Routes in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - * - * Support: Core - */ - interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * AllowedRoutes defines the types of routes that MAY be attached to a - * Listener and the trusted namespaces where those Route resources MAY be - * present. - * - * Although a client request may match multiple route rules, only one rule - * may ultimately receive the request. Matching precedence MUST be - * determined in order of the following criteria: - * - * * The most specific match as defined by the Route type. - * * The oldest Route based on creation timestamp. For example, a Route with - * a creation timestamp of "2020-09-08 01:02:03" is given precedence over - * a Route with a creation timestamp of "2020-09-08 01:02:04". - * * If everything else is equivalent, the Route appearing first in - * alphabetical order (namespace/name) should be given precedence. For - * example, foo/bar is given precedence over foo/baz. - * - * All valid rules within a Route attached to this Listener should be - * implemented. Invalid Route rules can be ignored (sometimes that will mean - * the full Route). If a Route rule transitions from valid to invalid, - * support for that Route rule should be dropped to ensure consistency. For - * example, even if a filter specified by a Route rule is invalid, the rest - * of the rules within that Route should still be supported. - */ - interface XListenerSetSpecListenersAllowedRoutesPatch { - /** - * Kinds specifies the groups and kinds of Routes that are allowed to bind - * to this Gateway Listener. When unspecified or empty, the kinds of Routes - * selected are determined using the Listener protocol. - * - * A RouteGroupKind MUST correspond to kinds of Routes that are compatible - * with the application protocol specified in the Listener's Protocol field. 
- * If an implementation does not support or recognize this resource type, it - * MUST set the "ResolvedRefs" condition to False for this Listener with the - * "InvalidRouteKinds" reason. - * - * Support: Core - */ - kinds: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesKindsPatch[]; - namespaces: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesPatch; - } - interface XListenerSetSpecListenersPatch { - allowedRoutes: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesPatch; - /** - * Hostname specifies the virtual hostname to match for protocol types that - * define this concept. When unspecified, all hostnames are matched. This - * field is ignored for protocols that don't require hostname based - * matching. - * - * Implementations MUST apply Hostname matching appropriately for each of - * the following protocols: - * - * * TLS: The Listener Hostname MUST match the SNI. - * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP - * protocol layers as described above. If an implementation does not - * ensure that both the SNI and Host header match the Listener hostname, - * it MUST clearly document that. - * - * For HTTPRoute and TLSRoute resources, there is an interaction with the - * `spec.hostnames` array. When both listener and route specify hostnames, - * there MUST be an intersection between the values for a Route to be - * accepted. For more information, refer to the Route specific Hostnames - * documentation. - * - * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - * as a suffix match. That means that a match for `*.example.com` would match - * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - */ - hostname: string; - /** - * Name is the name of the Listener. This name MUST be unique within a - * ListenerSet. 
- * - * Name is not required to be unique across a Gateway and ListenerSets. - * Routes can attach to a Listener by having a ListenerSet as a parentRef - * and setting the SectionName - */ - name: string; - /** - * Port is the network port. Multiple listeners may use the - * same port, subject to the Listener compatibility rules. - * - * If the port is not set or specified as zero, the implementation will assign - * a unique port. If the implementation does not support dynamic port - * assignment, it MUST set `Accepted` condition to `False` with the - * `UnsupportedPort` reason. - */ - port: number; - /** - * Protocol specifies the network protocol this listener expects to receive. - */ - protocol: string; - tls: outputs.gateway.v1alpha1.XListenerSetSpecListenersTlsPatch; - } - /** - * TLS is the TLS configuration for the Listener. This field is required if - * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field - * if the Protocol field is "HTTP", "TCP", or "UDP". - * - * The association of SNIs to Certificate defined in ListenerTLSConfig is - * defined based on the Hostname field for this listener. - * - * The GatewayClass MUST use the longest matching SNI out of all - * available certificates for any TLS handshake. - */ - interface XListenerSetSpecListenersTls { - /** - * CertificateRefs contains a series of references to Kubernetes objects that - * contains TLS certificates and private keys. These certificates are used to - * establish a TLS handshake for requests that match the hostname of the - * associated listener. - * - * A single CertificateRef to a Kubernetes Secret has "Core" support. - * Implementations MAY choose to support attaching multiple certificates to - * a Listener, but this behavior is implementation-specific. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. 
If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * This field is required to have at least one element when the mode is set - * to "Terminate" (default) and is optional otherwise. - * - * CertificateRefs can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - * - * Support: Implementation-specific (More than one reference or other resource types) - */ - certificateRefs: outputs.gateway.v1alpha1.XListenerSetSpecListenersTlsCertificateRefs[]; - /** - * Mode defines the TLS behavior for the TLS session initiated by the client. - * There are two possible modes: - * - * - Terminate: The TLS session between the downstream client and the - * Gateway is terminated at the Gateway. This mode requires certificates - * to be specified in some way, such as populating the certificateRefs - * field. - * - Passthrough: The TLS session is NOT terminated by the Gateway. This - * implies that the Gateway can't decipher the TLS stream except for - * the ClientHello message of the TLS protocol. The certificateRefs field - * is ignored in this mode. - * - * Support: Core - */ - mode: string; - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. 
- * - * Support: Implementation-specific - */ - options: { - [key: string]: string; - }; - } - /** - * SecretObjectReference identifies an API object including its namespace, - * defaulting to Secret. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface XListenerSetSpecListenersTlsCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - /** - * SecretObjectReference identifies an API object including its namespace, - * defaulting to Secret. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface XListenerSetSpecListenersTlsCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". 
- * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - /** - * TLS is the TLS configuration for the Listener. This field is required if - * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field - * if the Protocol field is "HTTP", "TCP", or "UDP". - * - * The association of SNIs to Certificate defined in ListenerTLSConfig is - * defined based on the Hostname field for this listener. - * - * The GatewayClass MUST use the longest matching SNI out of all - * available certificates for any TLS handshake. - */ - interface XListenerSetSpecListenersTlsPatch { - /** - * CertificateRefs contains a series of references to Kubernetes objects that - * contains TLS certificates and private keys. These certificates are used to - * establish a TLS handshake for requests that match the hostname of the - * associated listener. - * - * A single CertificateRef to a Kubernetes Secret has "Core" support. - * Implementations MAY choose to support attaching multiple certificates to - * a Listener, but this behavior is implementation-specific. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. 
If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * This field is required to have at least one element when the mode is set - * to "Terminate" (default) and is optional otherwise. - * - * CertificateRefs can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - * - * Support: Implementation-specific (More than one reference or other resource types) - */ - certificateRefs: outputs.gateway.v1alpha1.XListenerSetSpecListenersTlsCertificateRefsPatch[]; - /** - * Mode defines the TLS behavior for the TLS session initiated by the client. - * There are two possible modes: - * - * - Terminate: The TLS session between the downstream client and the - * Gateway is terminated at the Gateway. This mode requires certificates - * to be specified in some way, such as populating the certificateRefs - * field. - * - Passthrough: The TLS session is NOT terminated by the Gateway. This - * implies that the Gateway can't decipher the TLS stream except for - * the ClientHello message of the TLS protocol. The certificateRefs field - * is ignored in this mode. - * - * Support: Core - */ - mode: string; - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. 
- * - * Support: Implementation-specific - */ - options: { - [key: string]: string; - }; - } - /** - * ParentRef references the Gateway that the listeners are attached to. - */ - interface XListenerSetSpecParentRef { - /** - * Group is the group of the referent. - */ - group: string; - /** - * Kind is kind of the referent. For example "Gateway". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referent. If not present, - * the namespace of the referent is assumed to be the same as - * the namespace of the referring object. - */ - namespace: string; - } - /** - * ParentRef references the Gateway that the listeners are attached to. - */ - interface XListenerSetSpecParentRefPatch { - /** - * Group is the group of the referent. - */ - group: string; - /** - * Kind is kind of the referent. For example "Gateway". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referent. If not present, - * the namespace of the referent is assumed to be the same as - * the namespace of the referring object. - */ - namespace: string; - } - /** - * Spec defines the desired state of ListenerSet. - */ - interface XListenerSetSpecPatch { - /** - * Listeners associated with this ListenerSet. Listeners define - * logical endpoints that are bound on this referenced parent Gateway's addresses. - * - * Listeners in a `Gateway` and their attached `ListenerSets` are concatenated - * as a list when programming the underlying infrastructure. Each listener - * name does not need to be unique across the Gateway and ListenerSets. - * See ListenerEntry.Name for more details. - * - * Implementations MUST treat the parent Gateway as having the merged - * list of all listeners from itself and attached ListenerSets using - * the following precedence: - * - * 1. "parent" Gateway - * 2. ListenerSet ordered by creation time (oldest first) - * 3. 
ListenerSet ordered alphabetically by "{namespace}/{name}". - * - * An implementation MAY reject listeners by setting the ListenerEntryStatus - * `Accepted` condition to False with the Reason `TooManyListeners` - * - * If a listener has a conflict, this will be reported in the - * Status.ListenerEntryStatus setting the `Conflicted` condition to True. - * - * Implementations SHOULD be cautious about what information from the - * parent or siblings are reported to avoid accidentally leaking - * sensitive information that the child would not otherwise have access - * to. This can include contents of secrets etc. - */ - listeners: outputs.gateway.v1alpha1.XListenerSetSpecListenersPatch[]; - parentRef: outputs.gateway.v1alpha1.XListenerSetSpecParentRefPatch; - } - /** - * Status defines the current state of ListenerSet. - */ - interface XListenerSetStatus { - /** - * Conditions describe the current conditions of the ListenerSet. - * - * Implementations MUST express ListenerSet conditions using the - * `ListenerSetConditionType` and `ListenerSetConditionReason` - * constants so that operators and tools can converge on a common - * vocabulary to describe ListenerSet state. - * - * Known condition types are: - * - * * "Accepted" - * * "Programmed" - */ - conditions: outputs.gateway.v1alpha1.XListenerSetStatusConditions[]; - /** - * Listeners provide status for each unique listener port defined in the Spec. - */ - listeners: outputs.gateway.v1alpha1.XListenerSetStatusListeners[]; - } - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - interface XListenerSetStatusConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
- */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - interface XListenerSetStatusConditionsPatch { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. 
- */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - /** - * ListenerStatus is the status associated with a Listener. - */ - interface XListenerSetStatusListeners { - /** - * AttachedRoutes represents the total number of Routes that have been - * successfully attached to this Listener. - * - * Successful attachment of a Route to a Listener is based solely on the - * combination of the AllowedRoutes field on the corresponding Listener - * and the Route's ParentRefs field. A Route is successfully attached to - * a Listener when it is selected by the Listener's AllowedRoutes field - * AND the Route has a valid ParentRef selecting the whole Gateway - * resource or a specific Listener as a parent resource (more detail on - * attachment semantics can be found in the documentation on the various - * Route kinds ParentRefs fields). Listener or Route status does not impact - * successful attachment, i.e. the AttachedRoutes field count MUST be set - * for Listeners with condition Accepted: false and MUST count successfully - * attached Routes that may themselves have Accepted: false conditions. - * - * Uses for this field include troubleshooting Route attachment and - * measuring blast radius/impact of changes to a Listener. - */ - attachedRoutes: number; - /** - * Conditions describe the current condition of this listener. 
- */ - conditions: outputs.gateway.v1alpha1.XListenerSetStatusListenersConditions[]; - /** - * Name is the name of the Listener that this status corresponds to. - */ - name: string; - /** - * Port is the network port the listener is configured to listen on. - */ - port: number; - /** - * SupportedKinds is the list indicating the Kinds supported by this - * listener. This MUST represent the kinds an implementation supports for - * that Listener configuration. - * - * If kinds are specified in Spec that are not supported, they MUST NOT - * appear in this list and an implementation MUST set the "ResolvedRefs" - * condition to "False" with the "InvalidRouteKinds" reason. If both valid - * and invalid Route kinds are specified, the implementation MUST - * reference the valid Route kinds that have been specified. - */ - supportedKinds: outputs.gateway.v1alpha1.XListenerSetStatusListenersSupportedKinds[]; - } - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - interface XListenerSetStatusListenersConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - interface XListenerSetStatusListenersConditionsPatch { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - /** - * ListenerStatus is the status associated with a Listener. 
- */ - interface XListenerSetStatusListenersPatch { - /** - * AttachedRoutes represents the total number of Routes that have been - * successfully attached to this Listener. - * - * Successful attachment of a Route to a Listener is based solely on the - * combination of the AllowedRoutes field on the corresponding Listener - * and the Route's ParentRefs field. A Route is successfully attached to - * a Listener when it is selected by the Listener's AllowedRoutes field - * AND the Route has a valid ParentRef selecting the whole Gateway - * resource or a specific Listener as a parent resource (more detail on - * attachment semantics can be found in the documentation on the various - * Route kinds ParentRefs fields). Listener or Route status does not impact - * successful attachment, i.e. the AttachedRoutes field count MUST be set - * for Listeners with condition Accepted: false and MUST count successfully - * attached Routes that may themselves have Accepted: false conditions. - * - * Uses for this field include troubleshooting Route attachment and - * measuring blast radius/impact of changes to a Listener. - */ - attachedRoutes: number; - /** - * Conditions describe the current condition of this listener. - */ - conditions: outputs.gateway.v1alpha1.XListenerSetStatusListenersConditionsPatch[]; - /** - * Name is the name of the Listener that this status corresponds to. - */ - name: string; - /** - * Port is the network port the listener is configured to listen on. - */ - port: number; - /** - * SupportedKinds is the list indicating the Kinds supported by this - * listener. This MUST represent the kinds an implementation supports for - * that Listener configuration. - * - * If kinds are specified in Spec that are not supported, they MUST NOT - * appear in this list and an implementation MUST set the "ResolvedRefs" - * condition to "False" with the "InvalidRouteKinds" reason. 
If both valid - * and invalid Route kinds are specified, the implementation MUST - * reference the valid Route kinds that have been specified. - */ - supportedKinds: outputs.gateway.v1alpha1.XListenerSetStatusListenersSupportedKindsPatch[]; - } - /** - * RouteGroupKind indicates the group and kind of a Route resource. - */ - interface XListenerSetStatusListenersSupportedKinds { - /** - * Group is the group of the Route. - */ - group: string; - /** - * Kind is the kind of the Route. - */ - kind: string; - } - /** - * RouteGroupKind indicates the group and kind of a Route resource. - */ - interface XListenerSetStatusListenersSupportedKindsPatch { - /** - * Group is the group of the Route. - */ - group: string; - /** - * Kind is the kind of the Route. - */ - kind: string; - } - /** - * Status defines the current state of ListenerSet. - */ - interface XListenerSetStatusPatch { - /** - * Conditions describe the current conditions of the ListenerSet. - * - * Implementations MUST express ListenerSet conditions using the - * `ListenerSetConditionType` and `ListenerSetConditionReason` - * constants so that operators and tools can converge on a common - * vocabulary to describe ListenerSet state. - * - * Known condition types are: - * - * * "Accepted" - * * "Programmed" - */ - conditions: outputs.gateway.v1alpha1.XListenerSetStatusConditionsPatch[]; - /** - * Listeners provide status for each unique listener port defined in the Spec. - */ - listeners: outputs.gateway.v1alpha1.XListenerSetStatusListenersPatch[]; - } - /** - * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh. - */ - interface XMesh { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion: "gateway.networking.x-k8s.io/v1alpha1"; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind: "XMesh"; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata: outputs.meta.v1.ObjectMeta; - spec: outputs.gateway.v1alpha1.XMeshSpec; - status: outputs.gateway.v1alpha1.XMeshStatus; - } - /** - * Spec defines the desired state of XMesh. - */ - interface XMeshSpec { - /** - * ControllerName is the name of a controller that is managing Gateway API - * resources for mesh traffic management. The value of this field MUST be a - * domain prefixed path. - * - * Example: "example.com/awesome-mesh". - * - * This field is not mutable and cannot be empty. - * - * Support: Core - */ - controllerName: string; - /** - * Description optionally provides a human-readable description of a Mesh. - */ - description: string; - parametersRef: outputs.gateway.v1alpha1.XMeshSpecParametersRef; - } - /** - * ParametersRef is an optional reference to a resource that contains - * implementation-specific configuration for this Mesh. If no - * implementation-specific parameters are needed, this field MUST be - * omitted. - * - * ParametersRef can reference a standard Kubernetes resource, i.e. - * ConfigMap, or an implementation-specific custom resource. The resource - * can be cluster-scoped or namespace-scoped. 
- * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Mesh MUST be rejected - * with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. - * - * Support: Implementation-specific - */ - interface XMeshSpecParametersRef { - /** - * Group is the group of the referent. - */ - group: string; - /** - * Kind is kind of the referent. - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referent. - * This field is required when referring to a Namespace-scoped resource and - * MUST be unset when referring to a Cluster-scoped resource. - */ - namespace: string; - } - /** - * ParametersRef is an optional reference to a resource that contains - * implementation-specific configuration for this Mesh. If no - * implementation-specific parameters are needed, this field MUST be - * omitted. - * - * ParametersRef can reference a standard Kubernetes resource, i.e. - * ConfigMap, or an implementation-specific custom resource. The resource - * can be cluster-scoped or namespace-scoped. - * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Mesh MUST be rejected - * with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. - * - * Support: Implementation-specific - */ - interface XMeshSpecParametersRefPatch { - /** - * Group is the group of the referent. - */ - group: string; - /** - * Kind is kind of the referent. - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referent. - * This field is required when referring to a Namespace-scoped resource and - * MUST be unset when referring to a Cluster-scoped resource. - */ - namespace: string; - } - /** - * Spec defines the desired state of XMesh. 
- */ - interface XMeshSpecPatch { - /** - * ControllerName is the name of a controller that is managing Gateway API - * resources for mesh traffic management. The value of this field MUST be a - * domain prefixed path. - * - * Example: "example.com/awesome-mesh". - * - * This field is not mutable and cannot be empty. - * - * Support: Core - */ - controllerName: string; - /** - * Description optionally provides a human-readable description of a Mesh. - */ - description: string; - parametersRef: outputs.gateway.v1alpha1.XMeshSpecParametersRefPatch; - } - /** - * Status defines the current state of XMesh. - */ - interface XMeshStatus { - /** - * Conditions is the current status from the controller for - * this Mesh. - * - * Controllers should prefer to publish conditions using values - * of MeshConditionType for the type of each Condition. - */ - conditions: outputs.gateway.v1alpha1.XMeshStatusConditions[]; - /** - * SupportedFeatures is the set of features the Mesh support. - * It MUST be sorted in ascending alphabetical order by the Name key. - */ - supportedFeatures: outputs.gateway.v1alpha1.XMeshStatusSupportedFeatures[]; - } - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - interface XMeshStatusConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. 
- * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - interface XMeshStatusConditionsPatch { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. 
- * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - /** - * Status defines the current state of XMesh. - */ - interface XMeshStatusPatch { - /** - * Conditions is the current status from the controller for - * this Mesh. - * - * Controllers should prefer to publish conditions using values - * of MeshConditionType for the type of each Condition. - */ - conditions: outputs.gateway.v1alpha1.XMeshStatusConditionsPatch[]; - /** - * SupportedFeatures is the set of features the Mesh support. - * It MUST be sorted in ascending alphabetical order by the Name key. - */ - supportedFeatures: outputs.gateway.v1alpha1.XMeshStatusSupportedFeaturesPatch[]; - } - interface XMeshStatusSupportedFeatures { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. - */ - name: string; - } - interface XMeshStatusSupportedFeaturesPatch { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. - */ - name: string; - } - } namespace v1alpha2 { + /** + * BackendLBPolicy provides a way to define load balancing rules + * for a backend. + */ + interface BackendLBPolicy { + /** + * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + */ + apiVersion: "gateway.networking.k8s.io/v1alpha2"; + /** + * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + */ + kind: "BackendLBPolicy"; + /** + * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + */ + metadata: outputs.meta.v1.ObjectMeta; + spec: outputs.gateway.v1alpha2.BackendLBPolicySpec; + status: outputs.gateway.v1alpha2.BackendLBPolicyStatus; + } + /** + * Spec defines the desired state of BackendLBPolicy. + */ + interface BackendLBPolicySpec { + sessionPersistence: outputs.gateway.v1alpha2.BackendLBPolicySpecSessionPersistence; + /** + * TargetRef identifies an API object to apply policy to. + * Currently, Backends (i.e. Service, ServiceImport, or any + * implementation-specific backendRef) are the only valid API + * target references. + */ + targetRefs: outputs.gateway.v1alpha2.BackendLBPolicySpecTargetRefs[]; + } + /** + * Spec defines the desired state of BackendLBPolicy. + */ + interface BackendLBPolicySpecPatch { + sessionPersistence: outputs.gateway.v1alpha2.BackendLBPolicySpecSessionPersistencePatch; + /** + * TargetRef identifies an API object to apply policy to. + * Currently, Backends (i.e. Service, ServiceImport, or any + * implementation-specific backendRef) are the only valid API + * target references. + */ + targetRefs: outputs.gateway.v1alpha2.BackendLBPolicySpecTargetRefsPatch[]; + } + /** + * SessionPersistence defines and configures session persistence + * for the backend. + * + * + * Support: Extended + */ + interface BackendLBPolicySpecSessionPersistence { + /** + * AbsoluteTimeout defines the absolute timeout of the persistent + * session. Once the AbsoluteTimeout duration has elapsed, the + * session becomes invalid. + * + * + * Support: Extended + */ + absoluteTimeout: string; + cookieConfig: outputs.gateway.v1alpha2.BackendLBPolicySpecSessionPersistenceCookieConfig; + /** + * IdleTimeout defines the idle timeout of the persistent session. 
+ * Once the session has been idle for more than the specified + * IdleTimeout duration, the session becomes invalid. + * + * + * Support: Extended + */ + idleTimeout: string; + /** + * SessionName defines the name of the persistent session token + * which may be reflected in the cookie or the header. Users + * should avoid reusing session names to prevent unintended + * consequences, such as rejection or unpredictable behavior. + * + * + * Support: Implementation-specific + */ + sessionName: string; + /** + * Type defines the type of session persistence such as through + * the use a header or cookie. Defaults to cookie based session + * persistence. + * + * + * Support: Core for "Cookie" type + * + * + * Support: Extended for "Header" type + */ + type: string; + } + /** + * CookieConfig provides configuration settings that are specific + * to cookie-based session persistence. + * + * + * Support: Core + */ + interface BackendLBPolicySpecSessionPersistenceCookieConfig { + /** + * LifetimeType specifies whether the cookie has a permanent or + * session-based lifetime. A permanent cookie persists until its + * specified expiry time, defined by the Expires or Max-Age cookie + * attributes, while a session cookie is deleted when the current + * session ends. + * + * + * When set to "Permanent", AbsoluteTimeout indicates the + * cookie's lifetime via the Expires or Max-Age cookie attributes + * and is required. + * + * + * When set to "Session", AbsoluteTimeout indicates the + * absolute lifetime of the cookie tracked by the gateway and + * is optional. + * + * + * Support: Core for "Session" type + * + * + * Support: Extended for "Permanent" type + */ + lifetimeType: string; + } + /** + * CookieConfig provides configuration settings that are specific + * to cookie-based session persistence. 
+ * + * + * Support: Core + */ + interface BackendLBPolicySpecSessionPersistenceCookieConfigPatch { + /** + * LifetimeType specifies whether the cookie has a permanent or + * session-based lifetime. A permanent cookie persists until its + * specified expiry time, defined by the Expires or Max-Age cookie + * attributes, while a session cookie is deleted when the current + * session ends. + * + * + * When set to "Permanent", AbsoluteTimeout indicates the + * cookie's lifetime via the Expires or Max-Age cookie attributes + * and is required. + * + * + * When set to "Session", AbsoluteTimeout indicates the + * absolute lifetime of the cookie tracked by the gateway and + * is optional. + * + * + * Support: Core for "Session" type + * + * + * Support: Extended for "Permanent" type + */ + lifetimeType: string; + } + /** + * SessionPersistence defines and configures session persistence + * for the backend. + * + * + * Support: Extended + */ + interface BackendLBPolicySpecSessionPersistencePatch { + /** + * AbsoluteTimeout defines the absolute timeout of the persistent + * session. Once the AbsoluteTimeout duration has elapsed, the + * session becomes invalid. + * + * + * Support: Extended + */ + absoluteTimeout: string; + cookieConfig: outputs.gateway.v1alpha2.BackendLBPolicySpecSessionPersistenceCookieConfigPatch; + /** + * IdleTimeout defines the idle timeout of the persistent session. + * Once the session has been idle for more than the specified + * IdleTimeout duration, the session becomes invalid. + * + * + * Support: Extended + */ + idleTimeout: string; + /** + * SessionName defines the name of the persistent session token + * which may be reflected in the cookie or the header. Users + * should avoid reusing session names to prevent unintended + * consequences, such as rejection or unpredictable behavior. 
+ * + * + * Support: Implementation-specific + */ + sessionName: string; + /** + * Type defines the type of session persistence such as through + * the use a header or cookie. Defaults to cookie based session + * persistence. + * + * + * Support: Core for "Cookie" type + * + * + * Support: Extended for "Header" type + */ + type: string; + } + /** + * LocalPolicyTargetReference identifies an API object to apply a direct or + * inherited policy to. This should be used as part of Policy resources + * that can target Gateway API resources. For more information on how this + * policy attachment model works, and a sample Policy resource, refer to + * the policy attachment documentation for Gateway API. + */ + interface BackendLBPolicySpecTargetRefs { + /** + * Group is the group of the target resource. + */ + group: string; + /** + * Kind is kind of the target resource. + */ + kind: string; + /** + * Name is the name of the target resource. + */ + name: string; + } + /** + * LocalPolicyTargetReference identifies an API object to apply a direct or + * inherited policy to. This should be used as part of Policy resources + * that can target Gateway API resources. For more information on how this + * policy attachment model works, and a sample Policy resource, refer to + * the policy attachment documentation for Gateway API. + */ + interface BackendLBPolicySpecTargetRefsPatch { + /** + * Group is the group of the target resource. + */ + group: string; + /** + * Kind is kind of the target resource. + */ + kind: string; + /** + * Name is the name of the target resource. + */ + name: string; + } + /** + * Status defines the current state of BackendLBPolicy. + */ + interface BackendLBPolicyStatus { + /** + * Ancestors is a list of ancestor resources (usually Gateways) that are + * associated with the policy, and the status of the policy with respect to + * each ancestor. 
When this policy attaches to a parent, the controller that + * manages the parent and the ancestors MUST add an entry to this list when + * the controller first sees the policy and SHOULD update the entry as + * appropriate when the relevant ancestor is modified. + * + * + * Note that choosing the relevant ancestor is left to the Policy designers; + * an important part of Policy design is designing the right object level at + * which to namespace this status. + * + * + * Note also that implementations MUST ONLY populate ancestor status for + * the Ancestor resources they are responsible for. Implementations MUST + * use the ControllerName field to uniquely identify the entries in this list + * that they are responsible for. + * + * + * Note that to achieve this, the list of PolicyAncestorStatus structs + * MUST be treated as a map with a composite key, made up of the AncestorRef + * and ControllerName fields combined. + * + * + * A maximum of 16 ancestors will be represented in this list. An empty list + * means the Policy is not relevant for any ancestors. + * + * + * If this slice is full, implementations MUST NOT add further entries. + * Instead they MUST consider the policy unimplementable and signal that + * on any related resources such as the ancestor that would be referenced + * here. For example, if this list was full on BackendTLSPolicy, no + * additional Gateways would be able to reference the Service targeted by + * the BackendTLSPolicy. + */ + ancestors: outputs.gateway.v1alpha2.BackendLBPolicyStatusAncestors[]; + } + /** + * PolicyAncestorStatus describes the status of a route with respect to an + * associated Ancestor. + * + * + * Ancestors refer to objects that are either the Target of a policy or above it + * in terms of object hierarchy. For example, if a policy targets a Service, the + * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + * the GatewayClass. 
Almost always, in this hierarchy, the Gateway will be the most + * useful object to place Policy status on, so we recommend that implementations + * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + * have a _very_ good reason otherwise. + * + * + * In the context of policy attachment, the Ancestor is used to distinguish which + * resource results in a distinct application of this policy. For example, if a policy + * targets a Service, it may have a distinct result per attached Gateway. + * + * + * Policies targeting the same resource may have different effects depending on the + * ancestors of those resources. For example, different Gateways targeting the same + * Service may have different capabilities, especially if they have different underlying + * implementations. + * + * + * For example, in BackendTLSPolicy, the Policy attaches to a Service that is + * used as a backend in a HTTPRoute that is itself attached to a Gateway. + * In this case, the relevant object for status is the Gateway, and that is the + * ancestor object referred to in this status. + * + * + * Note that a parent is also an ancestor, so for objects where the parent is the + * relevant object for status, this struct SHOULD still be used. + * + * + * This struct is intended to be used in a slice that's effectively a map, + * with a composite key made up of the AncestorRef and the ControllerName. + */ + interface BackendLBPolicyStatusAncestors { + ancestorRef: outputs.gateway.v1alpha2.BackendLBPolicyStatusAncestorsAncestorRef; + /** + * Conditions describes the status of the Policy with respect to the given Ancestor. + */ + conditions: outputs.gateway.v1alpha2.BackendLBPolicyStatusAncestorsConditions[]; + /** + * ControllerName is a domain/path string that indicates the name of the + * controller that wrote this status. This corresponds with the + * controllerName field on GatewayClass. + * + * + * Example: "example.net/gateway-controller". 
+ * + * + * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + * valid Kubernetes names + * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + * + * + * Controllers MUST populate this field when writing status. Controllers should ensure that + * entries to status populated with their ControllerName are cleaned up when they are no + * longer necessary. + */ + controllerName: string; + } + /** + * AncestorRef corresponds with a ParentRef in the spec that this + * PolicyAncestorStatus struct describes the status of. + */ + interface BackendLBPolicyStatusAncestorsAncestorRef { + /** + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. + * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core + */ + group: string; + /** + * Kind is kind of the referent. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. + */ + kind: string; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name: string; + /** + * Namespace is the namespace of the referent. When unspecified, this refers + * to the local namespace of the Route. + * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. 
+ * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + * + * + * + * Support: Core + */ + namespace: string; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. + * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. + * + * + * + * Implementations MAY choose to support other parent resources. + * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. + * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. + * + * + * Support: Extended + */ + port: number; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. + * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. + * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. + * + * + * Support: Core + */ + sectionName: string; + } + /** + * AncestorRef corresponds with a ParentRef in the spec that this + * PolicyAncestorStatus struct describes the status of. + */ + interface BackendLBPolicyStatusAncestorsAncestorRefPatch { + /** + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. 
+ * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core + */ + group: string; + /** + * Kind is kind of the referent. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. + */ + kind: string; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name: string; + /** + * Namespace is the namespace of the referent. When unspecified, this refers + * to the local namespace of the Route. + * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + * + * + * + * Support: Core + */ + namespace: string; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. + * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). 
It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. + * + * + * + * Implementations MAY choose to support other parent resources. + * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. + * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. + * + * + * Support: Extended + */ + port: number; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. 
+ * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. + * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. + * + * + * Support: Core + */ + sectionName: string; + } + /** + * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } + */ + interface BackendLBPolicyStatusAncestorsConditions { + /** + * lastTransitionTime is the last time the condition transitioned from one status to another. + * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + */ + lastTransitionTime: string; + /** + * message is a human readable message indicating details about the transition. + * This may be an empty string. + */ + message: string; + /** + * observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + * with respect to the current state of the instance. + */ + observedGeneration: number; + /** + * reason contains a programmatic identifier indicating the reason for the condition's last transition. + * Producers of specific condition types may define expected values and meanings for this field, + * and whether the values are considered a guaranteed API. + * The value should be a CamelCase string. + * This field may not be empty. + */ + reason: string; + /** + * status of the condition, one of True, False, Unknown. + */ + status: string; + /** + * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + */ + type: string; + } + /** + * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } + */ + interface BackendLBPolicyStatusAncestorsConditionsPatch { + /** + * lastTransitionTime is the last time the condition transitioned from one status to another. + * This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + */ + lastTransitionTime: string; + /** + * message is a human readable message indicating details about the transition. + * This may be an empty string. + */ + message: string; + /** + * observedGeneration represents the .metadata.generation that the condition was set based upon. + * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + * with respect to the current state of the instance. + */ + observedGeneration: number; + /** + * reason contains a programmatic identifier indicating the reason for the condition's last transition. + * Producers of specific condition types may define expected values and meanings for this field, + * and whether the values are considered a guaranteed API. + * The value should be a CamelCase string. + * This field may not be empty. + */ + reason: string; + /** + * status of the condition, one of True, False, Unknown. + */ + status: string; + /** + * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + */ + type: string; + } + /** + * PolicyAncestorStatus describes the status of a route with respect to an + * associated Ancestor. + * + * + * Ancestors refer to objects that are either the Target of a policy or above it + * in terms of object hierarchy. For example, if a policy targets a Service, the + * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + * the GatewayClass. 
Almost always, in this hierarchy, the Gateway will be the most + * useful object to place Policy status on, so we recommend that implementations + * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + * have a _very_ good reason otherwise. + * + * + * In the context of policy attachment, the Ancestor is used to distinguish which + * resource results in a distinct application of this policy. For example, if a policy + * targets a Service, it may have a distinct result per attached Gateway. + * + * + * Policies targeting the same resource may have different effects depending on the + * ancestors of those resources. For example, different Gateways targeting the same + * Service may have different capabilities, especially if they have different underlying + * implementations. + * + * + * For example, in BackendTLSPolicy, the Policy attaches to a Service that is + * used as a backend in a HTTPRoute that is itself attached to a Gateway. + * In this case, the relevant object for status is the Gateway, and that is the + * ancestor object referred to in this status. + * + * + * Note that a parent is also an ancestor, so for objects where the parent is the + * relevant object for status, this struct SHOULD still be used. + * + * + * This struct is intended to be used in a slice that's effectively a map, + * with a composite key made up of the AncestorRef and the ControllerName. + */ + interface BackendLBPolicyStatusAncestorsPatch { + ancestorRef: outputs.gateway.v1alpha2.BackendLBPolicyStatusAncestorsAncestorRefPatch; + /** + * Conditions describes the status of the Policy with respect to the given Ancestor. + */ + conditions: outputs.gateway.v1alpha2.BackendLBPolicyStatusAncestorsConditionsPatch[]; + /** + * ControllerName is a domain/path string that indicates the name of the + * controller that wrote this status. This corresponds with the + * controllerName field on GatewayClass. + * + * + * Example: "example.net/gateway-controller". 
+ * + * + * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + * valid Kubernetes names + * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + * + * + * Controllers MUST populate this field when writing status. Controllers should ensure that + * entries to status populated with their ControllerName are cleaned up when they are no + * longer necessary. + */ + controllerName: string; + } + /** + * Status defines the current state of BackendLBPolicy. + */ + interface BackendLBPolicyStatusPatch { + /** + * Ancestors is a list of ancestor resources (usually Gateways) that are + * associated with the policy, and the status of the policy with respect to + * each ancestor. When this policy attaches to a parent, the controller that + * manages the parent and the ancestors MUST add an entry to this list when + * the controller first sees the policy and SHOULD update the entry as + * appropriate when the relevant ancestor is modified. + * + * + * Note that choosing the relevant ancestor is left to the Policy designers; + * an important part of Policy design is designing the right object level at + * which to namespace this status. + * + * + * Note also that implementations MUST ONLY populate ancestor status for + * the Ancestor resources they are responsible for. Implementations MUST + * use the ControllerName field to uniquely identify the entries in this list + * that they are responsible for. + * + * + * Note that to achieve this, the list of PolicyAncestorStatus structs + * MUST be treated as a map with a composite key, made up of the AncestorRef + * and ControllerName fields combined. + * + * + * A maximum of 16 ancestors will be represented in this list. An empty list + * means the Policy is not relevant for any ancestors. + * + * + * If this slice is full, implementations MUST NOT add further entries. 
+ * Instead they MUST consider the policy unimplementable and signal that + * on any related resources such as the ancestor that would be referenced + * here. For example, if this list was full on BackendTLSPolicy, no + * additional Gateways would be able to reference the Service targeted by + * the BackendTLSPolicy. + */ + ancestors: outputs.gateway.v1alpha2.BackendLBPolicyStatusAncestorsPatch[]; + } + /** + * GRPCRoute provides a way to route gRPC requests. This includes the capability + * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. + * Filters can be used to specify additional processing steps. Backends specify + * where matching requests will be routed. + * + * + * GRPCRoute falls under extended support within the Gateway API. Within the + * following specification, the word "MUST" indicates that an implementation + * supporting GRPCRoute must conform to the indicated requirement, but an + * implementation not supporting this route type need not follow the requirement + * unless explicitly indicated. + * + * + * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST + * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via + * ALPN. If the implementation does not support this, then it MUST set the + * "Accepted" condition to "False" for the affected listener with a reason of + * "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections + * with an upgrade from HTTP/1. + * + * + * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST + * support HTTP/2 over cleartext TCP (h2c, + * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial + * upgrade from HTTP/1.1, i.e. with prior knowledge + * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation + * does not support this, then it MUST set the "Accepted" condition to "False" + * for the affected listener with a reason of "UnsupportedProtocol". 
+ * Implementations MAY also accept HTTP/2 connections with an upgrade from + * HTTP/1, i.e. without prior knowledge. + */ + interface GRPCRoute { + /** + * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + */ + apiVersion: "gateway.networking.k8s.io/v1alpha2"; + /** + * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + */ + kind: "GRPCRoute"; + /** + * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + */ + metadata: outputs.meta.v1.ObjectMeta; + spec: outputs.gateway.v1alpha2.GRPCRouteSpec; + status: outputs.gateway.v1alpha2.GRPCRouteStatus; + } + /** + * Spec defines the desired state of GRPCRoute. + */ + interface GRPCRouteSpec { + /** + * Hostnames defines a set of hostnames to match against the GRPC + * Host header to select a GRPCRoute to process the request. This matches + * the RFC 1123 definition of a hostname with 2 notable exceptions: + * + * + * 1. IPs are not allowed. + * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + * label MUST appear by itself as the first label. + * + * + * If a hostname is specified by both the Listener and GRPCRoute, there + * MUST be at least one intersecting hostname for the GRPCRoute to be + * attached to the Listener. For example: + * + * + * * A Listener with `test.example.com` as the hostname matches GRPCRoutes + * that have either not specified any hostnames, or have specified at + * least one of `test.example.com` or `*.example.com`. 
+ * * A Listener with `*.example.com` as the hostname matches GRPCRoutes + * that have either not specified any hostnames or have specified at least + * one hostname that matches the Listener hostname. For example, + * `test.example.com` and `*.example.com` would both match. On the other + * hand, `example.com` and `test.example.net` would not match. + * + * + * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + * as a suffix match. That means that a match for `*.example.com` would match + * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + * + * + * If both the Listener and GRPCRoute have specified hostnames, any + * GRPCRoute hostnames that do not match the Listener hostname MUST be + * ignored. For example, if a Listener specified `*.example.com`, and the + * GRPCRoute specified `test.example.com` and `test.example.net`, + * `test.example.net` MUST NOT be considered for a match. + * + * + * If both the Listener and GRPCRoute have specified hostnames, and none + * match with the criteria above, then the GRPCRoute MUST NOT be accepted by + * the implementation. The implementation MUST raise an 'Accepted' Condition + * with a status of `False` in the corresponding RouteParentStatus. + * + * + * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + * Listener and that listener already has another Route (B) of the other + * type attached and the intersection of the hostnames of A and B is + * non-empty, then the implementation MUST accept exactly one of these two + * routes, determined by the following criteria, in order: + * + * + * * The oldest Route based on creation timestamp. + * * The Route appearing first in alphabetical order by + * "{namespace}/{name}". + * + * + * The rejected Route MUST raise an 'Accepted' condition with a status of + * 'False' in the corresponding RouteParentStatus. 
+ * + * + * Support: Core + */ + hostnames: string[]; + /** + * ParentRefs references the resources (usually Gateways) that a Route wants + * to be attached to. Note that the referenced parent resource needs to + * allow this for the attachment to be complete. For Gateways, that means + * the Gateway needs to allow attachment from Routes of this kind and + * namespace. For Services, that means the Service must either be in the same + * namespace for a "producer" route, or the mesh implementation must support + * and allow "consumer" routes for the referenced Service. ReferenceGrant is + * not applicable for governing ParentRefs to Services - it is not possible to + * create a "producer" route for a Service in a different namespace from the + * Route. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * This API may be extended in the future to support additional kinds of parent + * resources. + * + * + * ParentRefs must be _distinct_. This means either that: + * + * + * * They select different objects. If this is the case, then parentRef + * entries are distinct. In terms of fields, this means that the + * multi-part key defined by `group`, `kind`, `namespace`, and `name` must + * be unique across all parentRef entries in the Route. + * * They do not select different objects, but for each optional field used, + * each ParentRef that selects the same object must set the same set of + * optional fields to different values. If one ParentRef sets a + * combination of optional fields, all must set the same combination. + * + * + * Some examples: + * + * + * * If one ParentRef sets `sectionName`, all ParentRefs referencing the + * same object must also set `sectionName`. + * * If one ParentRef sets `port`, all ParentRefs referencing the same + * object must also set `port`. 
+ * * If one ParentRef sets `sectionName` and `port`, all ParentRefs + * referencing the same object must also set `sectionName` and `port`. + * + * + * It is possible to separately reference multiple distinct objects that may + * be collapsed by an implementation. For example, some implementations may + * choose to merge compatible Gateway Listeners together. If that is the + * case, the list of routes attached to those resources should also be + * merged. + * + * + * Note that for ParentRefs that cross namespace boundaries, there are specific + * rules. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example, + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable other kinds of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + */ + parentRefs: outputs.gateway.v1alpha2.GRPCRouteSpecParentRefs[]; + /** + * Rules are a list of GRPC matchers, filters and actions. + */ + rules: outputs.gateway.v1alpha2.GRPCRouteSpecRules[]; + } + /** + * ParentReference identifies an API object (usually a Gateway) that can be considered + * a parent of this resource (usually a route). 
There are two kinds of parent resources + * with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * This API may be extended in the future to support additional kinds of parent + * resources. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + */ + interface GRPCRouteSpecParentRefs { + /** + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. + * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core + */ + group: string; + /** + * Kind is kind of the referent. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. + */ + kind: string; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name: string; + /** + * Namespace is the namespace of the referent. When unspecified, this refers + * to the local namespace of the Route. + * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. 
+ * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + * + * + * + * Support: Core + */ + namespace: string; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. + * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. + * + * + * + * Implementations MAY choose to support other parent resources. + * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. + * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. 
+ * + * + * Support: Extended + */ + port: number; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. + * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. + * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. + * + * + * Support: Core + */ + sectionName: string; + } + /** + * ParentReference identifies an API object (usually a Gateway) that can be considered + * a parent of this resource (usually a route). There are two kinds of parent resources + * with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * This API may be extended in the future to support additional kinds of parent + * resources. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. 
+ */ + interface GRPCRouteSpecParentRefsPatch { + /** + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. + * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core + */ + group: string; + /** + * Kind is kind of the referent. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. + */ + kind: string; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name: string; + /** + * Namespace is the namespace of the referent. When unspecified, this refers + * to the local namespace of the Route. + * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + * + * + * + * Support: Core + */ + namespace: string; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. 
+ * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. + * + * + * + * Implementations MAY choose to support other parent resources. + * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. + * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. + * + * + * Support: Extended + */ + port: number; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. 
When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. + * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. + * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. + * + * + * Support: Core + */ + sectionName: string; + } + /** + * Spec defines the desired state of GRPCRoute. + */ + interface GRPCRouteSpecPatch { + /** + * Hostnames defines a set of hostnames to match against the GRPC + * Host header to select a GRPCRoute to process the request. This matches + * the RFC 1123 definition of a hostname with 2 notable exceptions: + * + * + * 1. IPs are not allowed. + * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + * label MUST appear by itself as the first label. + * + * + * If a hostname is specified by both the Listener and GRPCRoute, there + * MUST be at least one intersecting hostname for the GRPCRoute to be + * attached to the Listener. For example: + * + * + * * A Listener with `test.example.com` as the hostname matches GRPCRoutes + * that have either not specified any hostnames, or have specified at + * least one of `test.example.com` or `*.example.com`. 
+ * * A Listener with `*.example.com` as the hostname matches GRPCRoutes + * that have either not specified any hostnames or have specified at least + * one hostname that matches the Listener hostname. For example, + * `test.example.com` and `*.example.com` would both match. On the other + * hand, `example.com` and `test.example.net` would not match. + * + * + * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + * as a suffix match. That means that a match for `*.example.com` would match + * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + * + * + * If both the Listener and GRPCRoute have specified hostnames, any + * GRPCRoute hostnames that do not match the Listener hostname MUST be + * ignored. For example, if a Listener specified `*.example.com`, and the + * GRPCRoute specified `test.example.com` and `test.example.net`, + * `test.example.net` MUST NOT be considered for a match. + * + * + * If both the Listener and GRPCRoute have specified hostnames, and none + * match with the criteria above, then the GRPCRoute MUST NOT be accepted by + * the implementation. The implementation MUST raise an 'Accepted' Condition + * with a status of `False` in the corresponding RouteParentStatus. + * + * + * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + * Listener and that listener already has another Route (B) of the other + * type attached and the intersection of the hostnames of A and B is + * non-empty, then the implementation MUST accept exactly one of these two + * routes, determined by the following criteria, in order: + * + * + * * The oldest Route based on creation timestamp. + * * The Route appearing first in alphabetical order by + * "{namespace}/{name}". + * + * + * The rejected Route MUST raise an 'Accepted' condition with a status of + * 'False' in the corresponding RouteParentStatus. 
+ * + * + * Support: Core + */ + hostnames: string[]; + /** + * ParentRefs references the resources (usually Gateways) that a Route wants + * to be attached to. Note that the referenced parent resource needs to + * allow this for the attachment to be complete. For Gateways, that means + * the Gateway needs to allow attachment from Routes of this kind and + * namespace. For Services, that means the Service must either be in the same + * namespace for a "producer" route, or the mesh implementation must support + * and allow "consumer" routes for the referenced Service. ReferenceGrant is + * not applicable for governing ParentRefs to Services - it is not possible to + * create a "producer" route for a Service in a different namespace from the + * Route. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * This API may be extended in the future to support additional kinds of parent + * resources. + * + * + * ParentRefs must be _distinct_. This means either that: + * + * + * * They select different objects. If this is the case, then parentRef + * entries are distinct. In terms of fields, this means that the + * multi-part key defined by `group`, `kind`, `namespace`, and `name` must + * be unique across all parentRef entries in the Route. + * * They do not select different objects, but for each optional field used, + * each ParentRef that selects the same object must set the same set of + * optional fields to different values. If one ParentRef sets a + * combination of optional fields, all must set the same combination. + * + * + * Some examples: + * + * + * * If one ParentRef sets `sectionName`, all ParentRefs referencing the + * same object must also set `sectionName`. + * * If one ParentRef sets `port`, all ParentRefs referencing the same + * object must also set `port`. 
+ * * If one ParentRef sets `sectionName` and `port`, all ParentRefs + * referencing the same object must also set `sectionName` and `port`. + * + * + * It is possible to separately reference multiple distinct objects that may + * be collapsed by an implementation. For example, some implementations may + * choose to merge compatible Gateway Listeners together. If that is the + * case, the list of routes attached to those resources should also be + * merged. + * + * + * Note that for ParentRefs that cross namespace boundaries, there are specific + * rules. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example, + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable other kinds of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + */ + parentRefs: outputs.gateway.v1alpha2.GRPCRouteSpecParentRefsPatch[]; + /** + * Rules are a list of GRPC matchers, filters and actions. + */ + rules: outputs.gateway.v1alpha2.GRPCRouteSpecRulesPatch[]; + } + /** + * GRPCRouteRule defines the semantics for matching a gRPC request based on + * conditions (matches), processing it (filters), and forwarding the request to + * an API object (backendRefs). + */ + interface GRPCRouteSpecRules { + /** + * BackendRefs defines the backend(s) where matching requests should be + * sent. 
+ * + * + * Failure behavior here depends on how many BackendRefs are specified and + * how many are invalid. + * + * + * If *all* entries in BackendRefs are invalid, and there are also no filters + * specified in this route rule, *all* traffic which matches this rule MUST + * receive an `UNAVAILABLE` status. + * + * + * See the GRPCBackendRef definition for the rules about what makes a single + * GRPCBackendRef invalid. + * + * + * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for + * requests that would have otherwise been routed to an invalid backend. If + * multiple backends are specified, and some are invalid, the proportion of + * requests that would otherwise have been routed to an invalid backend + * MUST receive an `UNAVAILABLE` status. + * + * + * For example, if two backends are specified with equal weights, and one is + * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. + * Implementations may choose how that 50 percent is determined. + * + * + * Support: Core for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + * + * + * Support for weight: Core + */ + backendRefs: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefs[]; + /** + * Filters define the filters that are applied to requests that match + * this rule. + * + * + * The effects of ordering of multiple behaviors are currently unspecified. + * This can change in the future based on feedback during the alpha stage. + * + * + * Conformance-levels at this level are defined based on the type of filter: + * + * + * - ALL core filters MUST be supported by all implementations that support + * GRPCRoute. + * - Implementers are encouraged to support extended filters. + * - Implementation-specific custom filters have no API guarantees across + * implementations. + * + * + * Specifying the same filter multiple times is not supported unless explicitly + * indicated in the filter. 
+ * + * + * If an implementation can not support a combination of filters, it must clearly + * document that limitation. In cases where incompatible or unsupported + * filters are specified and cause the `Accepted` condition to be set to status + * `False`, implementations may use the `IncompatibleFilters` reason to specify + * this configuration error. + * + * + * Support: Core + */ + filters: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFilters[]; + /** + * Matches define conditions used for matching the rule against incoming + * gRPC requests. Each match is independent, i.e. this rule will be matched + * if **any** one of the matches is satisfied. + * + * + * For example, take the following matches configuration: + * + * + * ``` + * matches: + * - method: + * service: foo.bar + * headers: + * values: + * version: 2 + * - method: + * service: foo.bar.v2 + * ``` + * + * + * For a request to match against this rule, it MUST satisfy + * EITHER of the two conditions: + * + * + * - service of foo.bar AND contains the header `version: 2` + * - service of foo.bar.v2 + * + * + * See the documentation for GRPCRouteMatch on how to specify multiple + * match conditions to be ANDed together. + * + * + * If no matches are specified, the implementation MUST match every gRPC request. + * + * + * Proxy or Load Balancer routing configuration generated from GRPCRoutes + * MUST prioritize rules based on the following criteria, continuing on + * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + * Precedence MUST be given to the rule with the largest number of: + * + * + * * Characters in a matching non-wildcard hostname. + * * Characters in a matching hostname. + * * Characters in a matching service. + * * Characters in a matching method. + * * Header matches. 
+ * + * + * If ties still exist across multiple Routes, matching precedence MUST be + * determined in order of the following criteria, continuing on ties: + * + * + * * The oldest Route based on creation timestamp. + * * The Route appearing first in alphabetical order by + * "{namespace}/{name}". + * + * + * If ties still exist within the Route that has been given precedence, + * matching precedence MUST be granted to the first matching rule meeting + * the above criteria. + */ + matches: outputs.gateway.v1alpha2.GRPCRouteSpecRulesMatches[]; + sessionPersistence: outputs.gateway.v1alpha2.GRPCRouteSpecRulesSessionPersistence; + } + /** + * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + * + * + * Note that when a namespace different than the local namespace is specified, a + * ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * + * + * + * When the BackendRef points to a Kubernetes Service, implementations SHOULD + * honor the appProtocol field if it is set for the target Service Port. + * + * + * Implementations supporting appProtocol SHOULD recognize the Kubernetes + * Standard Application Protocols defined in KEP-3726. + * + * + * If a Service appProtocol isn't specified, an implementation MAY infer the + * backend protocol through its own means. Implementations MAY infer the + * protocol from the Route type referring to the backend Service. + * + * + * If a Route is not able to send traffic to the backend using the specified + * protocol then the backend is considered invalid. Implementations MUST set the + * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * + */ + interface GRPCRouteSpecRulesBackendRefs { + /** + * Filters defined at this level MUST be executed if and only if the + * request is being forwarded to the backend defined here. 
+ * + * + * Support: Implementation-specific (For broader support of filters, use the + * Filters field in GRPCRouteRule.) + */ + filters: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFilters[]; + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port: number; + /** + * Weight specifies the proportion of requests forwarded to the referenced + * backend. 
This is computed as weight/(sum of all weights in this + * BackendRefs list). For non-zero values, there may be some epsilon from + * the exact proportion defined here depending on the precision an + * implementation supports. Weight is not a percentage and the sum of + * weights does not need to equal 100. + * + * + * If only one backend is specified and it has a weight greater than 0, 100% + * of the traffic is forwarded to that backend. If weight is set to 0, no + * traffic should be forwarded for this entry. If unspecified, weight + * defaults to 1. + * + * + * Support for this field varies based on the context where used. + */ + weight: number; + } + /** + * GRPCRouteFilter defines processing steps that must be completed during the + * request or response lifecycle. GRPCRouteFilters are meant as an extension + * point to express processing that may be done in Gateway implementations. Some + * examples include request or response modification, implementing + * authentication strategies, rate-limiting, and traffic shaping. API + * guarantee/conformance is defined based on the type of the filter. + */ + interface GRPCRouteSpecRulesBackendRefsFilters { + extensionRef: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersExtensionRef; + requestHeaderModifier: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier; + requestMirror: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestMirror; + responseHeaderModifier: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier; + /** + * Type identifies the type of filter to apply. As with other API fields, + * types are classified into three conformance levels: + * + * + * - Core: Filter types and their corresponding configuration defined by + * "Support: Core" in this package, e.g. "RequestHeaderModifier". All + * implementations supporting GRPCRoute MUST support core filters. 
+ * + * + * - Extended: Filter types and their corresponding configuration defined by + * "Support: Extended" in this package, e.g. "RequestMirror". Implementers + * are encouraged to support extended filters. + * + * + * - Implementation-specific: Filters that are defined and supported by specific vendors. + * In the future, filters showing convergence in behavior across multiple + * implementations will be considered for inclusion in extended or core + * conformance levels. Filter-specific configuration for such filters + * is specified using the ExtensionRef field. `Type` MUST be set to + * "ExtensionRef" for custom filters. + * + * + * Implementers are encouraged to define custom implementation types to + * extend the core API with implementation-specific behavior. + * + * + * If a reference to a custom filter type cannot be resolved, the filter + * MUST NOT be skipped. Instead, requests that would have been processed by + * that filter MUST receive a HTTP error response. + */ + type: string; + } + /** + * ExtensionRef is an optional, implementation-specific extension to the + * "filter" behavior. For example, resource "myroutefilter" in group + * "networking.example.net"). ExtensionRef MUST NOT be used for core and + * extended filters. + * + * + * Support: Implementation-specific + * + * + * This filter can be used multiple times within the same rule. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRef { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is kind of the referent. For example "HTTPRoute" or "Service". + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + } + /** + * ExtensionRef is an optional, implementation-specific extension to the + * "filter" behavior. For example, resource "myroutefilter" in group + * "networking.example.net"). 
ExtensionRef MUST NOT be used for core and + * extended filters. + * + * + * Support: Implementation-specific + * + * + * This filter can be used multiple times within the same rule. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is kind of the referent. For example "HTTPRoute" or "Service". + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + } + /** + * GRPCRouteFilter defines processing steps that must be completed during the + * request or response lifecycle. GRPCRouteFilters are meant as an extension + * point to express processing that may be done in Gateway implementations. Some + * examples include request or response modification, implementing + * authentication strategies, rate-limiting, and traffic shaping. API + * guarantee/conformance is defined based on the type of the filter. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersPatch { + extensionRef: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch; + requestHeaderModifier: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch; + requestMirror: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch; + responseHeaderModifier: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch; + /** + * Type identifies the type of filter to apply. As with other API fields, + * types are classified into three conformance levels: + * + * + * - Core: Filter types and their corresponding configuration defined by + * "Support: Core" in this package, e.g. "RequestHeaderModifier". All + * implementations supporting GRPCRoute MUST support core filters. 
+ * + * + * - Extended: Filter types and their corresponding configuration defined by + * "Support: Extended" in this package, e.g. "RequestMirror". Implementers + * are encouraged to support extended filters. + * + * + * - Implementation-specific: Filters that are defined and supported by specific vendors. + * In the future, filters showing convergence in behavior across multiple + * implementations will be considered for inclusion in extended or core + * conformance levels. Filter-specific configuration for such filters + * is specified using the ExtensionRef field. `Type` MUST be set to + * "ExtensionRef" for custom filters. + * + * + * Implementers are encouraged to define custom implementation types to + * extend the core API with implementation-specific behavior. + * + * + * If a reference to a custom filter type cannot be resolved, the filter + * MUST NOT be skipped. Instead, requests that would have been processed by + * that filter MUST receive a HTTP error response. + */ + type: string; + } + /** + * RequestHeaderModifier defines a schema for a filter that modifies request + * headers. + * + * + * Support: Core + */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd[]; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove: string[]; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet[]; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. 
Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + /** + * RequestHeaderModifier defines a schema for a filter that modifies request + * headers. + * + * + * Support: Core + */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch[]; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove: string[]; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch[]; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. 
+ */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + /** + * RequestMirror defines a schema for a filter that mirrors requests. + * Requests are sent to the specified destination, but responses from + * that destination are ignored. + * + * + * This filter can be used multiple times within the same rule. Note that + * not all implementations will be able to support mirroring to multiple + * backends. 
+ * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirror { + backendRef: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef; + } + /** + * BackendRef references a resource where mirrored requests are sent. + * + * + * Mirrored requests must be sent only to a single destination endpoint + * within this BackendRef, irrespective of how many endpoints are present + * within this BackendRef. + * + * + * If the referent cannot be found, this BackendRef is invalid and must be + * dropped from the Gateway. The controller must ensure the "ResolvedRefs" + * condition on the Route status is set to `status: False` and not configure + * this backend in the underlying implementation. + * + * + * If there is a cross-namespace reference to an *existing* object + * that is not allowed by a ReferenceGrant, the controller must ensure the + * "ResolvedRefs" condition on the Route is set to `status: False`, + * with the "RefNotPermitted" reason and not configure this backend in the + * underlying implementation. + * + * + * In either error case, the Message of the `ResolvedRefs` Condition + * should be used to provide more detail about the problem. + * + * + * Support: Extended for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. 
They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port: number; + } + /** + * BackendRef references a resource where mirrored requests are sent. + * + * + * Mirrored requests must be sent only to a single destination endpoint + * within this BackendRef, irrespective of how many endpoints are present + * within this BackendRef. + * + * + * If the referent cannot be found, this BackendRef is invalid and must be + * dropped from the Gateway. The controller must ensure the "ResolvedRefs" + * condition on the Route status is set to `status: False` and not configure + * this backend in the underlying implementation. 
+ * + * + * If there is a cross-namespace reference to an *existing* object + * that is not allowed by a ReferenceGrant, the controller must ensure the + * "ResolvedRefs" condition on the Route is set to `status: False`, + * with the "RefNotPermitted" reason and not configure this backend in the + * underlying implementation. + * + * + * In either error case, the Message of the `ResolvedRefs` Condition + * should be used to provide more detail about the problem. + * + * + * Support: Extended for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. 
+ * + * + * Support: Core + */ + namespace: string; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port: number; + } + /** + * RequestMirror defines a schema for a filter that mirrors requests. + * Requests are sent to the specified destination, but responses from + * that destination are ignored. + * + * + * This filter can be used multiple times within the same rule. Note that + * not all implementations will be able to support mirroring to multiple + * backends. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch { + backendRef: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch; + } + /** + * ResponseHeaderModifier defines a schema for a filter that modifies response + * headers. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd[]; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove: string[]; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet[]; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. 
Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + /** + * ResponseHeaderModifier defines a schema for a filter that modifies response + * headers. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch[]; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove: string[]; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch[]; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. 
+ */ + interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + /** + * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + * + * + * Note that when a namespace different than the local namespace is specified, a + * ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * + * + * + * When the BackendRef points to a Kubernetes Service, implementations SHOULD + * honor the appProtocol field if it is set for the target Service Port. 
+ * + * + * Implementations supporting appProtocol SHOULD recognize the Kubernetes + * Standard Application Protocols defined in KEP-3726. + * + * + * If a Service appProtocol isn't specified, an implementation MAY infer the + * backend protocol through its own means. Implementations MAY infer the + * protocol from the Route type referring to the backend Service. + * + * + * If a Route is not able to send traffic to the backend using the specified + * protocol then the backend is considered invalid. Implementations MUST set the + * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * + */ + interface GRPCRouteSpecRulesBackendRefsPatch { + /** + * Filters defined at this level MUST be executed if and only if the + * request is being forwarded to the backend defined here. + * + * + * Support: Implementation-specific (For broader support of filters, use the + * Filters field in GRPCRouteRule.) + */ + filters: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersPatch[]; + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the backend. 
When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port: number; + /** + * Weight specifies the proportion of requests forwarded to the referenced + * backend. This is computed as weight/(sum of all weights in this + * BackendRefs list). For non-zero values, there may be some epsilon from + * the exact proportion defined here depending on the precision an + * implementation supports. Weight is not a percentage and the sum of + * weights does not need to equal 100. + * + * + * If only one backend is specified and it has a weight greater than 0, 100% + * of the traffic is forwarded to that backend. If weight is set to 0, no + * traffic should be forwarded for this entry. If unspecified, weight + * defaults to 1. + * + * + * Support for this field varies based on the context where used. + */ + weight: number; + } + /** + * GRPCRouteFilter defines processing steps that must be completed during the + * request or response lifecycle. GRPCRouteFilters are meant as an extension + * point to express processing that may be done in Gateway implementations. Some + * examples include request or response modification, implementing + * authentication strategies, rate-limiting, and traffic shaping. API + * guarantee/conformance is defined based on the type of the filter. 
+ */ + interface GRPCRouteSpecRulesFilters { + extensionRef: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersExtensionRef; + requestHeaderModifier: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestHeaderModifier; + requestMirror: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestMirror; + responseHeaderModifier: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersResponseHeaderModifier; + /** + * Type identifies the type of filter to apply. As with other API fields, + * types are classified into three conformance levels: + * + * + * - Core: Filter types and their corresponding configuration defined by + * "Support: Core" in this package, e.g. "RequestHeaderModifier". All + * implementations supporting GRPCRoute MUST support core filters. + * + * + * - Extended: Filter types and their corresponding configuration defined by + * "Support: Extended" in this package, e.g. "RequestMirror". Implementers + * are encouraged to support extended filters. + * + * + * - Implementation-specific: Filters that are defined and supported by specific vendors. + * In the future, filters showing convergence in behavior across multiple + * implementations will be considered for inclusion in extended or core + * conformance levels. Filter-specific configuration for such filters + * is specified using the ExtensionRef field. `Type` MUST be set to + * "ExtensionRef" for custom filters. + * + * + * Implementers are encouraged to define custom implementation types to + * extend the core API with implementation-specific behavior. + * + * + * If a reference to a custom filter type cannot be resolved, the filter + * MUST NOT be skipped. Instead, requests that would have been processed by + * that filter MUST receive a HTTP error response. + */ + type: string; + } + /** + * ExtensionRef is an optional, implementation-specific extension to the + * "filter" behavior. For example, resource "myroutefilter" in group + * "networking.example.net"). 
ExtensionRef MUST NOT be used for core and + * extended filters. + * + * + * Support: Implementation-specific + * + * + * This filter can be used multiple times within the same rule. + */ + interface GRPCRouteSpecRulesFiltersExtensionRef { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is kind of the referent. For example "HTTPRoute" or "Service". + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + } + /** + * ExtensionRef is an optional, implementation-specific extension to the + * "filter" behavior. For example, resource "myroutefilter" in group + * "networking.example.net"). ExtensionRef MUST NOT be used for core and + * extended filters. + * + * + * Support: Implementation-specific + * + * + * This filter can be used multiple times within the same rule. + */ + interface GRPCRouteSpecRulesFiltersExtensionRefPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is kind of the referent. For example "HTTPRoute" or "Service". + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + } + /** + * GRPCRouteFilter defines processing steps that must be completed during the + * request or response lifecycle. GRPCRouteFilters are meant as an extension + * point to express processing that may be done in Gateway implementations. Some + * examples include request or response modification, implementing + * authentication strategies, rate-limiting, and traffic shaping. API + * guarantee/conformance is defined based on the type of the filter. 
+ */ + interface GRPCRouteSpecRulesFiltersPatch { + extensionRef: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersExtensionRefPatch; + requestHeaderModifier: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch; + requestMirror: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestMirrorPatch; + responseHeaderModifier: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch; + /** + * Type identifies the type of filter to apply. As with other API fields, + * types are classified into three conformance levels: + * + * + * - Core: Filter types and their corresponding configuration defined by + * "Support: Core" in this package, e.g. "RequestHeaderModifier". All + * implementations supporting GRPCRoute MUST support core filters. + * + * + * - Extended: Filter types and their corresponding configuration defined by + * "Support: Extended" in this package, e.g. "RequestMirror". Implementers + * are encouraged to support extended filters. + * + * + * - Implementation-specific: Filters that are defined and supported by specific vendors. + * In the future, filters showing convergence in behavior across multiple + * implementations will be considered for inclusion in extended or core + * conformance levels. Filter-specific configuration for such filters + * is specified using the ExtensionRef field. `Type` MUST be set to + * "ExtensionRef" for custom filters. + * + * + * Implementers are encouraged to define custom implementation types to + * extend the core API with implementation-specific behavior. + * + * + * If a reference to a custom filter type cannot be resolved, the filter + * MUST NOT be skipped. Instead, requests that would have been processed by + * that filter MUST receive a HTTP error response. + */ + type: string; + } + /** + * RequestHeaderModifier defines a schema for a filter that modifies request + * headers. 
+ * + * + * Support: Core + */ + interface GRPCRouteSpecRulesFiltersRequestHeaderModifier { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd[]; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove: string[]; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestHeaderModifierSet[]; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. 
Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + /** + * RequestHeaderModifier defines a schema for a filter that modifies request + * headers. + * + * + * Support: Core + */ + interface GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch[]; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove: string[]; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch[]; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSet { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. 
+ */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + /** + * RequestMirror defines a schema for a filter that mirrors requests. + * Requests are sent to the specified destination, but responses from + * that destination are ignored. + * + * + * This filter can be used multiple times within the same rule. Note that + * not all implementations will be able to support mirroring to multiple + * backends. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesFiltersRequestMirror { + backendRef: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestMirrorBackendRef; + } + /** + * BackendRef references a resource where mirrored requests are sent. + * + * + * Mirrored requests must be sent only to a single destination endpoint + * within this BackendRef, irrespective of how many endpoints are present + * within this BackendRef. + * + * + * If the referent cannot be found, this BackendRef is invalid and must be + * dropped from the Gateway. The controller must ensure the "ResolvedRefs" + * condition on the Route status is set to `status: False` and not configure + * this backend in the underlying implementation. + * + * + * If there is a cross-namespace reference to an *existing* object + * that is not allowed by a ReferenceGrant, the controller must ensure the + * "ResolvedRefs" condition on the Route is set to `status: False`, + * with the "RefNotPermitted" reason and not configure this backend in the + * underlying implementation. + * + * + * In either error case, the Message of the `ResolvedRefs` Condition + * should be used to provide more detail about the problem. + * + * + * Support: Extended for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + */ + interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRef { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. 
+ */ + group: string; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port: number; + } + /** + * BackendRef references a resource where mirrored requests are sent. + * + * + * Mirrored requests must be sent only to a single destination endpoint + * within this BackendRef, irrespective of how many endpoints are present + * within this BackendRef. + * + * + * If the referent cannot be found, this BackendRef is invalid and must be + * dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" + * condition on the Route status is set to `status: False` and not configure + * this backend in the underlying implementation. + * + * + * If there is a cross-namespace reference to an *existing* object + * that is not allowed by a ReferenceGrant, the controller must ensure the + * "ResolvedRefs" condition on the Route is set to `status: False`, + * with the "RefNotPermitted" reason and not configure this backend in the + * underlying implementation. + * + * + * In either error case, the Message of the `ResolvedRefs` Condition + * should be used to provide more detail about the problem. + * + * + * Support: Extended for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + */ + interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. 
+ * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port: number; + } + /** + * RequestMirror defines a schema for a filter that mirrors requests. + * Requests are sent to the specified destination, but responses from + * that destination are ignored. + * + * + * This filter can be used multiple times within the same rule. Note that + * not all implementations will be able to support mirroring to multiple + * backends. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesFiltersRequestMirrorPatch { + backendRef: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch; + } + /** + * ResponseHeaderModifier defines a schema for a filter that modifies response + * headers. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesFiltersResponseHeaderModifier { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd[]; + /** + * Remove the given header(s) from the HTTP request before the action. 
The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove: string[]; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersResponseHeaderModifierSet[]; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 
+ * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + /** + * ResponseHeaderModifier defines a schema for a filter that modifies response + * headers. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch[]; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove: string[]; + /** + * Set overwrites the request with the given header (name, value) + * before the action. 
+ * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch[]; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSet { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + /** + * GRPCRouteMatch defines the predicate used to match requests to a given + * action. Multiple match types are ANDed together, i.e. the match will + * evaluate to true only if all conditions are satisfied. 
+ * + * + * For example, the match below will match a gRPC request only if its service + * is `foo` AND it contains the `version: v1` header: + * + * + * ``` + * matches: + * - method: + * type: Exact + * service: "foo" + * headers: + * - name: "version" + * value "v1" + * + * + * ``` + */ + interface GRPCRouteSpecRulesMatches { + /** + * Headers specifies gRPC request header matchers. Multiple match values are + * ANDed together, meaning, a request MUST match all the specified headers + * to select the route. + */ + headers: outputs.gateway.v1alpha2.GRPCRouteSpecRulesMatchesHeaders[]; + method: outputs.gateway.v1alpha2.GRPCRouteSpecRulesMatchesMethod; + } + /** + * GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request + * headers. + */ + interface GRPCRouteSpecRulesMatchesHeaders { + /** + * Name is the name of the gRPC Header to be matched. + * + * + * If multiple entries specify equivalent header names, only the first + * entry with an equivalent name MUST be considered for a match. Subsequent + * entries with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Type specifies how to match against the value of the header. + */ + type: string; + /** + * Value is the value of the gRPC Header to be matched. + */ + value: string; + } + /** + * GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request + * headers. + */ + interface GRPCRouteSpecRulesMatchesHeadersPatch { + /** + * Name is the name of the gRPC Header to be matched. + * + * + * If multiple entries specify equivalent header names, only the first + * entry with an equivalent name MUST be considered for a match. Subsequent + * entries with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. 
+ */ + name: string; + /** + * Type specifies how to match against the value of the header. + */ + type: string; + /** + * Value is the value of the gRPC Header to be matched. + */ + value: string; + } + /** + * Method specifies a gRPC request service/method matcher. If this field is + * not specified, all services and methods will match. + */ + interface GRPCRouteSpecRulesMatchesMethod { + /** + * Value of the method to match against. If left empty or omitted, will + * match all services. + * + * + * At least one of Service and Method MUST be a non-empty string. + */ + method: string; + /** + * Value of the service to match against. If left empty or omitted, will + * match any service. + * + * + * At least one of Service and Method MUST be a non-empty string. + */ + service: string; + /** + * Type specifies how to match against the service and/or method. + * Support: Core (Exact with service and method specified) + * + * + * Support: Implementation-specific (Exact with method specified but no service specified) + * + * + * Support: Implementation-specific (RegularExpression) + */ + type: string; + } + /** + * Method specifies a gRPC request service/method matcher. If this field is + * not specified, all services and methods will match. + */ + interface GRPCRouteSpecRulesMatchesMethodPatch { + /** + * Value of the method to match against. If left empty or omitted, will + * match all services. + * + * + * At least one of Service and Method MUST be a non-empty string. + */ + method: string; + /** + * Value of the service to match against. If left empty or omitted, will + * match any service. + * + * + * At least one of Service and Method MUST be a non-empty string. + */ + service: string; + /** + * Type specifies how to match against the service and/or method. 
+ * Support: Core (Exact with service and method specified) + * + * + * Support: Implementation-specific (Exact with method specified but no service specified) + * + * + * Support: Implementation-specific (RegularExpression) + */ + type: string; + } + /** + * GRPCRouteMatch defines the predicate used to match requests to a given + * action. Multiple match types are ANDed together, i.e. the match will + * evaluate to true only if all conditions are satisfied. + * + * + * For example, the match below will match a gRPC request only if its service + * is `foo` AND it contains the `version: v1` header: + * + * + * ``` + * matches: + * - method: + * type: Exact + * service: "foo" + * headers: + * - name: "version" + * value "v1" + * + * + * ``` + */ + interface GRPCRouteSpecRulesMatchesPatch { + /** + * Headers specifies gRPC request header matchers. Multiple match values are + * ANDed together, meaning, a request MUST match all the specified headers + * to select the route. + */ + headers: outputs.gateway.v1alpha2.GRPCRouteSpecRulesMatchesHeadersPatch[]; + method: outputs.gateway.v1alpha2.GRPCRouteSpecRulesMatchesMethodPatch; + } + /** + * GRPCRouteRule defines the semantics for matching a gRPC request based on + * conditions (matches), processing it (filters), and forwarding the request to + * an API object (backendRefs). + */ + interface GRPCRouteSpecRulesPatch { + /** + * BackendRefs defines the backend(s) where matching requests should be + * sent. + * + * + * Failure behavior here depends on how many BackendRefs are specified and + * how many are invalid. + * + * + * If *all* entries in BackendRefs are invalid, and there are also no filters + * specified in this route rule, *all* traffic which matches this rule MUST + * receive an `UNAVAILABLE` status. + * + * + * See the GRPCBackendRef definition for the rules about what makes a single + * GRPCBackendRef invalid. 
+ * + * + * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for + * requests that would have otherwise been routed to an invalid backend. If + * multiple backends are specified, and some are invalid, the proportion of + * requests that would otherwise have been routed to an invalid backend + * MUST receive an `UNAVAILABLE` status. + * + * + * For example, if two backends are specified with equal weights, and one is + * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. + * Implementations may choose how that 50 percent is determined. + * + * + * Support: Core for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + * + * + * Support for weight: Core + */ + backendRefs: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsPatch[]; + /** + * Filters define the filters that are applied to requests that match + * this rule. + * + * + * The effects of ordering of multiple behaviors are currently unspecified. + * This can change in the future based on feedback during the alpha stage. + * + * + * Conformance-levels at this level are defined based on the type of filter: + * + * + * - ALL core filters MUST be supported by all implementations that support + * GRPCRoute. + * - Implementers are encouraged to support extended filters. + * - Implementation-specific custom filters have no API guarantees across + * implementations. + * + * + * Specifying the same filter multiple times is not supported unless explicitly + * indicated in the filter. + * + * + * If an implementation can not support a combination of filters, it must clearly + * document that limitation. In cases where incompatible or unsupported + * filters are specified and cause the `Accepted` condition to be set to status + * `False`, implementations may use the `IncompatibleFilters` reason to specify + * this configuration error. 
+ * + * + * Support: Core + */ + filters: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersPatch[]; + /** + * Matches define conditions used for matching the rule against incoming + * gRPC requests. Each match is independent, i.e. this rule will be matched + * if **any** one of the matches is satisfied. + * + * + * For example, take the following matches configuration: + * + * + * ``` + * matches: + * - method: + * service: foo.bar + * headers: + * values: + * version: 2 + * - method: + * service: foo.bar.v2 + * ``` + * + * + * For a request to match against this rule, it MUST satisfy + * EITHER of the two conditions: + * + * + * - service of foo.bar AND contains the header `version: 2` + * - service of foo.bar.v2 + * + * + * See the documentation for GRPCRouteMatch on how to specify multiple + * match conditions to be ANDed together. + * + * + * If no matches are specified, the implementation MUST match every gRPC request. + * + * + * Proxy or Load Balancer routing configuration generated from GRPCRoutes + * MUST prioritize rules based on the following criteria, continuing on + * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + * Precedence MUST be given to the rule with the largest number of: + * + * + * * Characters in a matching non-wildcard hostname. + * * Characters in a matching hostname. + * * Characters in a matching service. + * * Characters in a matching method. + * * Header matches. + * + * + * If ties still exist across multiple Routes, matching precedence MUST be + * determined in order of the following criteria, continuing on ties: + * + * + * * The oldest Route based on creation timestamp. + * * The Route appearing first in alphabetical order by + * "{namespace}/{name}". + * + * + * If ties still exist within the Route that has been given precedence, + * matching precedence MUST be granted to the first matching rule meeting + * the above criteria. 
+ */ + matches: outputs.gateway.v1alpha2.GRPCRouteSpecRulesMatchesPatch[]; + sessionPersistence: outputs.gateway.v1alpha2.GRPCRouteSpecRulesSessionPersistencePatch; + } + /** + * SessionPersistence defines and configures session persistence + * for the route rule. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesSessionPersistence { + /** + * AbsoluteTimeout defines the absolute timeout of the persistent + * session. Once the AbsoluteTimeout duration has elapsed, the + * session becomes invalid. + * + * + * Support: Extended + */ + absoluteTimeout: string; + cookieConfig: outputs.gateway.v1alpha2.GRPCRouteSpecRulesSessionPersistenceCookieConfig; + /** + * IdleTimeout defines the idle timeout of the persistent session. + * Once the session has been idle for more than the specified + * IdleTimeout duration, the session becomes invalid. + * + * + * Support: Extended + */ + idleTimeout: string; + /** + * SessionName defines the name of the persistent session token + * which may be reflected in the cookie or the header. Users + * should avoid reusing session names to prevent unintended + * consequences, such as rejection or unpredictable behavior. + * + * + * Support: Implementation-specific + */ + sessionName: string; + /** + * Type defines the type of session persistence such as through + * the use a header or cookie. Defaults to cookie based session + * persistence. + * + * + * Support: Core for "Cookie" type + * + * + * Support: Extended for "Header" type + */ + type: string; + } + /** + * CookieConfig provides configuration settings that are specific + * to cookie-based session persistence. + * + * + * Support: Core + */ + interface GRPCRouteSpecRulesSessionPersistenceCookieConfig { + /** + * LifetimeType specifies whether the cookie has a permanent or + * session-based lifetime. 
A permanent cookie persists until its + * specified expiry time, defined by the Expires or Max-Age cookie + * attributes, while a session cookie is deleted when the current + * session ends. + * + * + * When set to "Permanent", AbsoluteTimeout indicates the + * cookie's lifetime via the Expires or Max-Age cookie attributes + * and is required. + * + * + * When set to "Session", AbsoluteTimeout indicates the + * absolute lifetime of the cookie tracked by the gateway and + * is optional. + * + * + * Support: Core for "Session" type + * + * + * Support: Extended for "Permanent" type + */ + lifetimeType: string; + } + /** + * CookieConfig provides configuration settings that are specific + * to cookie-based session persistence. + * + * + * Support: Core + */ + interface GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch { + /** + * LifetimeType specifies whether the cookie has a permanent or + * session-based lifetime. A permanent cookie persists until its + * specified expiry time, defined by the Expires or Max-Age cookie + * attributes, while a session cookie is deleted when the current + * session ends. + * + * + * When set to "Permanent", AbsoluteTimeout indicates the + * cookie's lifetime via the Expires or Max-Age cookie attributes + * and is required. + * + * + * When set to "Session", AbsoluteTimeout indicates the + * absolute lifetime of the cookie tracked by the gateway and + * is optional. + * + * + * Support: Core for "Session" type + * + * + * Support: Extended for "Permanent" type + */ + lifetimeType: string; + } + /** + * SessionPersistence defines and configures session persistence + * for the route rule. + * + * + * Support: Extended + */ + interface GRPCRouteSpecRulesSessionPersistencePatch { + /** + * AbsoluteTimeout defines the absolute timeout of the persistent + * session. Once the AbsoluteTimeout duration has elapsed, the + * session becomes invalid. 
+ * + * + * Support: Extended + */ + absoluteTimeout: string; + cookieConfig: outputs.gateway.v1alpha2.GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch; + /** + * IdleTimeout defines the idle timeout of the persistent session. + * Once the session has been idle for more than the specified + * IdleTimeout duration, the session becomes invalid. + * + * + * Support: Extended + */ + idleTimeout: string; + /** + * SessionName defines the name of the persistent session token + * which may be reflected in the cookie or the header. Users + * should avoid reusing session names to prevent unintended + * consequences, such as rejection or unpredictable behavior. + * + * + * Support: Implementation-specific + */ + sessionName: string; + /** + * Type defines the type of session persistence such as through + * the use a header or cookie. Defaults to cookie based session + * persistence. + * + * + * Support: Core for "Cookie" type + * + * + * Support: Extended for "Header" type + */ + type: string; + } + /** + * Status defines the current state of GRPCRoute. + */ + interface GRPCRouteStatus { + /** + * Parents is a list of parent resources (usually Gateways) that are + * associated with the route, and the status of the route with respect to + * each parent. When this route attaches to a parent, the controller that + * manages the parent must add an entry to this list when the controller + * first sees the route and should update the entry as appropriate when the + * route or gateway is modified. + * + * + * Note that parent references that cannot be resolved by an implementation + * of this API will not be added to this list. Implementations of this API + * can only populate Route status for the Gateways/parent resources they are + * responsible for. + * + * + * A maximum of 32 Gateways will be represented in this list. An empty list + * means the route has not been attached to any Gateway. 
+ */ + parents: outputs.gateway.v1alpha2.GRPCRouteStatusParents[]; + } + /** + * RouteParentStatus describes the status of a route with respect to an + * associated Parent. + */ + interface GRPCRouteStatusParents { + /** + * Conditions describes the status of the route with respect to the Gateway. + * Note that the route's availability is also subject to the Gateway's own + * status conditions and listener status. + * + * + * If the Route's ParentRef specifies an existing Gateway that supports + * Routes of this kind AND that Gateway's controller has sufficient access, + * then that Gateway's controller MUST set the "Accepted" condition on the + * Route, to indicate whether the route has been accepted or rejected by the + * Gateway, and why. + * + * + * A Route MUST be considered "Accepted" if at least one of the Route's + * rules is implemented by the Gateway. + * + * + * There are a number of cases where the "Accepted" condition may not be set + * due to lack of controller visibility, that includes when: + * + * + * * The Route refers to a non-existent parent. + * * The Route is of a type that the controller does not support. + * * The Route is in a namespace the controller does not have access to. + */ + conditions: outputs.gateway.v1alpha2.GRPCRouteStatusParentsConditions[]; + /** + * ControllerName is a domain/path string that indicates the name of the + * controller that wrote this status. This corresponds with the + * controllerName field on GatewayClass. + * + * + * Example: "example.net/gateway-controller". + * + * + * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + * valid Kubernetes names + * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + * + * + * Controllers MUST populate this field when writing status. Controllers should ensure that + * entries to status populated with their ControllerName are cleaned up when they are no + * longer necessary. 
+ */ + controllerName: string; + parentRef: outputs.gateway.v1alpha2.GRPCRouteStatusParentsParentRef; + } + /** + * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } + */ + interface GRPCRouteStatusParentsConditions { + /** + * lastTransitionTime is the last time the condition transitioned from one status to another. + * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + */ + lastTransitionTime: string; + /** + * message is a human readable message indicating details about the transition. + * This may be an empty string. + */ + message: string; + /** + * observedGeneration represents the .metadata.generation that the condition was set based upon. + * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + * with respect to the current state of the instance. + */ + observedGeneration: number; + /** + * reason contains a programmatic identifier indicating the reason for the condition's last transition. + * Producers of specific condition types may define expected values and meanings for this field, + * and whether the values are considered a guaranteed API. + * The value should be a CamelCase string. + * This field may not be empty. 
+ */ + reason: string; + /** + * status of the condition, one of True, False, Unknown. + */ + status: string; + /** + * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + */ + type: string; + } + /** + * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } + */ + interface GRPCRouteStatusParentsConditionsPatch { + /** + * lastTransitionTime is the last time the condition transitioned from one status to another. + * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + */ + lastTransitionTime: string; + /** + * message is a human readable message indicating details about the transition. + * This may be an empty string. + */ + message: string; + /** + * observedGeneration represents the .metadata.generation that the condition was set based upon. + * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + * with respect to the current state of the instance. 
+ */ + observedGeneration: number; + /** + * reason contains a programmatic identifier indicating the reason for the condition's last transition. + * Producers of specific condition types may define expected values and meanings for this field, + * and whether the values are considered a guaranteed API. + * The value should be a CamelCase string. + * This field may not be empty. + */ + reason: string; + /** + * status of the condition, one of True, False, Unknown. + */ + status: string; + /** + * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + */ + type: string; + } + /** + * ParentRef corresponds with a ParentRef in the spec that this + * RouteParentStatus struct describes the status of. + */ + interface GRPCRouteStatusParentsParentRef { + /** + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. + * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core + */ + group: string; + /** + * Kind is kind of the referent. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. + */ + kind: string; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name: string; + /** + * Namespace is the namespace of the referent. When unspecified, this refers + * to the local namespace of the Route. + * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. 
Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + * + * + * + * Support: Core + */ + namespace: string; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. + * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. + * + * + * + * Implementations MAY choose to support other parent resources. + * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. 
+ * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. + * + * + * Support: Extended + */ + port: number; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. + * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. + * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. 
+ * + * + * Support: Core + */ + sectionName: string; + } + /** + * ParentRef corresponds with a ParentRef in the spec that this + * RouteParentStatus struct describes the status of. + */ + interface GRPCRouteStatusParentsParentRefPatch { + /** + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. + * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core + */ + group: string; + /** + * Kind is kind of the referent. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. + */ + kind: string; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name: string; + /** + * Namespace is the namespace of the referent. When unspecified, this refers + * to the local namespace of the Route. + * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. 
+ * + * + * + * Support: Core + */ + namespace: string; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. + * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. + * + * + * + * Implementations MAY choose to support other parent resources. + * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. + * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. + * + * + * Support: Extended + */ + port: number; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. 
When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. + * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. + * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. + * + * + * Support: Core + */ + sectionName: string; + } + /** + * RouteParentStatus describes the status of a route with respect to an + * associated Parent. + */ + interface GRPCRouteStatusParentsPatch { + /** + * Conditions describes the status of the route with respect to the Gateway. + * Note that the route's availability is also subject to the Gateway's own + * status conditions and listener status. + * + * + * If the Route's ParentRef specifies an existing Gateway that supports + * Routes of this kind AND that Gateway's controller has sufficient access, + * then that Gateway's controller MUST set the "Accepted" condition on the + * Route, to indicate whether the route has been accepted or rejected by the + * Gateway, and why. + * + * + * A Route MUST be considered "Accepted" if at least one of the Route's + * rules is implemented by the Gateway. 
+ * + * + * There are a number of cases where the "Accepted" condition may not be set + * due to lack of controller visibility, that includes when: + * + * + * * The Route refers to a non-existent parent. + * * The Route is of a type that the controller does not support. + * * The Route is in a namespace the controller does not have access to. + */ + conditions: outputs.gateway.v1alpha2.GRPCRouteStatusParentsConditionsPatch[]; + /** + * ControllerName is a domain/path string that indicates the name of the + * controller that wrote this status. This corresponds with the + * controllerName field on GatewayClass. + * + * + * Example: "example.net/gateway-controller". + * + * + * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + * valid Kubernetes names + * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + * + * + * Controllers MUST populate this field when writing status. Controllers should ensure that + * entries to status populated with their ControllerName are cleaned up when they are no + * longer necessary. + */ + controllerName: string; + parentRef: outputs.gateway.v1alpha2.GRPCRouteStatusParentsParentRefPatch; + } + /** + * Status defines the current state of GRPCRoute. + */ + interface GRPCRouteStatusPatch { + /** + * Parents is a list of parent resources (usually Gateways) that are + * associated with the route, and the status of the route with respect to + * each parent. When this route attaches to a parent, the controller that + * manages the parent must add an entry to this list when the controller + * first sees the route and should update the entry as appropriate when the + * route or gateway is modified. + * + * + * Note that parent references that cannot be resolved by an implementation + * of this API will not be added to this list. Implementations of this API + * can only populate Route status for the Gateways/parent resources they are + * responsible for. 
+ * + * + * A maximum of 32 Gateways will be represented in this list. An empty list + * means the route has not been attached to any Gateway. + */ + parents: outputs.gateway.v1alpha2.GRPCRouteStatusParentsPatch[]; + } + /** + * ReferenceGrant identifies kinds of resources in other namespaces that are + * trusted to reference the specified kinds of resources in the same namespace + * as the policy. + * + * + * Each ReferenceGrant can be used to represent a unique trust relationship. + * Additional Reference Grants can be used to add to the set of trusted + * sources of inbound references for the namespace they are defined within. + * + * + * A ReferenceGrant is required for all cross-namespace references in Gateway API + * (with the exception of cross-namespace Route-Gateway attachment, which is + * governed by the AllowedRoutes configuration on the Gateway, and cross-namespace + * Service ParentRefs on a "consumer" mesh Route, which defines routing rules + * applicable only to workloads in the Route namespace). ReferenceGrants allowing + * a reference from a Route to a Service are only applicable to BackendRefs. + * + * + * ReferenceGrant is a form of runtime verification allowing users to assert + * which cross-namespace object references are permitted. Implementations that + * support ReferenceGrant MUST NOT permit cross-namespace references which have + * no grant, and MUST respond to the removal of a grant by revoking the access + * that the grant allowed. + */ + interface ReferenceGrant { + /** + * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + */ + apiVersion: "gateway.networking.k8s.io/v1alpha2"; + /** + * Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + */ + kind: "ReferenceGrant"; + /** + * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + */ + metadata: outputs.meta.v1.ObjectMeta; + spec: outputs.gateway.v1alpha2.ReferenceGrantSpec; + } + /** + * Spec defines the desired state of ReferenceGrant. + */ + interface ReferenceGrantSpec { + /** + * From describes the trusted namespaces and kinds that can reference the + * resources described in "To". Each entry in this list MUST be considered + * to be an additional place that references can be valid from, or to put + * this another way, entries MUST be combined using OR. + * + * + * Support: Core + */ + from: outputs.gateway.v1alpha2.ReferenceGrantSpecFrom[]; + /** + * To describes the resources that may be referenced by the resources + * described in "From". Each entry in this list MUST be considered to be an + * additional place that references can be valid to, or to put this another + * way, entries MUST be combined using OR. + * + * + * Support: Core + */ + to: outputs.gateway.v1alpha2.ReferenceGrantSpecTo[]; + } + /** + * ReferenceGrantFrom describes trusted namespaces and kinds. + */ + interface ReferenceGrantSpecFrom { + /** + * Group is the group of the referent. + * When empty, the Kubernetes core API group is inferred. + * + * + * Support: Core + */ + group: string; + /** + * Kind is the kind of the referent. Although implementations may support + * additional resources, the following types are part of the "Core" + * support level for this field. 
+ * + * + * When used to permit a SecretObjectReference: + * + * + * * Gateway + * + * + * When used to permit a BackendObjectReference: + * + * + * * GRPCRoute + * * HTTPRoute + * * TCPRoute + * * TLSRoute + * * UDPRoute + */ + kind: string; + /** + * Namespace is the namespace of the referent. + * + * + * Support: Core + */ + namespace: string; + } + /** + * ReferenceGrantFrom describes trusted namespaces and kinds. + */ + interface ReferenceGrantSpecFromPatch { + /** + * Group is the group of the referent. + * When empty, the Kubernetes core API group is inferred. + * + * + * Support: Core + */ + group: string; + /** + * Kind is the kind of the referent. Although implementations may support + * additional resources, the following types are part of the "Core" + * support level for this field. + * + * + * When used to permit a SecretObjectReference: + * + * + * * Gateway + * + * + * When used to permit a BackendObjectReference: + * + * + * * GRPCRoute + * * HTTPRoute + * * TCPRoute + * * TLSRoute + * * UDPRoute + */ + kind: string; + /** + * Namespace is the namespace of the referent. + * + * + * Support: Core + */ + namespace: string; + } + /** + * Spec defines the desired state of ReferenceGrant. + */ + interface ReferenceGrantSpecPatch { + /** + * From describes the trusted namespaces and kinds that can reference the + * resources described in "To". Each entry in this list MUST be considered + * to be an additional place that references can be valid from, or to put + * this another way, entries MUST be combined using OR. + * + * + * Support: Core + */ + from: outputs.gateway.v1alpha2.ReferenceGrantSpecFromPatch[]; + /** + * To describes the resources that may be referenced by the resources + * described in "From". Each entry in this list MUST be considered to be an + * additional place that references can be valid to, or to put this another + * way, entries MUST be combined using OR. 
+ * + * + * Support: Core + */ + to: outputs.gateway.v1alpha2.ReferenceGrantSpecToPatch[]; + } + /** + * ReferenceGrantTo describes what Kinds are allowed as targets of the + * references. + */ + interface ReferenceGrantSpecTo { + /** + * Group is the group of the referent. + * When empty, the Kubernetes core API group is inferred. + * + * + * Support: Core + */ + group: string; + /** + * Kind is the kind of the referent. Although implementations may support + * additional resources, the following types are part of the "Core" + * support level for this field: + * + * + * * Secret when used to permit a SecretObjectReference + * * Service when used to permit a BackendObjectReference + */ + kind: string; + /** + * Name is the name of the referent. When unspecified, this policy + * refers to all resources of the specified Group and Kind in the local + * namespace. + */ + name: string; + } + /** + * ReferenceGrantTo describes what Kinds are allowed as targets of the + * references. + */ + interface ReferenceGrantSpecToPatch { + /** + * Group is the group of the referent. + * When empty, the Kubernetes core API group is inferred. + * + * + * Support: Core + */ + group: string; + /** + * Kind is the kind of the referent. Although implementations may support + * additional resources, the following types are part of the "Core" + * support level for this field: + * + * + * * Secret when used to permit a SecretObjectReference + * * Service when used to permit a BackendObjectReference + */ + kind: string; + /** + * Name is the name of the referent. When unspecified, this policy + * refers to all resources of the specified Group and Kind in the local + * namespace. + */ + name: string; + } /** * TCPRoute provides a way to route TCP requests. When combined with a Gateway * listener, it can be used to forward connections on the port specified by the 
@@ -36776,16 +29635,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -36795,8 +29659,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -36804,12 +29670,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -36817,10 +29685,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -36832,33 +29702,21 @@ export declare namespace gateway { * Rules are a list of TCP matchers and actions. */ rules: outputs.gateway.v1alpha2.TCPRouteSpecRules[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** * ParentReference identifies an API object (usually a Gateway) that can be considered * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -36869,23 +29727,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -36893,6 +29756,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -36900,10 +29764,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -36911,6 +29777,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -36918,6 +29785,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -36927,15 +29795,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -36944,6 +29815,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -36951,6 +29823,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -36958,10 +29831,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -36971,6 +29846,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -36980,12 +29856,15 @@ export declare namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -36996,23 +29875,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; 
@@ -37020,6 +29904,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -37027,10 +29912,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -37038,6 +29925,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -37045,6 +29933,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -37054,15 +29943,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -37071,6 +29963,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -37078,6 +29971,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -37085,10 +29979,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -37098,6 +29994,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -37118,16 +30015,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -37137,8 +30039,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -37146,12 +30050,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -37159,10 +30065,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -37174,21 +30082,6 @@ export declare namespace gateway { * Rules are a list of TCP matchers and actions. */ rules: outputs.gateway.v1alpha2.TCPRouteSpecRulesPatch[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** * TCPRouteRule is the configuration for a given rule. 
@@ -37196,53 +30089,61 @@ export declare namespace gateway { interface TCPRouteSpecRules { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or a + * sent. If unspecified or invalid (refers to a non-existent resource or a * Service with no endpoints), the underlying implementation MUST actively * reject connection attempts to this backend. Connection rejections must * respect weight; if an invalid backend is requested to have 80% of * connections, then 80% of connections must be rejected instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs: outputs.gateway.v1alpha2.TCPRouteSpecRulesBackendRefs[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; } /** * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. 
* + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. @@ -37257,16 +30158,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -37278,11 +30183,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -37302,11 +30209,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; @@ -37315,27 +30224,37 @@ export declare namespace gateway { * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. 
@@ -37350,16 +30269,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -37371,11 +30294,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -37395,11 +30320,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -37410,27 +30337,25 @@ export declare namespace gateway { interface TCPRouteSpecRulesPatch { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or a + * sent. If unspecified or invalid (refers to a non-existent resource or a * Service with no endpoints), the underlying implementation MUST actively * reject connection attempts to this backend. Connection rejections must * respect weight; if an invalid backend is requested to have 80% of * connections, then 80% of connections must be rejected instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs: outputs.gateway.v1alpha2.TCPRouteSpecRulesBackendRefsPatch[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; } /** * Status defines the current state of TCPRoute. @@ -37444,11 +30369,13 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -37464,19 +30391,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -37486,12 +30417,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -37501,6 +30435,22 @@ export declare namespace gateway { } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface TCPRouteStatusParentsConditions { /** @@ -37533,11 +30483,31 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface TCPRouteStatusParentsConditionsPatch { /** 
@@ -37570,6 +30540,10 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -37584,23 +30558,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -37608,6 +30587,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -37615,10 +30595,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -37626,6 +30608,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -37633,6 +30616,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -37642,15 +30626,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -37659,6 +30646,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -37666,6 +30654,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -37673,10 +30662,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -37686,6 +30677,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -37701,23 +30693,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -37725,6 +30722,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -37732,10 +30730,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -37743,6 +30743,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -37750,6 +30751,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -37759,15 +30761,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, 
@@ -37776,6 +30781,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -37783,6 +30789,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -37790,10 +30797,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -37803,6 +30812,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; 
@@ -37817,19 +30827,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -37839,12 +30853,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -37864,11 +30881,13 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ @@ -37879,6 +30898,7 @@ export declare namespace gateway { * to match against TLS-specific metadata. This allows more flexibility * in matching streams for a given TLS listener. * + * * If you need to forward traffic to a single target for a TLS listener, you * could choose to use a TCPRoute with a TLS listener. */ @@ -37907,14 +30927,17 @@ export declare namespace gateway { * SNI attribute of TLS ClientHello message in TLS handshake. This matches * the RFC 1123 definition of a hostname with 2 notable exceptions: * + * * 1. IPs are not allowed in SNI names per RFC 6066. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and TLSRoute, there * must be at least one intersecting hostname for the TLSRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches TLSRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -37924,17 +30947,20 @@ export declare namespace gateway { * `test.example.com` and `*.example.com` would both match. On the other * hand, `example.com` and `test.example.net` would not match. * + * * If both the Listener and TLSRoute have specified hostnames, any * TLSRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * TLSRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and TLSRoute have specified hostnames, and none * match with the criteria above, then the TLSRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * Support: Core */ hostnames: string[]; @@ -37950,16 +30976,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -37969,8 +31000,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -37978,12 +31011,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -37991,10 +31026,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -38006,33 +31043,21 @@ export declare namespace gateway { * Rules are a list of TLS matchers and actions. */ rules: outputs.gateway.v1alpha2.TLSRouteSpecRules[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** * ParentReference identifies an API object (usually a Gateway) that can be considered * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -38043,23 +31068,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -38067,6 +31097,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -38074,10 +31105,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -38085,6 +31118,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -38092,6 +31126,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -38101,15 +31136,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -38118,6 +31156,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -38125,6 +31164,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -38132,10 +31172,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -38145,6 +31187,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -38154,12 +31197,15 @@ export declare namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -38170,23 +31216,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; 
@@ -38194,6 +31245,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -38201,10 +31253,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -38212,6 +31266,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -38219,6 +31274,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -38228,15 +31284,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -38245,6 +31304,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -38252,6 +31312,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -38259,10 +31320,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -38272,6 +31335,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -38285,14 +31349,17 @@ export declare namespace gateway { * SNI attribute of TLS ClientHello message in TLS handshake. This matches * the RFC 1123 definition of a hostname with 2 notable exceptions: * + * * 1. IPs are not allowed in SNI names per RFC 6066. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and TLSRoute, there * must be at least one intersecting hostname for the TLSRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches TLSRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. @@ -38302,17 +31369,20 @@ export declare namespace gateway { * `test.example.com` and `*.example.com` would both match. On the other * hand, `example.com` and `test.example.net` would not match. * + * * If both the Listener and TLSRoute have specified hostnames, any * TLSRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * TLSRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and TLSRoute have specified hostnames, and none * match with the criteria above, then the TLSRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * Support: Core */ hostnames: string[]; 
@@ -38328,16 +31398,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -38347,8 +31422,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -38356,12 +31433,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -38369,10 +31448,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -38384,21 +31465,6 @@ export declare namespace gateway { * Rules are a list of TLS matchers and actions. */ rules: outputs.gateway.v1alpha2.TLSRouteSpecRulesPatch[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** * TLSRouteRule is the configuration for a given rule. 
@@ -38406,7 +31472,7 @@ export declare namespace gateway { interface TLSRouteSpecRules { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or + * sent. If unspecified or invalid (refers to a non-existent resource or * a Service with no endpoints), the rule performs no forwarding; if no * filters are specified that would result in a response being sent, the * underlying implementation must actively reject request attempts to this 
@@ -38415,47 +31481,55 @@ export declare namespace gateway { * requested to have 80% of requests, then 80% of requests must be rejected * instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs: outputs.gateway.v1alpha2.TLSRouteSpecRulesBackendRefs[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; } /** * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. 
@@ -38470,16 +31544,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -38491,11 +31569,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -38515,11 +31595,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -38528,27 +31610,37 @@ export declare namespace gateway { * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. 
@@ -38563,16 +31655,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -38584,11 +31680,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -38608,11 +31706,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -38623,7 +31723,7 @@ export declare namespace gateway { interface TLSRouteSpecRulesPatch { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or + * sent. If unspecified or invalid (refers to a non-existent resource or * a Service with no endpoints), the rule performs no forwarding; if no * filters are specified that would result in a response being sent, the * underlying implementation must actively reject request attempts to this @@ -38632,21 +31732,19 @@ export declare namespace gateway { * requested to have 80% of requests, then 80% of requests must be rejected * instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs: outputs.gateway.v1alpha2.TLSRouteSpecRulesBackendRefsPatch[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; } /** * Status defines the current state of TLSRoute. @@ -38660,11 +31758,13 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -38680,19 +31780,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -38702,12 +31806,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -38717,6 +31824,22 @@ export declare namespace gateway { } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface TLSRouteStatusParentsConditions { /** @@ -38749,11 +31872,31 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface TLSRouteStatusParentsConditionsPatch { /** 
@@ -38786,6 +31929,10 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -38800,23 +31947,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -38824,6 +31976,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -38831,10 +31984,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -38842,6 +31997,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -38849,6 +32005,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -38858,15 +32015,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -38875,6 +32035,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -38882,6 +32043,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -38889,10 +32051,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -38902,6 +32066,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -38917,23 +32082,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -38941,6 +32111,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -38948,10 +32119,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -38959,6 +32132,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -38966,6 +32140,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -38975,15 +32150,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, 
@@ -38992,6 +32170,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -38999,6 +32178,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -39006,10 +32186,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -39019,6 +32201,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; 
@@ -39033,19 +32216,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -39055,12 +32242,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -39080,11 +32270,13 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ @@ -39127,16 +32319,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -39146,8 +32343,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -39155,12 +32354,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -39168,10 +32369,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -39183,33 +32386,21 @@ export declare namespace gateway { * Rules are a list of UDP matchers and actions. */ rules: outputs.gateway.v1alpha2.UDPRouteSpecRules[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** * ParentReference identifies an API object (usually a Gateway) that can be considered * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -39220,23 +32411,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -39244,6 +32440,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -39251,10 +32448,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -39262,6 +32461,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -39269,6 +32469,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -39278,15 +32479,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -39295,6 +32499,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -39302,6 +32507,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -39309,10 +32515,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -39322,6 +32530,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -39331,12 +32540,15 @@ export declare namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -39347,23 +32559,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; 
@@ -39371,6 +32588,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -39378,10 +32596,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -39389,6 +32609,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -39396,6 +32617,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -39405,15 +32627,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -39422,6 +32647,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -39429,6 +32655,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -39436,10 +32663,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -39449,6 +32678,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -39469,16 +32699,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -39488,8 +32723,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -39497,12 +32734,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -39510,10 +32749,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -39525,21 +32766,6 @@ export declare namespace gateway { * Rules are a list of UDP matchers and actions. */ rules: outputs.gateway.v1alpha2.UDPRouteSpecRulesPatch[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** * UDPRouteRule is the configuration for a given rule. 
@@ -39547,53 +32773,61 @@ export declare namespace gateway { interface UDPRouteSpecRules { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or a + * sent. If unspecified or invalid (refers to a non-existent resource or a * Service with no endpoints), the underlying implementation MUST actively * reject connection attempts to this backend. Packet drops must * respect weight; if an invalid backend is requested to have 80% of * the packets, then 80% of packets must be dropped instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs: outputs.gateway.v1alpha2.UDPRouteSpecRulesBackendRefs[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; } /** * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. 
* + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. @@ -39608,16 +32842,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -39629,11 +32867,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -39653,11 +32893,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; @@ -39666,27 +32908,37 @@ export declare namespace gateway { * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. 
@@ -39701,16 +32953,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -39722,11 +32978,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -39746,11 +33004,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -39761,27 +33021,25 @@ export declare namespace gateway { interface UDPRouteSpecRulesPatch { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or a + * sent. If unspecified or invalid (refers to a non-existent resource or a * Service with no endpoints), the underlying implementation MUST actively * reject connection attempts to this backend. Packet drops must * respect weight; if an invalid backend is requested to have 80% of * the packets, then 80% of packets must be dropped instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs: outputs.gateway.v1alpha2.UDPRouteSpecRulesBackendRefsPatch[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; } /** * Status defines the current state of UDPRoute. @@ -39795,11 +33053,13 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -39815,19 +33075,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -39837,12 +33101,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -39852,6 +33119,22 @@ export declare namespace gateway { } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface UDPRouteStatusParentsConditions { /** @@ -39884,11 +33167,31 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface UDPRouteStatusParentsConditionsPatch { /** 
@@ -39921,6 +33224,10 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -39935,23 +33242,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -39959,6 +33271,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -39966,10 +33279,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -39977,6 +33292,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -39984,6 +33300,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -39993,15 +33310,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -40010,6 +33330,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -40017,6 +33338,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -40024,10 +33346,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -40037,6 +33361,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -40052,23 +33377,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -40076,6 +33406,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -40083,10 +33414,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -40094,6 +33427,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -40101,6 +33435,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -40110,15 +33445,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, 
@@ -40127,6 +33465,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -40134,6 +33473,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -40141,10 +33481,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -40154,6 +33496,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; 
@@ -40168,19 +33511,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -40190,12 +33537,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -40215,11 +33565,13 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ @@ -40251,21 +33603,6 @@ export declare namespace gateway { * Spec defines the desired state of BackendTLSPolicy. */ interface BackendTLSPolicySpec { - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options: { - [key: string]: string; - }; /** * TargetRefs identifies an API object to apply the policy to. * Only Services have Extended support. Implementations MAY support 
@@ -40274,32 +33611,10 @@ export declare namespace gateway { * by default, but this default may change in the future to provide * a more granular application of the policy. * - * TargetRefs must be _distinct_. This means either that: - * - * * They select different targets. If this is the case, then targetRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, and `name` must - * be unique across all targetRef entries in the BackendTLSPolicy. - * * They select different sectionNames in the same target. - * - * When more than one BackendTLSPolicy selects the same target and - * sectionName, implementations MUST determine precedence using the - * following criteria, continuing on ties: - * - * * The older policy by creation timestamp takes precedence. For - * example, a policy with a creation timestamp of "2021-07-15 - * 01:02:03" MUST be given precedence over a policy with a - * creation timestamp of "2021-07-15 01:02:04". - * * The policy appearing first in alphabetical order by {name}. - * For example, a policy named `bar` is given precedence over a - * policy named `baz`. - * - * For any BackendTLSPolicy that does not take precedence, the - * implementation MUST ensure the `Accepted` Condition is set to - * `status: False`, with Reason `Conflicted`. * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ targetRefs: outputs.gateway.v1alpha3.BackendTLSPolicySpecTargetRefs[]; 
@@ -40309,21 +33624,6 @@ export declare namespace gateway { * Spec defines the desired state of BackendTLSPolicy. */ interface BackendTLSPolicySpecPatch { - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options: { - [key: string]: string; - }; /** * TargetRefs identifies an API object to apply the policy to. * Only Services have Extended support. Implementations MAY support 
@@ -40332,32 +33632,10 @@ export declare namespace gateway { * by default, but this default may change in the future to provide * a more granular application of the policy. * - * TargetRefs must be _distinct_. This means either that: - * - * * They select different targets. If this is the case, then targetRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, and `name` must - * be unique across all targetRef entries in the BackendTLSPolicy. - * * They select different sectionNames in the same target. - * - * When more than one BackendTLSPolicy selects the same target and - * sectionName, implementations MUST determine precedence using the - * following criteria, continuing on ties: - * - * * The older policy by creation timestamp takes precedence. For - * example, a policy with a creation timestamp of "2021-07-15 - * 01:02:03" MUST be given precedence over a policy with a - * creation timestamp of "2021-07-15 01:02:04". - * * The policy appearing first in alphabetical order by {name}. - * For example, a policy named `bar` is given precedence over a - * policy named `baz`. - * - * For any BackendTLSPolicy that does not take precedence, the - * implementation MUST ensure the `Accepted` Condition is set to - * `status: False`, with Reason `Conflicted`. * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ targetRefs: outputs.gateway.v1alpha3.BackendTLSPolicySpecTargetRefsPatch[]; @@ -40370,6 +33648,7 @@ export declare namespace gateway { * mode works, and a sample Policy resource, refer to the policy attachment * documentation for Gateway API. * + * * Note: This should only be used for direct policy attachment when references * to SectionName are actually needed. In all other cases, * LocalPolicyTargetReference should be used. 
@@ -40392,10 +33671,12 @@ export declare namespace gateway { * unspecified, this targetRef targets the entire resource. In the following * resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name * * HTTPRoute: HTTPRouteRule name * * Service: Port name * + * * If a SectionName is specified, but does not exist on the targeted object, * the Policy must fail to attach, and the policy implementation should record * a `ResolvedRefs` or similar Condition in the Policy's status. @@ -40409,6 +33690,7 @@ export declare namespace gateway { * mode works, and a sample Policy resource, refer to the policy attachment * documentation for Gateway API. * + * * Note: This should only be used for direct policy attachment when references * to SectionName are actually needed. In all other cases, * LocalPolicyTargetReference should be used. @@ -40431,10 +33713,12 @@ export declare namespace gateway { * unspecified, this targetRef targets the entire resource. In the following * resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name * * HTTPRoute: HTTPRouteRule name * * Service: Port name * + * * If a SectionName is specified, but does not exist on the targeted object, * the Policy must fail to attach, and the policy implementation should record * a `ResolvedRefs` or similar Condition in the Policy's status. 
@@ -40450,81 +33734,55 @@ export declare namespace gateway { * contain a PEM-encoded TLS CA certificate bundle, which is used to * validate a TLS handshake between the Gateway and backend Pod. * + * * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - * not both. If CACertificateRefs is empty or unspecified, the configuration for + * not both. If CACertifcateRefs is empty or unspecified, the configuration for * WellKnownCACertificates MUST be honored instead if supported by the implementation. * - * A CACertificateRef is invalid if: * - * * It refers to a resource that cannot be resolved (e.g., the referenced resource - * does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - * named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` - * and the Message of the Condition must indicate which reference is invalid and why. + * References to a resource in a different namespace are invalid for the + * moment, although we will revisit this in the future. * - * * It refers to an unknown or unsupported kind of resource. In this case, the Reason - * must be set to `InvalidKind` and the Message of the Condition must explain which - * kind of resource is unknown or unsupported. - * - * * It refers to a resource in another namespace. This may change in future - * spec updates. - * - * Implementations MAY choose to perform further validation of the certificate - * content (e.g., checking expiry or enforcing specific formats). In such cases, - * an implementation-specific Reason and Message must be set for the invalid reference. - * - * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - * the BackendTLSPolicy is set to `status: False`, with a Reason and Message - * that indicate the cause of the error. 
Connections using an invalid - * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - * response. If ALL CACertificateRefs are invalid, the implementation MUST also - * ensure the `Accepted` Condition on the BackendTLSPolicy is set to - * `status: False`, with a Reason `NoValidCACertificate`. * * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a backend, but this behavior is implementation-specific. * + * * Support: Core - An optional single reference to a Kubernetes ConfigMap, * with the CA certificate in a key named `ca.crt`. * - * Support: Implementation-specific - More than one reference, other kinds - * of resources, or a single reference that includes multiple certificates. + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). */ caCertificateRefs: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationCaCertificateRefs[]; /** * Hostname is used for two purposes in the connection between Gateways and * backends: * + * * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). * 2. Hostname MUST be used for authentication and MUST match the certificate - * served by the matching backend, unless SubjectAltNames is specified. - * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - * but MUST NOT be used for authentication. If you want to use the value - * of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. + * served by the matching backend. + * * * Support: Core */ hostname: string; - /** - * SubjectAltNames contains one or more Subject Alternative Names. - * When specified the certificate served from the backend MUST - * have at least one Subject Alternate Name matching one of the specified SubjectAltNames. 
- * - * Support: Extended - */ - subjectAltNames: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationSubjectAltNames[]; /** * WellKnownCACertificates specifies whether system CA certificates may be used in * the TLS handshake between the gateway and backend pod. * + * * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs * must be specified with at least one entry for a valid configuration. Only one of - * CACertificateRefs or WellKnownCACertificates may be specified, not both. - * If an implementation does not support the WellKnownCACertificates field, or - * the supplied value is not recognized, the implementation MUST ensure the - * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - * a Reason `Invalid`. + * CACertificateRefs or WellKnownCACertificates may be specified, not both. If an + * implementation does not support the WellKnownCACertificates field or the value + * supplied is not supported, the Status Conditions on the Policy MUST be + * updated to include an Accepted: False Condition with Reason: Invalid. + * * * Support: Implementation-specific */ @@ -40536,6 +33794,7 @@ export declare namespace gateway { * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. @@ -40561,6 +33820,7 @@ export declare namespace gateway { * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. 
@@ -40589,140 +33849,60 @@ export declare namespace gateway { * contain a PEM-encoded TLS CA certificate bundle, which is used to * validate a TLS handshake between the Gateway and backend Pod. * + * * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - * not both. If CACertificateRefs is empty or unspecified, the configuration for + * not both. If CACertifcateRefs is empty or unspecified, the configuration for * WellKnownCACertificates MUST be honored instead if supported by the implementation. * - * A CACertificateRef is invalid if: * - * * It refers to a resource that cannot be resolved (e.g., the referenced resource - * does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - * named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` - * and the Message of the Condition must indicate which reference is invalid and why. + * References to a resource in a different namespace are invalid for the + * moment, although we will revisit this in the future. * - * * It refers to an unknown or unsupported kind of resource. In this case, the Reason - * must be set to `InvalidKind` and the Message of the Condition must explain which - * kind of resource is unknown or unsupported. - * - * * It refers to a resource in another namespace. This may change in future - * spec updates. - * - * Implementations MAY choose to perform further validation of the certificate - * content (e.g., checking expiry or enforcing specific formats). In such cases, - * an implementation-specific Reason and Message must be set for the invalid reference. - * - * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - * the BackendTLSPolicy is set to `status: False`, with a Reason and Message - * that indicate the cause of the error. 
Connections using an invalid - * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - * response. If ALL CACertificateRefs are invalid, the implementation MUST also - * ensure the `Accepted` Condition on the BackendTLSPolicy is set to - * `status: False`, with a Reason `NoValidCACertificate`. * * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a backend, but this behavior is implementation-specific. * + * * Support: Core - An optional single reference to a Kubernetes ConfigMap, * with the CA certificate in a key named `ca.crt`. * - * Support: Implementation-specific - More than one reference, other kinds - * of resources, or a single reference that includes multiple certificates. + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). */ caCertificateRefs: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationCaCertificateRefsPatch[]; /** * Hostname is used for two purposes in the connection between Gateways and * backends: * + * * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). * 2. Hostname MUST be used for authentication and MUST match the certificate - * served by the matching backend, unless SubjectAltNames is specified. - * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - * but MUST NOT be used for authentication. If you want to use the value - * of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. + * served by the matching backend. + * * * Support: Core */ hostname: string; - /** - * SubjectAltNames contains one or more Subject Alternative Names. - * When specified the certificate served from the backend MUST - * have at least one Subject Alternate Name matching one of the specified SubjectAltNames. 
- * - * Support: Extended - */ - subjectAltNames: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationSubjectAltNamesPatch[]; /** * WellKnownCACertificates specifies whether system CA certificates may be used in * the TLS handshake between the gateway and backend pod. * + * * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs * must be specified with at least one entry for a valid configuration. Only one of - * CACertificateRefs or WellKnownCACertificates may be specified, not both. - * If an implementation does not support the WellKnownCACertificates field, or - * the supplied value is not recognized, the implementation MUST ensure the - * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - * a Reason `Invalid`. + * CACertificateRefs or WellKnownCACertificates may be specified, not both. If an + * implementation does not support the WellKnownCACertificates field or the value + * supplied is not supported, the Status Conditions on the Policy MUST be + * updated to include an Accepted: False Condition with Reason: Invalid. + * * * Support: Implementation-specific */ wellKnownCACertificates: string; } - /** - * SubjectAltName represents Subject Alternative Name. - */ - interface BackendTLSPolicySpecValidationSubjectAltNames { - /** - * Hostname contains Subject Alternative Name specified in DNS name format. - * Required when Type is set to Hostname, ignored otherwise. - * - * Support: Core - */ - hostname: string; - /** - * Type determines the format of the Subject Alternative Name. Always required. - * - * Support: Core - */ - type: string; - /** - * URI contains Subject Alternative Name specified in a full URI format. - * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - * Required when Type is set to URI, ignored otherwise. 
- * - * Support: Core - */ - uri: string; - } - /** - * SubjectAltName represents Subject Alternative Name. - */ - interface BackendTLSPolicySpecValidationSubjectAltNamesPatch { - /** - * Hostname contains Subject Alternative Name specified in DNS name format. - * Required when Type is set to Hostname, ignored otherwise. - * - * Support: Core - */ - hostname: string; - /** - * Type determines the format of the Subject Alternative Name. Always required. - * - * Support: Core - */ - type: string; - /** - * URI contains Subject Alternative Name specified in a full URI format. - * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - * Required when Type is set to URI, ignored otherwise. - * - * Support: Core - */ - uri: string; - } /** * Status defines the current state of BackendTLSPolicy. */ 
@@ -40735,22 +33915,27 @@ export declare namespace gateway { * the controller first sees the policy and SHOULD update the entry as * appropriate when the relevant ancestor is modified. * + * * Note that choosing the relevant ancestor is left to the Policy designers; * an important part of Policy design is designing the right object level at * which to namespace this status. * + * * Note also that implementations MUST ONLY populate ancestor status for * the Ancestor resources they are responsible for. Implementations MUST * use the ControllerName field to uniquely identify the entries in this list * that they are responsible for. * + * * Note that to achieve this, the list of PolicyAncestorStatus structs * MUST be treated as a map with a composite key, made up of the AncestorRef * and ControllerName fields combined. * + * * A maximum of 16 ancestors will be represented in this list. An empty list * means the Policy is not relevant for any ancestors. * + * * If this slice is full, implementations MUST NOT add further entries. * Instead they MUST consider the policy unimplementable and signal that * on any related resources such as the ancestor that would be referenced @@ -40764,6 +33949,7 @@ export declare namespace gateway { * PolicyAncestorStatus describes the status of a route with respect to an * associated Ancestor. * + * * Ancestors refer to objects that are either the Target of a policy or above it * in terms of object hierarchy. For example, if a policy targets a Service, the * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and 
@@ -40772,23 +33958,28 @@ export declare namespace gateway { * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers * have a _very_ good reason otherwise. * + * * In the context of policy attachment, the Ancestor is used to distinguish which * resource results in a distinct application of this policy. For example, if a policy * targets a Service, it may have a distinct result per attached Gateway. * + * * Policies targeting the same resource may have different effects depending on the * ancestors of those resources. For example, different Gateways targeting the same * Service may have different capabilities, especially if they have different underlying * implementations. * + * * For example, in BackendTLSPolicy, the Policy attaches to a Service that is * used as a backend in a HTTPRoute that is itself attached to a Gateway. * In this case, the relevant object for status is the Gateway, and that is the * ancestor object referred to in this status. * + * * Note that a parent is also an ancestor, so for objects where the parent is the * relevant object for status, this struct SHOULD still be used. * + * * This struct is intended to be used in a slice that's effectively a map, * with a composite key made up of the AncestorRef and the ControllerName. */ @@ -40803,12 +33994,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -40826,23 +34020,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -40850,6 +34049,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -40857,10 +34057,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -40868,6 +34070,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -40875,6 +34078,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -40884,15 +34088,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -40901,6 +34108,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -40908,6 +34116,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -40915,10 +34124,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -40928,6 +34139,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -40943,23 +34155,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -40967,6 +34184,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -40974,10 +34192,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -40985,6 +34205,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -40992,6 +34213,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -41001,15 +34223,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, 
@@ -41018,6 +34243,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -41025,6 +34251,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -41032,10 +34259,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -41045,12 +34274,29 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface BackendTLSPolicyStatusAncestorsConditions { /** 
@@ -41083,11 +34329,31 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface BackendTLSPolicyStatusAncestorsConditionsPatch { /** @@ -41120,6 +34386,10 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } 
@@ -41127,6 +34397,7 @@ export declare namespace gateway { * PolicyAncestorStatus describes the status of a route with respect to an * associated Ancestor. * + * * Ancestors refer to objects that are either the Target of a policy or above it * in terms of object hierarchy. For example, if a policy targets a Service, the * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and @@ -41135,23 +34406,28 @@ export declare namespace gateway { * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers * have a _very_ good reason otherwise. * + * * In the context of policy attachment, the Ancestor is used to distinguish which * resource results in a distinct application of this policy. For example, if a policy * targets a Service, it may have a distinct result per attached Gateway. * + * * Policies targeting the same resource may have different effects depending on the * ancestors of those resources. For example, different Gateways targeting the same * Service may have different capabilities, especially if they have different underlying * implementations. * + * * For example, in BackendTLSPolicy, the Policy attaches to a Service that is * used as a backend in a HTTPRoute that is itself attached to a Gateway. * In this case, the relevant object for status is the Gateway, and that is the * ancestor object referred to in this status. * + * * Note that a parent is also an ancestor, so for objects where the parent is the * relevant object for status, this struct SHOULD still be used. * + * * This struct is intended to be used in a slice that's effectively a map, * with a composite key made up of the AncestorRef and the ControllerName. */ 
@@ -41166,12 +34442,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. @@ -41190,22 +34469,27 @@ export declare namespace gateway { * the controller first sees the policy and SHOULD update the entry as * appropriate when the relevant ancestor is modified. * + * * Note that choosing the relevant ancestor is left to the Policy designers; * an important part of Policy design is designing the right object level at * which to namespace this status. * + * * Note also that implementations MUST ONLY populate ancestor status for * the Ancestor resources they are responsible for. Implementations MUST * use the ControllerName field to uniquely identify the entries in this list * that they are responsible for. * + * * Note that to achieve this, the list of PolicyAncestorStatus structs * MUST be treated as a map with a composite key, made up of the AncestorRef * and ControllerName fields combined. * + * * A maximum of 16 ancestors will be represented in this list. An empty list * means the Policy is not relevant for any ancestors. * + * * If this slice is full, implementations MUST NOT add further entries. * Instead they MUST consider the policy unimplementable and signal that * on any related resources such as the ancestor that would be referenced 
@@ -41215,1222 +34499,6 @@ export declare namespace gateway { */ ancestors: outputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestorsPatch[]; } - /** - * The TLSRoute resource is similar to TCPRoute, but can be configured - * to match against TLS-specific metadata. This allows more flexibility - * in matching streams for a given TLS listener. - * - * If you need to forward traffic to a single target for a TLS listener, you - * could choose to use a TCPRoute with a TLS listener. - */ - interface TLSRoute { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion: "gateway.networking.k8s.io/v1alpha3"; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind: "TLSRoute"; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata: outputs.meta.v1.ObjectMeta; - spec: outputs.gateway.v1alpha3.TLSRouteSpec; - status: outputs.gateway.v1alpha3.TLSRouteStatus; - } - /** - * Spec defines the desired state of TLSRoute. - */ - interface TLSRouteSpec { - /** - * Hostnames defines a set of SNI hostnames that should match against the - * SNI attribute of TLS ClientHello message in TLS handshake. This matches - * the RFC 1123 definition of a hostname with 2 notable exceptions: - * - * 1. IPs are not allowed in SNI hostnames per RFC 6066. - * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - * label must appear by itself as the first label. 
- * - * If a hostname is specified by both the Listener and TLSRoute, there - * must be at least one intersecting hostname for the TLSRoute to be - * attached to the Listener. For example: - * - * * A Listener with `test.example.com` as the hostname matches TLSRoutes - * that have specified at least one of `test.example.com` or - * `*.example.com`. - * * A Listener with `*.example.com` as the hostname matches TLSRoutes - * that have specified at least one hostname that matches the Listener - * hostname. For example, `test.example.com` and `*.example.com` would both - * match. On the other hand, `example.com` and `test.example.net` would not - * match. - * - * If both the Listener and TLSRoute have specified hostnames, any - * TLSRoute hostnames that do not match the Listener hostname MUST be - * ignored. For example, if a Listener specified `*.example.com`, and the - * TLSRoute specified `test.example.com` and `test.example.net`, - * `test.example.net` must not be considered for a match. - * - * If both the Listener and TLSRoute have specified hostnames, and none - * match with the criteria above, then the TLSRoute is not accepted. The - * implementation must raise an 'Accepted' Condition with a status of - * `False` in the corresponding RouteParentStatus. - * - * Support: Core - */ - hostnames: string[]; - /** - * ParentRefs references the resources (usually Gateways) that a Route wants - * to be attached to. Note that the referenced parent resource needs to - * allow this for the attachment to be complete. For Gateways, that means - * the Gateway needs to allow attachment from Routes of this kind and - * namespace. For Services, that means the Service must either be in the same - * namespace for a "producer" route, or the mesh implementation must support - * and allow "consumer" routes for the referenced Service. 
ReferenceGrant is - * not applicable for governing ParentRefs to Services - it is not possible to - * create a "producer" route for a Service in a different namespace from the - * Route. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * This API may be extended in the future to support additional kinds of parent - * resources. - * - * ParentRefs must be _distinct_. This means either that: - * - * * They select different objects. If this is the case, then parentRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, `namespace`, and `name` must - * be unique across all parentRef entries in the Route. - * * They do not select different objects, but for each optional field used, - * each ParentRef that selects the same object must set the same set of - * optional fields to different values. If one ParentRef sets a - * combination of optional fields, all must set the same combination. - * - * Some examples: - * - * * If one ParentRef sets `sectionName`, all ParentRefs referencing the - * same object must also set `sectionName`. - * * If one ParentRef sets `port`, all ParentRefs referencing the same - * object must also set `port`. - * * If one ParentRef sets `sectionName` and `port`, all ParentRefs - * referencing the same object must also set `sectionName` and `port`. - * - * It is possible to separately reference multiple distinct objects that may - * be collapsed by an implementation. For example, some implementations may - * choose to merge compatible Gateway Listeners together. If that is the - * case, the list of routes attached to those resources should also be - * merged. - * - * Note that for ParentRefs that cross namespace boundaries, there are specific - * rules. 
Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example, - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable other kinds of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - */ - parentRefs: outputs.gateway.v1alpha3.TLSRouteSpecParentRefs[]; - /** - * Rules are a list of actions. - */ - rules: outputs.gateway.v1alpha3.TLSRouteSpecRules[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; - } - /** - * ParentReference identifies an API object (usually a Gateway) that can be considered - * a parent of this resource (usually a route). 
There are two kinds of parent resources - * with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * This API may be extended in the future to support additional kinds of parent - * resources. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - */ - interface TLSRouteSpecParentRefs { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group: string; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind: string; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name: string; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. 
- * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace: string; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. 
- * - * Support: Extended - */ - port: number; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName: string; - } - /** - * ParentReference identifies an API object (usually a Gateway) that can be considered - * a parent of this resource (usually a route). There are two kinds of parent resources - * with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * This API may be extended in the future to support additional kinds of parent - * resources. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. 
- */ - interface TLSRouteSpecParentRefsPatch { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group: string; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind: string; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name: string; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace: string; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. 
- * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. - * - * Support: Extended - */ - port: number; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. 
- * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName: string; - } - /** - * Spec defines the desired state of TLSRoute. - */ - interface TLSRouteSpecPatch { - /** - * Hostnames defines a set of SNI hostnames that should match against the - * SNI attribute of TLS ClientHello message in TLS handshake. This matches - * the RFC 1123 definition of a hostname with 2 notable exceptions: - * - * 1. IPs are not allowed in SNI hostnames per RFC 6066. - * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - * label must appear by itself as the first label. - * - * If a hostname is specified by both the Listener and TLSRoute, there - * must be at least one intersecting hostname for the TLSRoute to be - * attached to the Listener. For example: - * - * * A Listener with `test.example.com` as the hostname matches TLSRoutes - * that have specified at least one of `test.example.com` or - * `*.example.com`. - * * A Listener with `*.example.com` as the hostname matches TLSRoutes - * that have specified at least one hostname that matches the Listener - * hostname. For example, `test.example.com` and `*.example.com` would both - * match. On the other hand, `example.com` and `test.example.net` would not - * match. 
- * - * If both the Listener and TLSRoute have specified hostnames, any - * TLSRoute hostnames that do not match the Listener hostname MUST be - * ignored. For example, if a Listener specified `*.example.com`, and the - * TLSRoute specified `test.example.com` and `test.example.net`, - * `test.example.net` must not be considered for a match. - * - * If both the Listener and TLSRoute have specified hostnames, and none - * match with the criteria above, then the TLSRoute is not accepted. The - * implementation must raise an 'Accepted' Condition with a status of - * `False` in the corresponding RouteParentStatus. - * - * Support: Core - */ - hostnames: string[]; - /** - * ParentRefs references the resources (usually Gateways) that a Route wants - * to be attached to. Note that the referenced parent resource needs to - * allow this for the attachment to be complete. For Gateways, that means - * the Gateway needs to allow attachment from Routes of this kind and - * namespace. For Services, that means the Service must either be in the same - * namespace for a "producer" route, or the mesh implementation must support - * and allow "consumer" routes for the referenced Service. ReferenceGrant is - * not applicable for governing ParentRefs to Services - it is not possible to - * create a "producer" route for a Service in a different namespace from the - * Route. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * This API may be extended in the future to support additional kinds of parent - * resources. - * - * ParentRefs must be _distinct_. This means either that: - * - * * They select different objects. If this is the case, then parentRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, `namespace`, and `name` must - * be unique across all parentRef entries in the Route. 
- * * They do not select different objects, but for each optional field used, - * each ParentRef that selects the same object must set the same set of - * optional fields to different values. If one ParentRef sets a - * combination of optional fields, all must set the same combination. - * - * Some examples: - * - * * If one ParentRef sets `sectionName`, all ParentRefs referencing the - * same object must also set `sectionName`. - * * If one ParentRef sets `port`, all ParentRefs referencing the same - * object must also set `port`. - * * If one ParentRef sets `sectionName` and `port`, all ParentRefs - * referencing the same object must also set `sectionName` and `port`. - * - * It is possible to separately reference multiple distinct objects that may - * be collapsed by an implementation. For example, some implementations may - * choose to merge compatible Gateway Listeners together. If that is the - * case, the list of routes attached to those resources should also be - * merged. - * - * Note that for ParentRefs that cross namespace boundaries, there are specific - * rules. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example, - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable other kinds of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. 
- */ - parentRefs: outputs.gateway.v1alpha3.TLSRouteSpecParentRefsPatch[]; - /** - * Rules are a list of actions. - */ - rules: outputs.gateway.v1alpha3.TLSRouteSpecRulesPatch[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; - } - /** - * TLSRouteRule is the configuration for a given rule. - */ - interface TLSRouteSpecRules { - /** - * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or - * a Service with no endpoints), the rule performs no forwarding; if no - * filters are specified that would result in a response being sent, the - * underlying implementation must actively reject request attempts to this - * backend, by rejecting the connection or returning a 500 status code. - * Request rejections must respect weight; if an invalid backend is - * requested to have 80% of requests, then 80% of requests must be rejected - * instead. 
- * - * Support: Core for Kubernetes Service - * - * Support: Extended for Kubernetes ServiceImport - * - * Support: Implementation-specific for any other resource - * - * Support for weight: Extended - */ - backendRefs: outputs.gateway.v1alpha3.TLSRouteSpecRulesBackendRefs[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; - } - /** - * BackendRef defines how a Route should forward a request to a Kubernetes - * resource. - * - * Note that when a namespace different than the local namespace is specified, a - * ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * - * When the BackendRef points to a Kubernetes Service, implementations SHOULD - * honor the appProtocol field if it is set for the target Service Port. - * - * Implementations supporting appProtocol SHOULD recognize the Kubernetes - * Standard Application Protocols defined in KEP-3726. - * - * If a Service appProtocol isn't specified, an implementation MAY infer the - * backend protocol through its own means. Implementations MAY infer the - * protocol from the Route type referring to the backend Service. - * - * If a Route is not able to send traffic to the backend using the specified - * protocol then the backend is considered invalid. Implementations MUST set the - * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - * - * - * Note that when the BackendTLSPolicy object is enabled by the implementation, - * there are some extra rules about validity to consider here. See the fields - * where this struct is used for more information about the exact behavior. - */ - interface TLSRouteSpecRulesBackendRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. 
- */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port: number; - /** - * Weight specifies the proportion of requests forwarded to the referenced - * backend. This is computed as weight/(sum of all weights in this - * BackendRefs list). For non-zero values, there may be some epsilon from - * the exact proportion defined here depending on the precision an - * implementation supports. Weight is not a percentage and the sum of - * weights does not need to equal 100. 
- * - * If only one backend is specified and it has a weight greater than 0, 100% - * of the traffic is forwarded to that backend. If weight is set to 0, no - * traffic should be forwarded for this entry. If unspecified, weight - * defaults to 1. - * - * Support for this field varies based on the context where used. - */ - weight: number; - } - /** - * BackendRef defines how a Route should forward a request to a Kubernetes - * resource. - * - * Note that when a namespace different than the local namespace is specified, a - * ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * - * When the BackendRef points to a Kubernetes Service, implementations SHOULD - * honor the appProtocol field if it is set for the target Service Port. - * - * Implementations supporting appProtocol SHOULD recognize the Kubernetes - * Standard Application Protocols defined in KEP-3726. - * - * If a Service appProtocol isn't specified, an implementation MAY infer the - * backend protocol through its own means. Implementations MAY infer the - * protocol from the Route type referring to the backend Service. - * - * If a Route is not able to send traffic to the backend using the specified - * protocol then the backend is considered invalid. Implementations MUST set the - * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - * - * - * Note that when the BackendTLSPolicy object is enabled by the implementation, - * there are some extra rules about validity to consider here. See the fields - * where this struct is used for more information about the exact behavior. - */ - interface TLSRouteSpecRulesBackendRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. 
- */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port: number; - /** - * Weight specifies the proportion of requests forwarded to the referenced - * backend. This is computed as weight/(sum of all weights in this - * BackendRefs list). For non-zero values, there may be some epsilon from - * the exact proportion defined here depending on the precision an - * implementation supports. Weight is not a percentage and the sum of - * weights does not need to equal 100. 
- * - * If only one backend is specified and it has a weight greater than 0, 100% - * of the traffic is forwarded to that backend. If weight is set to 0, no - * traffic should be forwarded for this entry. If unspecified, weight - * defaults to 1. - * - * Support for this field varies based on the context where used. - */ - weight: number; - } - /** - * TLSRouteRule is the configuration for a given rule. - */ - interface TLSRouteSpecRulesPatch { - /** - * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or - * a Service with no endpoints), the rule performs no forwarding; if no - * filters are specified that would result in a response being sent, the - * underlying implementation must actively reject request attempts to this - * backend, by rejecting the connection or returning a 500 status code. - * Request rejections must respect weight; if an invalid backend is - * requested to have 80% of requests, then 80% of requests must be rejected - * instead. - * - * Support: Core for Kubernetes Service - * - * Support: Extended for Kubernetes ServiceImport - * - * Support: Implementation-specific for any other resource - * - * Support for weight: Extended - */ - backendRefs: outputs.gateway.v1alpha3.TLSRouteSpecRulesBackendRefsPatch[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; - } - /** - * Status defines the current state of TLSRoute. - */ - interface TLSRouteStatus { - /** - * Parents is a list of parent resources (usually Gateways) that are - * associated with the route, and the status of the route with respect to - * each parent. When this route attaches to a parent, the controller that - * manages the parent must add an entry to this list when the controller - * first sees the route and should update the entry as appropriate when the - * route or gateway is modified. 
- * - * Note that parent references that cannot be resolved by an implementation - * of this API will not be added to this list. Implementations of this API - * can only populate Route status for the Gateways/parent resources they are - * responsible for. - * - * A maximum of 32 Gateways will be represented in this list. An empty list - * means the route has not been attached to any Gateway. - */ - parents: outputs.gateway.v1alpha3.TLSRouteStatusParents[]; - } - /** - * RouteParentStatus describes the status of a route with respect to an - * associated Parent. - */ - interface TLSRouteStatusParents { - /** - * Conditions describes the status of the route with respect to the Gateway. - * Note that the route's availability is also subject to the Gateway's own - * status conditions and listener status. - * - * If the Route's ParentRef specifies an existing Gateway that supports - * Routes of this kind AND that Gateway's controller has sufficient access, - * then that Gateway's controller MUST set the "Accepted" condition on the - * Route, to indicate whether the route has been accepted or rejected by the - * Gateway, and why. - * - * A Route MUST be considered "Accepted" if at least one of the Route's - * rules is implemented by the Gateway. - * - * There are a number of cases where the "Accepted" condition may not be set - * due to lack of controller visibility, that includes when: - * - * * The Route refers to a nonexistent parent. - * * The Route is of a type that the controller does not support. - * * The Route is in a namespace the controller does not have access to. - */ - conditions: outputs.gateway.v1alpha3.TLSRouteStatusParentsConditions[]; - /** - * ControllerName is a domain/path string that indicates the name of the - * controller that wrote this status. This corresponds with the - * controllerName field on GatewayClass. - * - * Example: "example.net/gateway-controller". 
- * - * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - * valid Kubernetes names - * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - * - * Controllers MUST populate this field when writing status. Controllers should ensure that - * entries to status populated with their ControllerName are cleaned up when they are no - * longer necessary. - */ - controllerName: string; - parentRef: outputs.gateway.v1alpha3.TLSRouteStatusParentsParentRef; - } - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - interface TLSRouteStatusParentsConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. 
- */ - type: string; - } - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - interface TLSRouteStatusParentsConditionsPatch { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - /** - * ParentRef corresponds with a ParentRef in the spec that this - * RouteParentStatus struct describes the status of. - */ - interface TLSRouteStatusParentsParentRef { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group: string; - /** - * Kind is kind of the referent. 
- * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind: string; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name: string; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace: string; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. 
When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. - * - * Support: Extended - */ - port: number; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. 
- * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName: string; - } - /** - * ParentRef corresponds with a ParentRef in the spec that this - * RouteParentStatus struct describes the status of. - */ - interface TLSRouteStatusParentsParentRefPatch { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group: string; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind: string; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name: string; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. 
- * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace: string; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. - * - * Support: Extended - */ - port: number; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName: string; - } - /** - * RouteParentStatus describes the status of a route with respect to an - * associated Parent. - */ - interface TLSRouteStatusParentsPatch { - /** - * Conditions describes the status of the route with respect to the Gateway. - * Note that the route's availability is also subject to the Gateway's own - * status conditions and listener status. 
- * - * If the Route's ParentRef specifies an existing Gateway that supports - * Routes of this kind AND that Gateway's controller has sufficient access, - * then that Gateway's controller MUST set the "Accepted" condition on the - * Route, to indicate whether the route has been accepted or rejected by the - * Gateway, and why. - * - * A Route MUST be considered "Accepted" if at least one of the Route's - * rules is implemented by the Gateway. - * - * There are a number of cases where the "Accepted" condition may not be set - * due to lack of controller visibility, that includes when: - * - * * The Route refers to a nonexistent parent. - * * The Route is of a type that the controller does not support. - * * The Route is in a namespace the controller does not have access to. - */ - conditions: outputs.gateway.v1alpha3.TLSRouteStatusParentsConditionsPatch[]; - /** - * ControllerName is a domain/path string that indicates the name of the - * controller that wrote this status. This corresponds with the - * controllerName field on GatewayClass. - * - * Example: "example.net/gateway-controller". - * - * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - * valid Kubernetes names - * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - * - * Controllers MUST populate this field when writing status. Controllers should ensure that - * entries to status populated with their ControllerName are cleaned up when they are no - * longer necessary. - */ - controllerName: string; - parentRef: outputs.gateway.v1alpha3.TLSRouteStatusParentsParentRefPatch; - } - /** - * Status defines the current state of TLSRoute. - */ - interface TLSRouteStatusPatch { - /** - * Parents is a list of parent resources (usually Gateways) that are - * associated with the route, and the status of the route with respect to - * each parent. 
When this route attaches to a parent, the controller that - * manages the parent must add an entry to this list when the controller - * first sees the route and should update the entry as appropriate when the - * route or gateway is modified. - * - * Note that parent references that cannot be resolved by an implementation - * of this API will not be added to this list. Implementations of this API - * can only populate Route status for the Gateways/parent resources they are - * responsible for. - * - * A maximum of 32 Gateways will be represented in this list. An empty list - * means the route has not been attached to any Gateway. - */ - parents: outputs.gateway.v1alpha3.TLSRouteStatusParentsPatch[]; - } } namespace v1beta1 { /** @@ -42457,6 +34525,7 @@ export declare namespace gateway { * GatewayClass describes a class of Gateways available to the user for creating * Gateway resources. * + * * It is recommended that this resource be used as a template for Gateways. This * means that a Gateway is based on the state of the GatewayClass at the time it * was created and changes to the GatewayClass or associated parameters are not @@ -42465,11 +34534,13 @@ export declare namespace gateway { * If implementations choose to propagate GatewayClass changes to existing * Gateways, that MUST be clearly documented by the implementation. * + * * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the * associated GatewayClass. This ensures that a GatewayClass associated with a * Gateway is not deleted while in use. * + * * GatewayClass is a Cluster level resource. */ interface GatewayClass { 
@@ -42496,10 +34567,13 @@ export declare namespace gateway { * ControllerName is the name of the controller that is managing Gateways of * this class. The value of this field MUST be a domain prefixed path. * + * * Example: "example.net/gateway-controller". * + * * This field is not mutable and cannot be empty. * + * * Support: Core */ controllerName: string; @@ -42514,19 +34588,21 @@ export declare namespace gateway { * parameters corresponding to the GatewayClass. This is optional if the * controller does not require any additional configuration. * + * * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, * or an implementation-specific custom resource. The resource can be * cluster-scoped or namespace-scoped. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the GatewayClass SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. + * + * If the referent cannot be found, the GatewayClass's "InvalidParameters" + * status condition will be true. + * * * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * + * * Support: Implementation-specific */ interface GatewayClassSpecParametersRef { 
@@ -42554,19 +34630,21 @@ export declare namespace gateway { * parameters corresponding to the GatewayClass. This is optional if the * controller does not require any additional configuration. * + * * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, * or an implementation-specific custom resource. The resource can be * cluster-scoped or namespace-scoped. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the GatewayClass SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. + * + * If the referent cannot be found, the GatewayClass's "InvalidParameters" + * status condition will be true. + * * * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * + * * Support: Implementation-specific */ interface GatewayClassSpecParametersRefPatch { @@ -42597,10 +34675,13 @@ export declare namespace gateway { * ControllerName is the name of the controller that is managing Gateways of * this class. The value of this field MUST be a domain prefixed path. * + * * Example: "example.net/gateway-controller". * + * * This field is not mutable and cannot be empty. * + * * Support: Core */ controllerName: string; @@ -42613,6 +34694,7 @@ export declare namespace gateway { /** * Status defines the current state of GatewayClass. * + * * Implementations MUST populate status on all GatewayClass resources which * specify their controller name. */ 
@@ -42621,18 +34703,35 @@ export declare namespace gateway { * Conditions is the current status from the controller for * this GatewayClass. * + * * Controllers should prefer to publish conditions using values * of GatewayClassConditionType for the type of each Condition. */ conditions: outputs.gateway.v1beta1.GatewayClassStatusConditions[]; /** * SupportedFeatures is the set of features the GatewayClass support. - * It MUST be sorted in ascending alphabetical order by the Name key. + * It MUST be sorted in ascending alphabetical order. */ - supportedFeatures: outputs.gateway.v1beta1.GatewayClassStatusSupportedFeatures[]; + supportedFeatures: string[]; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayClassStatusConditions { /** 
@@ -42665,11 +34764,31 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayClassStatusConditionsPatch { /** @@ -42702,12 +34821,17 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Status defines the current state of GatewayClass. * + * * Implementations MUST populate status on all GatewayClass resources which * specify their controller name. */ 
@@ -42716,29 +34840,16 @@ export declare namespace gateway { * Conditions is the current status from the controller for * this GatewayClass. * + * * Controllers should prefer to publish conditions using values * of GatewayClassConditionType for the type of each Condition. */ conditions: outputs.gateway.v1beta1.GatewayClassStatusConditionsPatch[]; /** * SupportedFeatures is the set of features the GatewayClass support. - * It MUST be sorted in ascending alphabetical order by the Name key. + * It MUST be sorted in ascending alphabetical order. */ - supportedFeatures: outputs.gateway.v1beta1.GatewayClassStatusSupportedFeaturesPatch[]; - } - interface GatewayClassStatusSupportedFeatures { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. - */ - name: string; - } - interface GatewayClassStatusSupportedFeaturesPatch { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. - */ - name: string; + supportedFeatures: string[]; } /** * Spec defines the desired state of Gateway. @@ -42748,7 +34859,8 @@ export declare namespace gateway { * Addresses requested for this Gateway. This is optional and behavior can * depend on the implementation. If a value is set in the spec and the * requested address is invalid or unavailable, the implementation MUST - * indicate this in an associated entry in GatewayStatus.Conditions. + * indicate this in the associated entry in GatewayStatus.Addresses. + * * * The Addresses field represents a request for the address(es) on the * "outside of the Gateway", that traffic bound for this Gateway will use. 
@@ -42756,38 +34868,20 @@ export declare namespace gateway { * other networking infrastructure, or some other address that traffic will * be sent to. * + * * If no Addresses are specified, the implementation MAY schedule the * Gateway in an implementation-specific manner, assigning an appropriate * set of Addresses. * + * * The implementation MUST bind all Listeners to every GatewayAddress that * it assigns to the Gateway and add a corresponding entry in * GatewayStatus.Addresses. * + * * Support: Extended */ addresses: outputs.gateway.v1beta1.GatewaySpecAddresses[]; - allowedListeners: outputs.gateway.v1beta1.GatewaySpecAllowedListeners; - /** - * DefaultScope, when set, configures the Gateway as a default Gateway, - * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) - * attached to it, according to the scope configured here. - * - * If unset (the default) or set to None, the Gateway will not act as a - * default Gateway; if set, the Gateway will claim any Route with a - * matching scope set in its UseDefaultGateway field, subject to the usual - * rules about which routes the Gateway can attach to. - * - * Think carefully before using this functionality! While the normal rules - * about which Route can apply are still enforced, it is simply easier for - * the wrong Route to be accidentally attached to this Gateway in this - * configuration. If the Gateway operator is not also the operator in - * control of the scope (e.g. namespace) with tight controls and checks on - * what kind of workloads and Routes get added in that scope, we strongly - * recommend not using this just because it seems convenient, and instead - * stick to direct Route attachment. - */ - defaultScope: string; /** * GatewayClassName used for this Gateway. This is the name of a * GatewayClass resource. 
@@ -42799,7 +34893,6 @@ export declare namespace gateway { * logical endpoints that are bound on this Gateway's addresses. * At least one Listener MUST be specified. * - * ## Distinct Listeners * * Each Listener in a set of Listeners (for example, in a single Gateway) * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to 
@@ -42808,107 +34901,97 @@ export declare namespace gateway { * from multiple Gateways onto a single data plane, and these rules _also_ * apply in that case). * + * * Practically, this means that each listener in a set MUST have a unique * combination of Port, Protocol, and, if supported by the protocol, Hostname. * - * Some combinations of port, protocol, and TLS settings are considered - * Core support and MUST be supported by implementations based on the objects - * they support: * - * HTTPRoute + * Some combinations of port, protocol, and TLS settings are considered + * Core support and MUST be supported by implementations based on their + * targeted conformance profile: + * + * + * HTTP Profile + * * * 1. HTTPRoute, Port: 80, Protocol: HTTP * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided * - * TLSRoute + * + * TLS Profile + * * * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough * + * * "Distinct" Listeners have the following property: * - * **The implementation can match inbound requests to a single distinct - * Listener**. * - * When multiple Listeners share values for fields (for + * The implementation can match inbound requests to a single distinct + * Listener. When multiple Listeners share values for fields (for * example, two Listeners with the same Port value), the implementation * can match requests to only one of the Listeners using other * Listener fields. * - * When multiple listeners have the same value for the Protocol field, then - * each of the Listeners with matching Protocol values MUST have different - * values for other fields. * - * The set of fields that MUST be different for a Listener differs per protocol. - * The following rules define the rules for what fields MUST be considered for - * Listeners to be distinct with each protocol currently defined in the - * Gateway API spec. 
+ * For example, the following Listener scenarios are distinct: * - * The set of listeners that all share a protocol value MUST have _different_ - * values for _at least one_ of these fields to be distinct: * - * * **HTTP, HTTPS, TLS**: Port, Hostname - * * **TCP, UDP**: Port + * 1. Multiple Listeners with the same Port that all use the "HTTP" + * Protocol that all have unique Hostname values. + * 2. Multiple Listeners with the same Port that use either the "HTTPS" or + * "TLS" Protocol that all have unique Hostname values. + * 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + * with the same Protocol has the same Port value. * - * One **very** important rule to call out involves what happens when an - * implementation: * - * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - * Listeners, and - * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - * Protocol. + * Some fields in the Listener struct have possible values that affect + * whether the Listener is distinct. Hostname is particularly relevant + * for HTTP or HTTPS protocols. * - * In this case all the Listeners that share a port with the - * TCP Listener are not distinct and so MUST NOT be accepted. * - * If an implementation does not support TCP Protocol Listeners, then the - * previous rule does not apply, and the TCP Listeners SHOULD NOT be - * accepted. + * When using the Hostname value to select between same-Port, same-Protocol + * Listeners, the Hostname value must be different on each Listener for the + * Listener to be distinct. * - * Note that the `tls` field is not used for determining if a listener is distinct, because - * Listeners that _only_ differ on TLS config will still conflict in all cases. 
* - * ### Listeners that are distinct only by Hostname - * - * When the Listeners are distinct based only on Hostname, inbound request + * When the Listeners are distinct based on Hostname, inbound request * hostnames MUST match from the most specific to least specific Hostname * values to choose the correct Listener and its associated set of Routes. * - * Exact matches MUST be processed before wildcard matches, and wildcard - * matches MUST be processed before fallback (empty Hostname value) + * + * Exact matches must be processed before wildcard matches, and wildcard + * matches must be processed before fallback (empty Hostname value) * matches. For example, `"foo.example.com"` takes precedence over * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. * + * * Additionally, if there are multiple wildcard entries, more specific * wildcard entries must be processed before less specific wildcard entries. * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. - * * The precise definition here is that the higher the number of dots in the * hostname to the right of the wildcard character, the higher the precedence. * + * * The wildcard character will match any number of characters _and dots_ to * the left, however, so `"*.example.com"` will match both * `"foo.bar.example.com"` _and_ `"bar.example.com"`. * - * ## Handling indistinct Listeners * * If a set of Listeners contains Listeners that are not distinct, then those - * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + * Listeners are Conflicted, and the implementation MUST set the "Conflicted" * condition in the Listener Status to "True". * - * The words "indistinct" and "conflicted" are considered equivalent for the - * purpose of this documentation. * * Implementations MAY choose to accept a Gateway with some Conflicted * Listeners only if they only accept the partial Listener set that contains - * no Conflicted Listeners. 
+ * no Conflicted Listeners. To put this another way, implementations may + * accept a partial Listener set only if they throw out *all* the conflicting + * Listeners. No picking one of the conflicting listeners as the winner. + * This also means that the Gateway must have at least one non-conflicting + * Listener in this case, otherwise it violates the requirement that at + * least one Listener must be present. * - * Specifically, an implementation MAY accept a partial Listener set subject to - * the following rules: - * - * * The implementation MUST NOT pick one conflicting Listener as the winner. - * ALL indistinct Listeners must not be accepted for processing. - * * At least one distinct Listener MUST be present, or else the Gateway effectively - * contains _no_ Listeners, and must be rejected from processing as a whole. * * The implementation MUST set a "ListenersNotValid" condition on the * Gateway Status when the Gateway contains Conflicted Listeners whether or 
@@ -42917,51 +35000,44 @@ export declare namespace gateway { * Accepted. Additionally, the Listener status for those listeners SHOULD * indicate which Listeners are conflicted and not Accepted. * - * ## General Listener behavior * - * Note that, for all distinct Listeners, requests SHOULD match at most one Listener. - * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - * request to "foo.example.com" SHOULD only be routed using routes attached - * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * A Gateway's Listeners are considered "compatible" if: * - * This concept is known as "Listener Isolation", and it is an Extended feature - * of Gateway API. Implementations that do not support Listener Isolation MUST - * clearly document this, and MUST NOT claim support for the - * `GatewayHTTPListenerIsolation` feature. - * - * Implementations that _do_ support Listener Isolation SHOULD claim support - * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - * conformance tests. - * - * ## Compatible Listeners - * - * A Gateway's Listeners are considered _compatible_ if: * * 1. They are distinct. * 2. The implementation can serve them in compliance with the Addresses * requirement that all Listeners are available on all assigned * addresses. * + * * Compatible combinations in Extended support are expected to vary across * implementations. A combination that is compatible for one implementation * may not be compatible for another. * + * * For example, an implementation that cannot serve both TCP and UDP listeners * on the same address, or cannot mix HTTPS and generic TLS listens on the same port * would not consider those cases compatible, even though they are distinct. * + * + * Note that requests SHOULD match at most one Listener. 
For example, if + * Listeners are defined for "foo.example.com" and "*.example.com", a + * request to "foo.example.com" SHOULD only be routed using routes attached + * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * This concept is known as "Listener Isolation". Implementations that do + * not support Listener Isolation MUST clearly document this. + * + * * Implementations MAY merge separate Gateways onto a single set of * Addresses if all Listeners across all Gateways are compatible. * - * In a future release the MinItems=1 requirement MAY be dropped. * * Support: Core */ listeners: outputs.gateway.v1beta1.GatewaySpecListeners[]; - tls: outputs.gateway.v1beta1.GatewaySpecTls; } /** - * GatewaySpecAddress describes an address that can be bound to a Gateway. + * GatewayAddress describes an address that can be bound to a Gateway. */ interface GatewaySpecAddresses { /** @@ -42969,18 +35045,16 @@ export declare namespace gateway { */ type: string; /** - * When a value is unspecified, an implementation SHOULD automatically - * assign an address matching the requested type if possible. + * Value of the address. The validity of the values will depend + * on the type and support by the controller. * - * If an implementation does not support an empty value, they MUST set the - * "Programmed" condition in status to False with a reason of "AddressNotAssigned". * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value: string; } /** - * GatewaySpecAddress describes an address that can be bound to a Gateway. + * GatewayAddress describes an address that can be bound to a Gateway. */ interface GatewaySpecAddressesPatch { /** 
@@ -42988,164 +35062,32 @@ export declare namespace gateway { */ type: string; /** - * When a value is unspecified, an implementation SHOULD automatically - * assign an address matching the requested type if possible. + * Value of the address. The validity of the values will depend + * on the type and support by the controller. * - * If an implementation does not support an empty value, they MUST set the - * "Programmed" condition in status to False with a reason of "AddressNotAssigned". * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value: string; } - /** - * AllowedListeners defines which ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - interface GatewaySpecAllowedListeners { - namespaces: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespaces; - } - /** - * Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - interface GatewaySpecAllowedListenersNamespaces { - /** - * From indicates where ListenerSets can attach to this Gateway. Possible - * values are: - * - * * Same: Only ListenerSets in the same namespace may be attached to this Gateway. - * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. - * * All: ListenerSets in all namespaces may be attached to this Gateway. - * * None: Only listeners defined in the Gateway's spec are allowed - * - * While this feature is experimental, the default value None - */ - from: string; - selector: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelector; - } - /** - * Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. 
- */ - interface GatewaySpecAllowedListenersNamespacesPatch { - /** - * From indicates where ListenerSets can attach to this Gateway. Possible - * values are: - * - * * Same: Only ListenerSets in the same namespace may be attached to this Gateway. - * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. - * * All: ListenerSets in all namespaces may be attached to this Gateway. - * * None: Only listeners defined in the Gateway's spec are allowed - * - * While this feature is experimental, the default value None - */ - from: string; - selector: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorPatch; - } - /** - * Selector must be specified when From is set to "Selector". In that case, - * only ListenerSets in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - */ - interface GatewaySpecAllowedListenersNamespacesSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - /** - * Selector must be specified when From is set to "Selector". In that case, - * only ListenerSets in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - */ - interface GatewaySpecAllowedListenersNamespacesSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: { - [key: string]: string; - }; - } - /** - * AllowedListeners defines which ListenerSets can be attached to this Gateway. 
- * While this feature is experimental, the default value is to allow no ListenerSets. - */ - interface GatewaySpecAllowedListenersPatch { - namespaces: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesPatch; - } /** * Infrastructure defines infrastructure level attributes about this Gateway instance. * - * Support: Extended + * + * Support: Core */ interface GatewaySpecInfrastructure { /** * Annotations that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. * + * * An implementation may chose to add additional implementation-specific annotations as they see fit. * + * * Support: Extended */ annotations: { @@ -43154,13 +35096,13 @@ export declare namespace gateway { /** * Labels that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. * For other implementations, this refers to any relevant (implementation specific) "labels" concepts. * + * * An implementation may chose to add additional implementation-specific labels as they see fit. * - * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - * change, it SHOULD clearly warn about this behavior in documentation. * * Support: Extended */ 
@@ -43174,16 +35116,14 @@ export declare namespace gateway { * parameters corresponding to the Gateway. This is optional if the * controller does not require any additional configuration. * + * * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis * + * * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Gateway SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. * * Support: Implementation-specific */ @@ -43206,16 +35146,14 @@ export declare namespace gateway { * parameters corresponding to the Gateway. This is optional if the * controller does not require any additional configuration. * + * * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis * + * * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Gateway SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. * * Support: Implementation-specific */ 
@@ -43236,17 +35174,21 @@ export declare namespace gateway { /** * Infrastructure defines infrastructure level attributes about this Gateway instance. * - * Support: Extended + * + * Support: Core */ interface GatewaySpecInfrastructurePatch { /** * Annotations that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. * + * * An implementation may chose to add additional implementation-specific annotations as they see fit. * + * * Support: Extended */ annotations: { @@ -43255,13 +35197,13 @@ export declare namespace gateway { /** * Labels that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. * For other implementations, this refers to any relevant (implementation specific) "labels" concepts. * + * * An implementation may chose to add additional implementation-specific labels as they see fit. * - * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - * change, it SHOULD clearly warn about this behavior in documentation. * * Support: Extended */ 
@@ -43282,36 +35224,18 @@ export declare namespace gateway { * field is ignored for protocols that don't require hostname based * matching. * + * * Implementations MUST apply Hostname matching appropriately for each of * the following protocols: * + * * * TLS: The Listener Hostname MUST match the SNI. * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - * Note that this does not require the SNI and Host header to be the same. - * The semantics of this are described in more detail below. + * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + * protocol layers as described above. If an implementation does not + * ensure that both the SNI and Host header match the Listener hostname, + * it MUST clearly document that. * - * To ensure security, Section 11.1 of RFC-6066 emphasizes that server - * implementations that rely on SNI hostname matching MUST also verify - * hostnames within the application protocol. - * - * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - * reuse of a connection by responding with the HTTP 421 Misdirected Request - * status code. This indicates that the origin server has rejected the - * request because it appears to have been misdirected. - * - * To detect misdirected requests, Gateways SHOULD match the authority of - * the requests with all the SNI hostname(s) configured across all the - * Gateway Listeners on the same port and protocol: - * - * * If another Listener has an exact match or more specific wildcard entry, - * the Gateway SHOULD return a 421. - * * If the current Listener (selected by SNI matching during ClientHello) - * does not match the Host: - * * If another Listener does match the Host the Gateway SHOULD return a - * 421. - * * If no other Listener matches the Host, the Gateway MUST return a - * 404. 
* * For HTTPRoute and TLSRoute resources, there is an interaction with the * `spec.hostnames` array. When both listener and route specify hostnames, @@ -43319,10 +35243,12 @@ export declare namespace gateway { * accepted. For more information, refer to the Route specific Hostnames * documentation. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * Support: Core */ hostname: string; @@ -43330,6 +35256,7 @@ export declare namespace gateway { * Name is the name of the Listener. This name MUST be unique within a * Gateway. * + * * Support: Core */ name: string; @@ -43337,12 +35264,14 @@ export declare namespace gateway { * Port is the network port. Multiple listeners may use the * same port, subject to the Listener compatibility rules. * + * * Support: Core */ port: number; /** * Protocol specifies the network protocol this listener expects to receive. * + * * Support: Core */ protocol: string; @@ -43353,10 +35282,12 @@ export declare namespace gateway { * Listener and the trusted namespaces where those Route resources MAY be * present. * + * * Although a client request may match multiple route rules, only one rule * may ultimately receive the request. Matching precedence MUST be * determined in order of the following criteria: * + * * * The most specific match as defined by the Route type. * * The oldest Route based on creation timestamp. For example, a Route with * a creation timestamp of "2020-09-08 01:02:03" is given precedence over 
@@ -43365,6 +35296,7 @@ export declare namespace gateway { * alphabetical order (namespace/name) should be given precedence. For * example, foo/bar is given precedence over foo/baz. * + * * All valid rules within a Route attached to this Listener should be * implemented. Invalid Route rules can be ignored (sometimes that will mean * the full Route). If a Route rule transitions from valid to invalid, @@ -43372,6 +35304,7 @@ export declare namespace gateway { * example, even if a filter specified by a Route rule is invalid, the rest * of the rules within that Route should still be supported. * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutes { @@ -43380,12 +35313,14 @@ export declare namespace gateway { * to this Gateway Listener. When unspecified or empty, the kinds of Routes * selected are determined using the Listener protocol. * + * * A RouteGroupKind MUST correspond to kinds of Routes that are compatible * with the application protocol specified in the Listener's Protocol field. * If an implementation does not support or recognize this resource type, it * MUST set the "ResolvedRefs" condition to False for this Listener with the * "InvalidRouteKinds" reason. * + * * Support: Core */ kinds: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesKinds[]; @@ -43421,6 +35356,7 @@ export declare namespace gateway { * Namespaces indicates namespaces from which Routes may be attached to this * Listener. This is restricted to the namespace of this Gateway by default. * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesNamespaces { 
@@ -43428,11 +35364,13 @@ export declare namespace gateway { * From indicates where Routes will be selected for this Gateway. Possible * values are: * + * * * All: Routes in all namespaces may be used by this Gateway. * * Selector: Routes in namespaces selected by the selector may be used by * this Gateway. * * Same: Only Routes in the same namespace may be used by this Gateway. * + * * Support: Core */ from: string; @@ -43442,6 +35380,7 @@ export declare namespace gateway { * Namespaces indicates namespaces from which Routes may be attached to this * Listener. This is restricted to the namespace of this Gateway by default. * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesNamespacesPatch { @@ -43449,11 +35388,13 @@ export declare namespace gateway { * From indicates where Routes will be selected for this Gateway. Possible * values are: * + * * * All: Routes in all namespaces may be used by this Gateway. * * Selector: Routes in namespaces selected by the selector may be used by * this Gateway. * * Same: Only Routes in the same namespace may be used by this Gateway. * + * * Support: Core */ from: string; @@ -43464,6 +35405,7 @@ export declare namespace gateway { * only Routes in Namespaces matching this Selector will be selected by this * Gateway. This field is ignored for other values of "From". * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesNamespacesSelector { @@ -43529,6 +35471,7 @@ export declare namespace gateway { * only Routes in Namespaces matching this Selector will be selected by this * Gateway. This field is ignored for other values of "From". * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch { 
@@ -43550,10 +35493,12 @@ export declare namespace gateway { * Listener and the trusted namespaces where those Route resources MAY be * present. * + * * Although a client request may match multiple route rules, only one rule * may ultimately receive the request. Matching precedence MUST be * determined in order of the following criteria: * + * * * The most specific match as defined by the Route type. * * The oldest Route based on creation timestamp. For example, a Route with * a creation timestamp of "2020-09-08 01:02:03" is given precedence over @@ -43562,6 +35507,7 @@ export declare namespace gateway { * alphabetical order (namespace/name) should be given precedence. For * example, foo/bar is given precedence over foo/baz. * + * * All valid rules within a Route attached to this Listener should be * implemented. Invalid Route rules can be ignored (sometimes that will mean * the full Route). If a Route rule transitions from valid to invalid, @@ -43569,6 +35515,7 @@ export declare namespace gateway { * example, even if a filter specified by a Route rule is invalid, the rest * of the rules within that Route should still be supported. * + * * Support: Core */ interface GatewaySpecListenersAllowedRoutesPatch { @@ -43577,12 +35524,14 @@ export declare namespace gateway { * to this Gateway Listener. When unspecified or empty, the kinds of Routes * selected are determined using the Listener protocol. * + * * A RouteGroupKind MUST correspond to kinds of Routes that are compatible * with the application protocol specified in the Listener's Protocol field. * If an implementation does not support or recognize this resource type, it * MUST set the "ResolvedRefs" condition to False for this Listener with the * "InvalidRouteKinds" reason. * + * * Support: Core */ kinds: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesKindsPatch[]; 
@@ -43600,36 +35549,18 @@ export declare namespace gateway { * field is ignored for protocols that don't require hostname based * matching. * + * * Implementations MUST apply Hostname matching appropriately for each of * the following protocols: * + * * * TLS: The Listener Hostname MUST match the SNI. * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - * Note that this does not require the SNI and Host header to be the same. - * The semantics of this are described in more detail below. + * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + * protocol layers as described above. If an implementation does not + * ensure that both the SNI and Host header match the Listener hostname, + * it MUST clearly document that. * - * To ensure security, Section 11.1 of RFC-6066 emphasizes that server - * implementations that rely on SNI hostname matching MUST also verify - * hostnames within the application protocol. - * - * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - * reuse of a connection by responding with the HTTP 421 Misdirected Request - * status code. This indicates that the origin server has rejected the - * request because it appears to have been misdirected. - * - * To detect misdirected requests, Gateways SHOULD match the authority of - * the requests with all the SNI hostname(s) configured across all the - * Gateway Listeners on the same port and protocol: - * - * * If another Listener has an exact match or more specific wildcard entry, - * the Gateway SHOULD return a 421. - * * If the current Listener (selected by SNI matching during ClientHello) - * does not match the Host: - * * If another Listener does match the Host the Gateway SHOULD return a - * 421. - * * If no other Listener matches the Host, the Gateway MUST return a - * 404. 
* * For HTTPRoute and TLSRoute resources, there is an interaction with the * `spec.hostnames` array. When both listener and route specify hostnames, @@ -43637,10 +35568,12 @@ export declare namespace gateway { * accepted. For more information, refer to the Route specific Hostnames * documentation. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * Support: Core */ hostname: string; @@ -43648,6 +35581,7 @@ export declare namespace gateway { * Name is the name of the Listener. This name MUST be unique within a * Gateway. * + * * Support: Core */ name: string; @@ -43655,12 +35589,14 @@ export declare namespace gateway { * Port is the network port. Multiple listeners may use the * same port, subject to the Listener compatibility rules. * + * * Support: Core */ port: number; /** * Protocol specifies the network protocol this listener expects to receive. * + * * Support: Core */ protocol: string; @@ -43671,12 +35607,15 @@ export declare namespace gateway { * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field * if the Protocol field is "HTTP", "TCP", or "UDP". * - * The association of SNIs to Certificate defined in ListenerTLSConfig is + * + * The association of SNIs to Certificate defined in GatewayTLSConfig is * defined based on the Hostname field for this listener. * + * * The GatewayClass MUST use the longest matching SNI out of all * available certificates for any TLS handshake. * + * * Support: Core */ interface GatewaySpecListenersTls { 
@@ -43686,31 +35625,39 @@ export declare namespace gateway { * establish a TLS handshake for requests that match the hostname of the * associated listener. * + * * A single CertificateRef to a Kubernetes Secret has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a Listener, but this behavior is implementation-specific. * + * * References to a resource in different namespace are invalid UNLESS there * is a ReferenceGrant in the target namespace that allows the certificate * to be attached. If a ReferenceGrant does not allow this reference, the * "ResolvedRefs" condition MUST be set to False for this listener with the * "RefNotPermitted" reason. * + * * This field is required to have at least one element when the mode is set * to "Terminate" (default) and is optional otherwise. * + * * CertificateRefs can reference to standard Kubernetes resources, i.e. * Secret, or implementation-specific custom resources. * + * * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls * + * * Support: Implementation-specific (More than one reference or other resource types) */ certificateRefs: outputs.gateway.v1beta1.GatewaySpecListenersTlsCertificateRefs[]; + frontendValidation: outputs.gateway.v1beta1.GatewaySpecListenersTlsFrontendValidation; /** * Mode defines the TLS behavior for the TLS session initiated by the client. * There are two possible modes: * + * * - Terminate: The TLS session between the downstream client and the * Gateway is terminated at the Gateway. This mode requires certificates * to be specified in some way, such as populating the certificateRefs @@ -43720,6 +35667,7 @@ export declare namespace gateway { * the ClientHello message of the TLS protocol. The certificateRefs field * is ignored in this mode. * + * * Support: Core */ mode: string; 
@@ -43728,11 +35676,13 @@ export declare namespace gateway { * configuration for each implementation. For example, configuring the * minimum TLS version or supported cipher suites. * + * * A set of common keys MAY be defined by the API in the future. To avoid * any ambiguity, implementation-specific definitions MUST use * domain-prefixed names, such as `example.com/my-custom-option`. * Un-prefixed names are reserved for key names defined by Gateway API. * + * * Support: Implementation-specific */ options: { @@ -43743,9 +35693,11 @@ export declare namespace gateway { * SecretObjectReference identifies an API object including its namespace, * defaulting to Secret. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. @@ -43768,11 +35720,13 @@ export declare namespace gateway { * Namespace is the namespace of the referenced object. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -43781,9 +35735,11 @@ export declare namespace gateway { * SecretObjectReference identifies an API object including its namespace, * defaulting to Secret. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. 
@@ -43806,26 +35762,193 @@ export declare namespace gateway { * Namespace is the namespace of the referenced object. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; } + /** + * FrontendValidation holds configuration information for validating the frontend (client). + * Setting this field will require clients to send a client certificate + * required for validation during the TLS handshake. In browsers this may result in a dialog appearing + * that requests a user to specify the client certificate. + * The maximum depth of a certificate chain accepted in verification is Implementation specific. + * + * + * Support: Extended + */ + interface GatewaySpecListenersTlsFrontendValidation { + /** + * CACertificateRefs contains one or more references to + * Kubernetes objects that contain TLS certificates of + * the Certificate Authorities that can be used + * as a trust anchor to validate the certificates presented by the client. + * + * + * A single CA certificate reference to a Kubernetes ConfigMap + * has "Core" support. + * Implementations MAY choose to support attaching multiple CA certificates to + * a Listener, but this behavior is implementation-specific. + * + * + * Support: Core - A single reference to a Kubernetes ConfigMap + * with the CA certificate in a key named `ca.crt`. + * + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). + * + * + * References to a resource in a different namespace are invalid UNLESS there + * is a ReferenceGrant in the target namespace that allows the certificate + * to be attached. 
If a ReferenceGrant does not allow this reference, the + * "ResolvedRefs" condition MUST be set to False for this listener with the + * "RefNotPermitted" reason. + */ + caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecListenersTlsFrontendValidationCaCertificateRefs[]; + } + /** + * ObjectReference identifies an API object including its namespace. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + * + * + * References to objects with invalid Group and Kind are not valid, and must + * be rejected by the implementation, with appropriate Conditions set + * on the containing object. + */ + interface GatewaySpecListenersTlsFrontendValidationCaCertificateRefs { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is kind of the referent. For example "ConfigMap" or "Service". + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the referenced object. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + } + /** + * ObjectReference identifies an API object including its namespace. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + * + * + * References to objects with invalid Group and Kind are not valid, and must + * be rejected by the implementation, with appropriate Conditions set + * on the containing object. 
+ */ + interface GatewaySpecListenersTlsFrontendValidationCaCertificateRefsPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is kind of the referent. For example "ConfigMap" or "Service". + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the referenced object. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + } + /** + * FrontendValidation holds configuration information for validating the frontend (client). + * Setting this field will require clients to send a client certificate + * required for validation during the TLS handshake. In browsers this may result in a dialog appearing + * that requests a user to specify the client certificate. + * The maximum depth of a certificate chain accepted in verification is Implementation specific. + * + * + * Support: Extended + */ + interface GatewaySpecListenersTlsFrontendValidationPatch { + /** + * CACertificateRefs contains one or more references to + * Kubernetes objects that contain TLS certificates of + * the Certificate Authorities that can be used + * as a trust anchor to validate the certificates presented by the client. + * + * + * A single CA certificate reference to a Kubernetes ConfigMap + * has "Core" support. + * Implementations MAY choose to support attaching multiple CA certificates to + * a Listener, but this behavior is implementation-specific. 
+ * + * + * Support: Core - A single reference to a Kubernetes ConfigMap + * with the CA certificate in a key named `ca.crt`. + * + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). + * + * + * References to a resource in a different namespace are invalid UNLESS there + * is a ReferenceGrant in the target namespace that allows the certificate + * to be attached. If a ReferenceGrant does not allow this reference, the + * "ResolvedRefs" condition MUST be set to False for this listener with the + * "RefNotPermitted" reason. + */ + caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecListenersTlsFrontendValidationCaCertificateRefsPatch[]; + } /** * TLS is the TLS configuration for the Listener. This field is required if * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field * if the Protocol field is "HTTP", "TCP", or "UDP". * - * The association of SNIs to Certificate defined in ListenerTLSConfig is + * + * The association of SNIs to Certificate defined in GatewayTLSConfig is * defined based on the Hostname field for this listener. * + * * The GatewayClass MUST use the longest matching SNI out of all * available certificates for any TLS handshake. * + * * Support: Core */ interface GatewaySpecListenersTlsPatch { 
@@ -43835,31 +35958,39 @@ export declare namespace gateway { * establish a TLS handshake for requests that match the hostname of the * associated listener. * + * * A single CertificateRef to a Kubernetes Secret has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a Listener, but this behavior is implementation-specific. * + * * References to a resource in different namespace are invalid UNLESS there * is a ReferenceGrant in the target namespace that allows the certificate * to be attached. If a ReferenceGrant does not allow this reference, the * "ResolvedRefs" condition MUST be set to False for this listener with the * "RefNotPermitted" reason. * + * * This field is required to have at least one element when the mode is set * to "Terminate" (default) and is optional otherwise. * + * * CertificateRefs can reference to standard Kubernetes resources, i.e. * Secret, or implementation-specific custom resources. * + * * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls * + * * Support: Implementation-specific (More than one reference or other resource types) */ certificateRefs: outputs.gateway.v1beta1.GatewaySpecListenersTlsCertificateRefsPatch[]; + frontendValidation: outputs.gateway.v1beta1.GatewaySpecListenersTlsFrontendValidationPatch; /** * Mode defines the TLS behavior for the TLS session initiated by the client. * There are two possible modes: * + * * - Terminate: The TLS session between the downstream client and the * Gateway is terminated at the Gateway. This mode requires certificates * to be specified in some way, such as populating the certificateRefs @@ -43869,6 +36000,7 @@ export declare namespace gateway { * the ClientHello message of the TLS protocol. The certificateRefs field * is ignored in this mode. * + * * Support: Core */ mode: string; 
@@ -43877,11 +36009,13 @@ export declare namespace gateway { * configuration for each implementation. For example, configuring the * minimum TLS version or supported cipher suites. * + * * A set of common keys MAY be defined by the API in the future. To avoid * any ambiguity, implementation-specific definitions MUST use * domain-prefixed names, such as `example.com/my-custom-option`. * Un-prefixed names are reserved for key names defined by Gateway API. * + * * Support: Implementation-specific */ options: { @@ -43896,7 +36030,8 @@ export declare namespace gateway { * Addresses requested for this Gateway. This is optional and behavior can * depend on the implementation. If a value is set in the spec and the * requested address is invalid or unavailable, the implementation MUST - * indicate this in an associated entry in GatewayStatus.Conditions. + * indicate this in the associated entry in GatewayStatus.Addresses. + * * * The Addresses field represents a request for the address(es) on the * "outside of the Gateway", that traffic bound for this Gateway will use. 
@@ -43904,38 +36039,20 @@ export declare namespace gateway { * other networking infrastructure, or some other address that traffic will * be sent to. * + * * If no Addresses are specified, the implementation MAY schedule the * Gateway in an implementation-specific manner, assigning an appropriate * set of Addresses. * + * * The implementation MUST bind all Listeners to every GatewayAddress that * it assigns to the Gateway and add a corresponding entry in * GatewayStatus.Addresses. * + * * Support: Extended */ addresses: outputs.gateway.v1beta1.GatewaySpecAddressesPatch[]; - allowedListeners: outputs.gateway.v1beta1.GatewaySpecAllowedListenersPatch; - /** - * DefaultScope, when set, configures the Gateway as a default Gateway, - * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) - * attached to it, according to the scope configured here. - * - * If unset (the default) or set to None, the Gateway will not act as a - * default Gateway; if set, the Gateway will claim any Route with a - * matching scope set in its UseDefaultGateway field, subject to the usual - * rules about which routes the Gateway can attach to. - * - * Think carefully before using this functionality! While the normal rules - * about which Route can apply are still enforced, it is simply easier for - * the wrong Route to be accidentally attached to this Gateway in this - * configuration. If the Gateway operator is not also the operator in - * control of the scope (e.g. namespace) with tight controls and checks on - * what kind of workloads and Routes get added in that scope, we strongly - * recommend not using this just because it seems convenient, and instead - * stick to direct Route attachment. - */ - defaultScope: string; /** * GatewayClassName used for this Gateway. This is the name of a * GatewayClass resource. 
@@ -43947,7 +36064,6 @@ export declare namespace gateway { * logical endpoints that are bound on this Gateway's addresses. * At least one Listener MUST be specified. * - * ## Distinct Listeners * * Each Listener in a set of Listeners (for example, in a single Gateway) * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to 
@@ -43956,107 +36072,97 @@ export declare namespace gateway { * from multiple Gateways onto a single data plane, and these rules _also_ * apply in that case). * + * * Practically, this means that each listener in a set MUST have a unique * combination of Port, Protocol, and, if supported by the protocol, Hostname. * - * Some combinations of port, protocol, and TLS settings are considered - * Core support and MUST be supported by implementations based on the objects - * they support: * - * HTTPRoute + * Some combinations of port, protocol, and TLS settings are considered + * Core support and MUST be supported by implementations based on their + * targeted conformance profile: + * + * + * HTTP Profile + * * * 1. HTTPRoute, Port: 80, Protocol: HTTP * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided * - * TLSRoute + * + * TLS Profile + * * * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough * + * * "Distinct" Listeners have the following property: * - * **The implementation can match inbound requests to a single distinct - * Listener**. * - * When multiple Listeners share values for fields (for + * The implementation can match inbound requests to a single distinct + * Listener. When multiple Listeners share values for fields (for * example, two Listeners with the same Port value), the implementation * can match requests to only one of the Listeners using other * Listener fields. * - * When multiple listeners have the same value for the Protocol field, then - * each of the Listeners with matching Protocol values MUST have different - * values for other fields. * - * The set of fields that MUST be different for a Listener differs per protocol. - * The following rules define the rules for what fields MUST be considered for - * Listeners to be distinct with each protocol currently defined in the - * Gateway API spec. 
+ * For example, the following Listener scenarios are distinct: * - * The set of listeners that all share a protocol value MUST have _different_ - * values for _at least one_ of these fields to be distinct: * - * * **HTTP, HTTPS, TLS**: Port, Hostname - * * **TCP, UDP**: Port + * 1. Multiple Listeners with the same Port that all use the "HTTP" + * Protocol that all have unique Hostname values. + * 2. Multiple Listeners with the same Port that use either the "HTTPS" or + * "TLS" Protocol that all have unique Hostname values. + * 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + * with the same Protocol has the same Port value. * - * One **very** important rule to call out involves what happens when an - * implementation: * - * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - * Listeners, and - * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - * Protocol. + * Some fields in the Listener struct have possible values that affect + * whether the Listener is distinct. Hostname is particularly relevant + * for HTTP or HTTPS protocols. * - * In this case all the Listeners that share a port with the - * TCP Listener are not distinct and so MUST NOT be accepted. * - * If an implementation does not support TCP Protocol Listeners, then the - * previous rule does not apply, and the TCP Listeners SHOULD NOT be - * accepted. + * When using the Hostname value to select between same-Port, same-Protocol + * Listeners, the Hostname value must be different on each Listener for the + * Listener to be distinct. * - * Note that the `tls` field is not used for determining if a listener is distinct, because - * Listeners that _only_ differ on TLS config will still conflict in all cases. 
* - * ### Listeners that are distinct only by Hostname - * - * When the Listeners are distinct based only on Hostname, inbound request + * When the Listeners are distinct based on Hostname, inbound request * hostnames MUST match from the most specific to least specific Hostname * values to choose the correct Listener and its associated set of Routes. * - * Exact matches MUST be processed before wildcard matches, and wildcard - * matches MUST be processed before fallback (empty Hostname value) + * + * Exact matches must be processed before wildcard matches, and wildcard + * matches must be processed before fallback (empty Hostname value) * matches. For example, `"foo.example.com"` takes precedence over * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. * + * * Additionally, if there are multiple wildcard entries, more specific * wildcard entries must be processed before less specific wildcard entries. * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. - * * The precise definition here is that the higher the number of dots in the * hostname to the right of the wildcard character, the higher the precedence. * + * * The wildcard character will match any number of characters _and dots_ to * the left, however, so `"*.example.com"` will match both * `"foo.bar.example.com"` _and_ `"bar.example.com"`. * - * ## Handling indistinct Listeners * * If a set of Listeners contains Listeners that are not distinct, then those - * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + * Listeners are Conflicted, and the implementation MUST set the "Conflicted" * condition in the Listener Status to "True". * - * The words "indistinct" and "conflicted" are considered equivalent for the - * purpose of this documentation. * * Implementations MAY choose to accept a Gateway with some Conflicted * Listeners only if they only accept the partial Listener set that contains - * no Conflicted Listeners. 
+ * no Conflicted Listeners. To put this another way, implementations may + * accept a partial Listener set only if they throw out *all* the conflicting + * Listeners. No picking one of the conflicting listeners as the winner. + * This also means that the Gateway must have at least one non-conflicting + * Listener in this case, otherwise it violates the requirement that at + * least one Listener must be present. * - * Specifically, an implementation MAY accept a partial Listener set subject to - * the following rules: - * - * * The implementation MUST NOT pick one conflicting Listener as the winner. - * ALL indistinct Listeners must not be accepted for processing. - * * At least one distinct Listener MUST be present, or else the Gateway effectively - * contains _no_ Listeners, and must be rejected from processing as a whole. * * The implementation MUST set a "ListenersNotValid" condition on the * Gateway Status when the Gateway contains Conflicted Listeners whether or 
@@ -44065,634 +36171,41 @@ export declare namespace gateway { * Accepted. Additionally, the Listener status for those listeners SHOULD * indicate which Listeners are conflicted and not Accepted. * - * ## General Listener behavior * - * Note that, for all distinct Listeners, requests SHOULD match at most one Listener. - * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - * request to "foo.example.com" SHOULD only be routed using routes attached - * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * A Gateway's Listeners are considered "compatible" if: * - * This concept is known as "Listener Isolation", and it is an Extended feature - * of Gateway API. Implementations that do not support Listener Isolation MUST - * clearly document this, and MUST NOT claim support for the - * `GatewayHTTPListenerIsolation` feature. - * - * Implementations that _do_ support Listener Isolation SHOULD claim support - * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - * conformance tests. - * - * ## Compatible Listeners - * - * A Gateway's Listeners are considered _compatible_ if: * * 1. They are distinct. * 2. The implementation can serve them in compliance with the Addresses * requirement that all Listeners are available on all assigned * addresses. * + * * Compatible combinations in Extended support are expected to vary across * implementations. A combination that is compatible for one implementation * may not be compatible for another. * + * * For example, an implementation that cannot serve both TCP and UDP listeners * on the same address, or cannot mix HTTPS and generic TLS listens on the same port * would not consider those cases compatible, even though they are distinct. * + * + * Note that requests SHOULD match at most one Listener. 
For example, if + * Listeners are defined for "foo.example.com" and "*.example.com", a + * request to "foo.example.com" SHOULD only be routed using routes attached + * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * This concept is known as "Listener Isolation". Implementations that do + * not support Listener Isolation MUST clearly document this. + * + * * Implementations MAY merge separate Gateways onto a single set of * Addresses if all Listeners across all Gateways are compatible. * - * In a future release the MinItems=1 requirement MAY be dropped. * * Support: Core */ listeners: outputs.gateway.v1beta1.GatewaySpecListenersPatch[]; - tls: outputs.gateway.v1beta1.GatewaySpecTlsPatch; - } - /** - * TLS specifies frontend and backend tls configuration for entire gateway. - * - * Support: Extended - */ - interface GatewaySpecTls { - backend: outputs.gateway.v1beta1.GatewaySpecTlsBackend; - frontend: outputs.gateway.v1beta1.GatewaySpecTlsFrontend; - } - /** - * Backend describes TLS configuration for gateway when connecting - * to backends. - * - * Note that this contains only details for the Gateway as a TLS client, - * and does _not_ imply behavior about how to choose which backend should - * get a TLS connection. That is determined by the presence of a BackendTLSPolicy. - * - * Support: Core - */ - interface GatewaySpecTlsBackend { - clientCertificateRef: outputs.gateway.v1beta1.GatewaySpecTlsBackendClientCertificateRef; - } - /** - * ClientCertificateRef is a reference to an object that contains a Client - * Certificate and the associated private key. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. 
- * - * ClientCertificateRef can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - */ - interface GatewaySpecTlsBackendClientCertificateRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - /** - * ClientCertificateRef is a reference to an object that contains a Client - * Certificate and the associated private key. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * ClientCertificateRef can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - */ - interface GatewaySpecTlsBackendClientCertificateRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind: string; - /** - * Name is the name of the referent. 
- */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - /** - * Backend describes TLS configuration for gateway when connecting - * to backends. - * - * Note that this contains only details for the Gateway as a TLS client, - * and does _not_ imply behavior about how to choose which backend should - * get a TLS connection. That is determined by the presence of a BackendTLSPolicy. - * - * Support: Core - */ - interface GatewaySpecTlsBackendPatch { - clientCertificateRef: outputs.gateway.v1beta1.GatewaySpecTlsBackendClientCertificateRefPatch; - } - /** - * Frontend describes TLS config when client connects to Gateway. - * Support: Core - */ - interface GatewaySpecTlsFrontend { - default: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefault; - /** - * PerPort specifies tls configuration assigned per port. - * Per port configuration is optional. Once set this configuration overrides - * the default configuration for all Listeners handling HTTPS traffic - * that match this port. - * Each override port requires a unique TLS configuration. - * - * support: Core - */ - perPort: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPort[]; - } - /** - * Default specifies the default client certificate validation configuration - * for all Listeners handling HTTPS traffic, unless a per-port configuration - * is defined. 
- * - * support: Core - */ - interface GatewaySpecTlsFrontendDefault { - validation: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidation; - } - /** - * Default specifies the default client certificate validation configuration - * for all Listeners handling HTTPS traffic, unless a per-port configuration - * is defined. - * - * support: Core - */ - interface GatewaySpecTlsFrontendDefaultPatch { - validation: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationPatch; - } - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendDefaultValidation { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. 
If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs[]; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode: string; - } - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. 
When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. 
- * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendDefaultValidationPatch { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch[]; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. 
- * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode: string; - } - /** - * Frontend describes TLS config when client connects to Gateway. - * Support: Core - */ - interface GatewaySpecTlsFrontendPatch { - default: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultPatch; - /** - * PerPort specifies tls configuration assigned per port. - * Per port configuration is optional. Once set this configuration overrides - * the default configuration for all Listeners handling HTTPS traffic - * that match this port. - * Each override port requires a unique TLS configuration. - * - * support: Core - */ - perPort: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortPatch[]; - } - interface GatewaySpecTlsFrontendPerPort { - /** - * The Port indicates the Port Number to which the TLS configuration will be - * applied. This configuration will be applied to all Listeners handling HTTPS - * traffic that match this port. - * - * Support: Core - */ - port: number; - tls: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTls; - } - interface GatewaySpecTlsFrontendPerPortPatch { - /** - * The Port indicates the Port Number to which the TLS configuration will be - * applied. This configuration will be applied to all Listeners handling HTTPS - * traffic that match this port. - * - * Support: Core - */ - port: number; - tls: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsPatch; - } - /** - * TLS store the configuration that will be applied to all Listeners handling - * HTTPS traffic and matching given port. 
- * - * Support: Core - */ - interface GatewaySpecTlsFrontendPerPortTls { - validation: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidation; - } - /** - * TLS store the configuration that will be applied to all Listeners handling - * HTTPS traffic and matching given port. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendPerPortTlsPatch { - validation: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationPatch; - } - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendPerPortTlsValidation { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. 
If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs[]; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode: string; - } - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. 
When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. 
- * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - interface GatewaySpecTlsFrontendPerPortTlsValidationPatch { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch[]; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. 
- * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode: string; - } - /** - * TLS specifies frontend and backend tls configuration for entire gateway. - * - * Support: Extended - */ - interface GatewaySpecTlsPatch { - backend: outputs.gateway.v1beta1.GatewaySpecTlsBackendPatch; - frontend: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPatch; } /** * Status defines the current state of Gateway. @@ -44702,9 +36215,11 @@ export declare namespace gateway { * Addresses lists the network addresses that have been bound to the * Gateway. * + * * This list may differ from the addresses provided in the spec under some * conditions: * + * * * no addresses are specified, all addresses are dynamically assigned * * a combination of specified and dynamic addresses are assigned * * a specified address was unusable (e.g. already in use) @@ -44713,13 +36228,16 @@ export declare namespace gateway { /** * Conditions describe the current conditions of the Gateway. * + * * Implementations should prefer to express Gateway conditions * using the `GatewayConditionType` and `GatewayConditionReason` * constants so that operators and tools can converge on a common * vocabulary to describe Gateway state. * + * * Known condition types are: * + * * * "Accepted" * * "Programmed" * * "Ready" @@ -44742,6 +36260,7 @@ export declare namespace gateway { * Value of the address. The validity of the values will depend * on the type and support by the controller. * + * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value: string; 
@@ -44758,12 +36277,29 @@ export declare namespace gateway { * Value of the address. The validity of the values will depend * on the type and support by the controller. * + * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayStatusConditions { /** 
@@ -44796,11 +36332,31 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayStatusConditionsPatch { /** @@ -44833,6 +36389,10 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -44844,6 +36404,7 @@ export declare namespace gateway { * AttachedRoutes represents the total number of Routes that have been * successfully attached to this Listener. * + * * Successful attachment of a Route to a Listener is based solely on the * combination of the AllowedRoutes field on the corresponding Listener * and the Route's ParentRefs field. A Route is successfully attached to 
@@ -44856,6 +36417,7 @@ export declare namespace gateway { * for Listeners with condition Accepted: false and MUST count successfully * attached Routes that may themselves have Accepted: false conditions. * + * * Uses for this field include troubleshooting Route attachment and * measuring blast radius/impact of changes to a Listener. */ @@ -44873,6 +36435,7 @@ export declare namespace gateway { * listener. This MUST represent the kinds an implementation supports for * that Listener configuration. * + * * If kinds are specified in Spec that are not supported, they MUST NOT * appear in this list and an implementation MUST set the "ResolvedRefs" * condition to "False" with the "InvalidRouteKinds" reason. If both valid @@ -44883,6 +36446,22 @@ export declare namespace gateway { } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayStatusListenersConditions { /** 
@@ -44915,11 +36494,31 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface GatewayStatusListenersConditionsPatch { /** @@ -44952,6 +36551,10 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } 
@@ -44963,6 +36566,7 @@ export declare namespace gateway { * AttachedRoutes represents the total number of Routes that have been * successfully attached to this Listener. * + * * Successful attachment of a Route to a Listener is based solely on the * combination of the AllowedRoutes field on the corresponding Listener * and the Route's ParentRefs field. A Route is successfully attached to @@ -44975,6 +36579,7 @@ export declare namespace gateway { * for Listeners with condition Accepted: false and MUST count successfully * attached Routes that may themselves have Accepted: false conditions. * + * * Uses for this field include troubleshooting Route attachment and * measuring blast radius/impact of changes to a Listener. */ @@ -44992,6 +36597,7 @@ export declare namespace gateway { * listener. This MUST represent the kinds an implementation supports for * that Listener configuration. * + * * If kinds are specified in Spec that are not supported, they MUST NOT * appear in this list and an implementation MUST set the "ResolvedRefs" * condition to "False" with the "InvalidRouteKinds" reason. If both valid @@ -45034,9 +36640,11 @@ export declare namespace gateway { * Addresses lists the network addresses that have been bound to the * Gateway. * + * * This list may differ from the addresses provided in the spec under some * conditions: * + * * * no addresses are specified, all addresses are dynamically assigned * * a combination of specified and dynamic addresses are assigned * * a specified address was unusable (e.g. already in use) @@ -45045,13 +36653,16 @@ export declare namespace gateway { /** * Conditions describe the current conditions of the Gateway. * + * * Implementations should prefer to express Gateway conditions * using the `GatewayConditionType` and `GatewayConditionReason` * constants so that operators and tools can converge on a common * vocabulary to describe Gateway state. * + * * Known condition types are: * + * * * "Accepted" * * "Programmed" * * "Ready" 
@@ -45095,17 +36706,21 @@ export declare namespace gateway { * performing a match and (absent of any applicable header modification * configuration) MUST forward this header unmodified to the backend. * + * * Valid values for Hostnames are determined by RFC 1123 definition of a * hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and HTTPRoute, there * must be at least one intersecting hostname for the HTTPRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches HTTPRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -45116,31 +36731,38 @@ export declare namespace gateway { * all match. On the other hand, `example.com` and `test.example.net` would * not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and HTTPRoute have specified hostnames, any * HTTPRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * HTTPRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and HTTPRoute have specified hostnames, and none * match with the criteria above, then the HTTPRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. * overlapping wildcard matching and exact matching hostnames), precedence must * be given to rules from the HTTPRoute with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * + * * If ties exist across multiple Routes, the matching precedence rules for * HTTPRouteMatches takes over. * + * * Support: Core */ hostnames: string[]; 
@@ -45156,16 +36778,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -45175,8 +36802,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -45184,12 +36813,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -45197,10 +36828,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -45212,33 +36845,21 @@ export declare namespace gateway { * Rules are a list of HTTP matchers, filters and actions. */ rules: outputs.gateway.v1beta1.HTTPRouteSpecRules[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** * ParentReference identifies an API object (usually a Gateway) that can be considered * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -45249,23 +36870,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -45273,6 +36899,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -45280,10 +36907,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -45291,6 +36920,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -45298,6 +36928,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -45307,15 +36938,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -45324,6 +36958,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -45331,6 +36966,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -45338,10 +36974,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -45351,6 +36989,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -45360,12 +36999,15 @@ export declare namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -45376,23 +37018,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; 
@@ -45400,6 +37047,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -45407,10 +37055,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -45418,6 +37068,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -45425,6 +37076,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -45434,15 +37086,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -45451,6 +37106,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -45458,6 +37114,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -45465,10 +37122,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -45478,6 +37137,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -45493,17 +37153,21 @@ export declare namespace gateway { * performing a match and (absent of any applicable header modification * configuration) MUST forward this header unmodified to the backend. * + * * Valid values for Hostnames are determined by RFC 1123 definition of a * hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and HTTPRoute, there * must be at least one intersecting hostname for the HTTPRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches HTTPRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -45514,31 +37178,38 @@ export declare namespace gateway { * all match. On the other hand, `example.com` and `test.example.net` would * not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and HTTPRoute have specified hostnames, any * HTTPRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * HTTPRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and HTTPRoute have specified hostnames, and none * match with the criteria above, then the HTTPRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. * overlapping wildcard matching and exact matching hostnames), precedence must * be given to rules from the HTTPRoute with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * + * * If ties exist across multiple Routes, the matching precedence rules for * HTTPRouteMatches takes over. * + * * Support: Core */ hostnames: string[]; 
@@ -45554,16 +37225,21 @@ export declare namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -45573,8 +37249,10 @@ export declare namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -45582,12 +37260,14 @@ export declare namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -45595,10 +37275,12 @@ export declare namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -45610,21 +37292,6 @@ export declare namespace gateway { * Rules are a list of HTTP matchers, filters and actions. */ rules: outputs.gateway.v1beta1.HTTPRouteSpecRulesPatch[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** * HTTPRouteRule defines semantics for matching an HTTP request based on 
@@ -45636,37 +37303,41 @@ export declare namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive a 500 status code. * + * * See the HTTPBackendRef definition for the rules about what makes a single * HTTPBackendRef invalid. * + * * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive a 500 status code. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic must receive a 500. Implementations may * choose how that 50 percent is determined. * - * When a HTTPBackendRef refers to a Service that has no ready endpoints, - * implementations SHOULD return a 503 for requests to that backend instead. - * If an implementation chooses to do this, all of the above rules for 500 responses - * MUST also apply for responses that return a 503. * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefs[]; 
@@ -45674,38 +37345,46 @@ export declare namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * Wherever possible, implementations SHOULD implement filters in the order * they are specified. * + * * Implementations MAY choose to implement this ordering strictly, rejecting - * any combination or order of filters that cannot be supported. If implementations + * any combination or order of filters that can not be supported. If implementations * choose a strict interpretation of filter ordering, they MUST clearly document * that behavior. * + * * To reject an invalid combination or order of filters, implementations SHOULD * consider the Route Rules with this configuration invalid. If all Route Rules * in a Route are invalid, the entire Route would be considered invalid. If only * a portion of Route Rules are invalid, implementations MUST set the * "PartiallyInvalid" condition for the Route. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * + * * All filters are expected to be compatible with each other except for the * URLRewrite and RequestRedirect filters, which may not be combined. If an - * implementation cannot support other combinations of filters, they must clearly + * implementation can not support other combinations of filters, they must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. 
* + * * Support: Core */ filters: outputs.gateway.v1beta1.HTTPRouteSpecRulesFilters[]; @@ -45714,8 +37393,10 @@ export declare namespace gateway { * HTTP requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - path: 
@@ -45727,85 +37408,100 @@ export declare namespace gateway { * value: "/v2/foo" * ``` * + * * For a request to match against this rule, a request must satisfy * EITHER of the two conditions: * + * * - path prefixed with `/foo` AND contains the header `version: v2` * - path prefix of `/v2/foo` * + * * See the documentation for HTTPRouteMatch on how to specify multiple * match conditions that should be ANDed together. * + * * If no matches are specified, the default is a prefix * path match on "/", which has the effect of matching every * HTTP request. * + * * Proxy or Load Balancer routing configuration generated from HTTPRoutes * MUST prioritize matches based on the following criteria, continuing on * ties. Across all rules specified on applicable Routes, precedence must be * given to the match having: * + * * * "Exact" path match. * * "Prefix" path match with largest number of characters. * * Method match. * * Largest number of header matches. * * Largest number of query param matches. * + * * Note: The precedence of RegularExpression path matches are implementation-specific. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within an HTTPRoute, matching precedence MUST be granted * to the FIRST matching rule (in list order) with a match meeting the above * criteria. * + * * When no rules matching a request have been successfully attached to the * parent a request is coming from, a HTTP 404 status code MUST be returned. */ matches: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatches[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
- * - * Support: Extended - */ - name: string; - retry: outputs.gateway.v1beta1.HTTPRouteSpecRulesRetry; sessionPersistence: outputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistence; timeouts: outputs.gateway.v1beta1.HTTPRouteSpecRulesTimeouts; } /** * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ interface HTTPRouteSpecRulesBackendRefs { /** * Filters defined at this level should be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in HTTPRouteRule.) */ 
@@ -45819,16 +37515,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -45840,11 +37540,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -45864,11 +37566,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -45882,9 +37586,7 @@ export declare namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ interface HTTPRouteSpecRulesBackendRefsFilters { - cors: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersCors; extensionRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRef; - externalAuth: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuth; requestHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier; requestMirror: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirror; requestRedirect: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect; @@ -45893,14 +37595,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple 
@@ -45909,16 +37614,20 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -45926,424 +37635,16 @@ export declare namespace gateway { type: string; urlRewrite: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite; } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesBackendRefsFiltersCors { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). - * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials: boolean; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. 
- * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders: string[]; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. 
- * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. - * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods: string[]; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. 
This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. - * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). - * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins: string[]; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. 
- * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. - * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders: string[]; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge: number; - } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesBackendRefsFiltersCorsPatch { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. 
- * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). - * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials: boolean; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. 
If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders: string[]; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. - * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. 
The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods: string[]; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. - * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. 
- * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). - * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins: string[]; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. - * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. 
- * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders: string[]; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge: number; - } /** * ExtensionRef is an optional, implementation-specific extension to the * "filter" behavior. For example, resource "myroutefilter" in group * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRef { @@ -46367,8 +37668,10 @@ export declare namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch { 
@@ -46386,400 +37689,6 @@ export declare namespace gateway { */ name: string; } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuth { - backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef; - forwardBody: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody; - grpc: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc; - http: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol: string; - } - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. 
- */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port: number; - } - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. 
- * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. 
- */ - port: number; - } - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize: number; - } - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. 
- * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize: number; - } - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders: string[]; - } - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders: string[]; - } - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. 
- * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders: string[]; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders: string[]; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. 
- */ - path: string; - } - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders: string[]; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders: string[]; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. 
- * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path: string; - } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch { - backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch; - forwardBody: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch; - grpc: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch; - http: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol: string; - } /** * HTTPRouteFilter defines processing steps that must be completed during the * request or response lifecycle. HTTPRouteFilters are meant as an extension 
@@ -46789,9 +37698,7 @@ export declare namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ interface HTTPRouteSpecRulesBackendRefsFiltersPatch { - cors: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersCorsPatch; extensionRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch; - externalAuth: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch; requestHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch; requestMirror: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch; requestRedirect: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch; @@ -46800,14 +37707,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple 
@@ -46816,16 +37726,20 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -46837,6 +37751,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier { @@ -46845,15 +37760,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -46865,15 +37783,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar 
@@ -46883,15 +37804,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -46904,7 +37828,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -46924,7 +37849,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -46942,6 +37868,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch { @@ -46950,15 +37877,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz 
@@ -46970,15 +37900,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -46988,15 +37921,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -47009,7 +37945,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -47029,7 +37966,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -47048,48 +37986,46 @@ export declare namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirror { backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef; - fraction: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef { @@ -47102,16 +38038,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -47123,11 +38063,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -47143,26 +38085,32 @@ export declare namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch { @@ -47175,16 +38123,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; 
@@ -47196,11 +38148,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -47213,56 +38167,27 @@ export declare namespace gateway { */ port: number; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction { - denominator: number; - numerator: number; - } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch { - denominator: number; - numerator: number; - } /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch { backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch; - fraction: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect { 
@@ -47271,6 +38196,7 @@ export declare namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname: string; @@ -47279,9 +38205,11 @@ export declare namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -47289,14 +38217,17 @@ export declare namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port: number; 
@@ -47304,29 +38235,36 @@ export declare namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme: string; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode: number; @@ -47335,6 +38273,7 @@ export declare namespace gateway { * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch { @@ -47343,6 +38282,7 @@ export declare namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname: string; 
@@ -47351,9 +38291,11 @@ export declare namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -47361,14 +38303,17 @@ export declare namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port: number; 
@@ -47376,29 +38321,36 @@ export declare namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme: string; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode: number; @@ -47408,6 +38360,7 @@ export declare namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath { 
@@ -47422,26 +38375,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -47453,6 +38423,7 @@ export declare namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch { 
@@ -47467,26 +38438,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -47497,6 +38485,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier { 
@@ -47505,15 +38494,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -47525,15 +38517,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -47543,15 +38538,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -47564,7 +38562,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -47584,7 +38583,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -47602,6 +38602,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch { @@ -47610,15 +38611,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -47630,15 +38634,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -47648,15 +38655,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -47669,7 +38679,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -47689,7 +38700,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -47706,6 +38718,7 @@ export declare namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite { @@ -47713,6 +38726,7 @@ export declare namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname: string; @@ -47721,6 +38735,7 @@ export declare namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch { @@ -47728,6 +38743,7 @@ export declare namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname: string; 
@@ -47736,6 +38752,7 @@ export declare namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath { @@ -47750,26 +38767,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -47779,6 +38813,7 @@ export declare namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch { @@ -47793,26 +38828,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -47822,31 +38874,42 @@ export declare namespace gateway { /** * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ interface HTTPRouteSpecRulesBackendRefsPatch { /** * Filters defined at this level should be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in HTTPRouteRule.) */ 
@@ -47860,16 +38923,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -47881,11 +38948,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -47905,11 +38974,13 @@ export declare namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -47923,9 +38994,7 @@ export declare namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ interface HTTPRouteSpecRulesFilters { - cors: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersCors; extensionRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExtensionRef; - externalAuth: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuth; requestHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifier; requestMirror: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirror; requestRedirect: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirect; @@ -47934,14 +39003,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple 
@@ -47950,16 +39022,20 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -47967,424 +39043,16 @@ export declare namespace gateway { type: string; urlRewrite: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewrite; } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesFiltersCors { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). - * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials: boolean; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. 
- * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders: string[]; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. 
- * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods: string[]; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. 
- * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). - * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins: string[]; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. 
- * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders: string[]; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge: number; - } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesFiltersCorsPatch { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). 
- * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials: boolean; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. 
A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders: string[]; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. - * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. 
If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods: string[]; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. - * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). 
- * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins: string[]; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. - * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. 
- * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders: string[]; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge: number; - } /** * ExtensionRef is an optional, implementation-specific extension to the * "filter" behavior. For example, resource "myroutefilter" in group * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ interface HTTPRouteSpecRulesFiltersExtensionRef { @@ -48408,8 +39076,10 @@ export declare namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ interface HTTPRouteSpecRulesFiltersExtensionRefPatch { 
@@ -48427,400 +39097,6 @@ export declare namespace gateway { */ name: string; } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesFiltersExternalAuth { - backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthBackendRef; - forwardBody: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthForwardBody; - grpc: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthGrpc; - http: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthHttp; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol: string; - } - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. 
- */ - interface HTTPRouteSpecRulesFiltersExternalAuthBackendRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port: number; - } - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. 
- * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. 
- */ - port: number; - } - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - interface HTTPRouteSpecRulesFiltersExternalAuthForwardBody { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize: number; - } - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. 
- * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - interface HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize: number; - } - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthGrpc { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders: string[]; - } - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders: string[]; - } - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. 
- * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthHttp { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders: string[]; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders: string[]; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. 
- */ - path: string; - } - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - interface HTTPRouteSpecRulesFiltersExternalAuthHttpPatch { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders: string[]; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders: string[]; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. 
- * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path: string; - } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesFiltersExternalAuthPatch { - backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch; - forwardBody: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch; - grpc: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch; - http: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthHttpPatch; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol: string; - } /** * HTTPRouteFilter defines processing steps that must be completed during the * request or response lifecycle. HTTPRouteFilters are meant as an extension 
@@ -48830,9 +39106,7 @@ export declare namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ interface HTTPRouteSpecRulesFiltersPatch { - cors: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersCorsPatch; extensionRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExtensionRefPatch; - externalAuth: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthPatch; requestHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch; requestMirror: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorPatch; requestRedirect: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirectPatch; @@ -48841,14 +39115,17 @@ export declare namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple 
@@ -48857,16 +39134,20 @@ export declare namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -48878,6 +39159,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface HTTPRouteSpecRulesFiltersRequestHeaderModifier { @@ -48886,15 +39168,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -48906,15 +39191,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar 
@@ -48924,15 +39212,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -48945,7 +39236,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -48965,7 +39257,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -48983,6 +39276,7 @@ export declare namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ interface HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch { @@ -48991,15 +39285,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz 
@@ -49011,15 +39308,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -49029,15 +39329,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -49050,7 +39353,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -49070,7 +39374,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -49089,48 +39394,46 @@ export declare namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersRequestMirror { backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRef; - fraction: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorFraction; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRef { @@ -49143,16 +39446,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -49164,11 +39471,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -49184,26 +39493,32 @@ export declare namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch { @@ -49216,16 +39531,20 @@ export declare namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; 
@@ -49237,11 +39556,13 @@ export declare namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -49254,56 +39575,27 @@ export declare namespace gateway { */ port: number; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface HTTPRouteSpecRulesFiltersRequestMirrorFraction { - denominator: number; - numerator: number; - } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - interface HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch { - denominator: number; - numerator: number; - } /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersRequestMirrorPatch { backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch; - fraction: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ interface HTTPRouteSpecRulesFiltersRequestRedirect { 
@@ -49312,6 +39604,7 @@ export declare namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname: string; @@ -49320,9 +39613,11 @@ export declare namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -49330,14 +39625,17 @@ export declare namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port: number; 
@@ -49345,29 +39643,36 @@ export declare namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme: string; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode: number; @@ -49376,6 +39681,7 @@ export declare namespace gateway { * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ interface HTTPRouteSpecRulesFiltersRequestRedirectPatch { @@ -49384,6 +39690,7 @@ export declare namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname: string; 
@@ -49392,9 +39699,11 @@ export declare namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -49402,14 +39711,17 @@ export declare namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port: number; 
@@ -49417,29 +39729,36 @@ export declare namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme: string; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode: number; @@ -49449,6 +39768,7 @@ export declare namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersRequestRedirectPath { 
@@ -49463,26 +39783,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -49494,6 +39831,7 @@ export declare namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersRequestRedirectPathPatch { 
@@ -49508,26 +39846,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -49538,6 +39893,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersResponseHeaderModifier { 
@@ -49546,15 +39902,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -49566,15 +39925,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -49584,15 +39946,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -49605,7 +39970,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -49625,7 +39991,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -49643,6 +40010,7 @@ export declare namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch { @@ -49651,15 +40019,18 @@ export declare namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -49671,15 +40042,18 @@ export declare namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -49689,15 +40063,18 @@ export declare namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -49710,7 +40087,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -49730,7 +40108,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -49747,6 +40126,7 @@ export declare namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersUrlRewrite { @@ -49754,6 +40134,7 @@ export declare namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname: string; @@ -49762,6 +40143,7 @@ export declare namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersUrlRewritePatch { @@ -49769,6 +40151,7 @@ export declare namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname: string; 
@@ -49777,6 +40160,7 @@ export declare namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersUrlRewritePath { @@ -49791,26 +40175,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -49820,6 +40221,7 @@ export declare namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ interface HTTPRouteSpecRulesFiltersUrlRewritePathPatch { @@ -49834,26 +40236,43 @@ export declare namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -49865,18 +40284,22 @@ export declare namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a HTTP request only if its path * starts with `/foo` AND it contains the `version: v1` header: * + * * ``` * match: * + * * path: * value: "/foo" * headers: * - name: "version" * value "v1" * + * * ``` */ interface HTTPRouteSpecRulesMatches { @@ -49891,6 +40314,7 @@ export declare namespace gateway { * When specified, this route will be matched only if the request has the * specified method. * + * * Support: Extended */ method: string; @@ -49900,6 +40324,7 @@ export declare namespace gateway { * values are ANDed together, meaning, a request must match all the * specified query parameters to select the route. * + * * Support: Extended */ queryParams: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesQueryParams[]; @@ -49911,7 +40336,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesMatchesHeaders { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent @@ -49919,6 +40345,7 @@ export declare namespace gateway { * case-insensitivity of header names, "foo" and "Foo" are considered * equivalent. * + * * When a header is repeated in an HTTP request, it is * implementation-specific behavior as to how this is represented. * Generally, proxies should follow the guidance from the RFC: 
@@ -49929,10 +40356,13 @@ export declare namespace gateway { /** * Type specifies how to match against the value of the header. * + * * Support: Core (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression HeaderMatchType has implementation-specific * conformance, implementations can support POSIX, PCRE or any other dialects * of regular expressions. Please read the implementation's documentation to @@ -49951,7 +40381,8 @@ export declare namespace gateway { interface HTTPRouteSpecRulesMatchesHeadersPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent @@ -49959,6 +40390,7 @@ export declare namespace gateway { * case-insensitivity of header names, "foo" and "Foo" are considered * equivalent. * + * * When a header is repeated in an HTTP request, it is * implementation-specific behavior as to how this is represented. * Generally, proxies should follow the guidance from the RFC: @@ -49969,10 +40401,13 @@ export declare namespace gateway { /** * Type specifies how to match against the value of the header. * + * * Support: Core (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression HeaderMatchType has implementation-specific * conformance, implementations can support POSIX, PCRE or any other dialects * of regular expressions. Please read the implementation's documentation to 
@@ -49989,18 +40424,22 @@ export declare namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a HTTP request only if its path * starts with `/foo` AND it contains the `version: v1` header: * + * * ``` * match: * + * * path: * value: "/foo" * headers: * - name: "version" * value "v1" * + * * ``` */ interface HTTPRouteSpecRulesMatchesPatch { @@ -50015,6 +40454,7 @@ export declare namespace gateway { * When specified, this route will be matched only if the request has the * specified method. * + * * Support: Extended */ method: string; @@ -50024,6 +40464,7 @@ export declare namespace gateway { * values are ANDed together, meaning, a request must match all the * specified query parameters to select the route. * + * * Support: Extended */ queryParams: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesQueryParamsPatch[]; @@ -50036,8 +40477,10 @@ export declare namespace gateway { /** * Type specifies how to match against the path Value. * + * * Support: Core (Exact, PathPrefix) * + * * Support: Implementation-specific (RegularExpression) */ type: string; @@ -50054,8 +40497,10 @@ export declare namespace gateway { /** * Type specifies how to match against the path Value. * + * * Support: Core (Exact, PathPrefix) * + * * Support: Implementation-specific (RegularExpression) */ type: string; 
@@ -50074,10 +40519,12 @@ export declare namespace gateway { * exact string match. (See * https://tools.ietf.org/html/rfc7230#section-2.7.3). * + * * If multiple entries specify equivalent query param names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent query param name MUST be ignored. * + * * If a query param is repeated in an HTTP request, the behavior is * purposely left undefined, since different data planes have different * capabilities. However, it is *recommended* that implementations should @@ -50085,6 +40532,7 @@ export declare namespace gateway { * as this behavior is expected in other load balancing contexts outside of * the Gateway API. * + * * Users SHOULD NOT route traffic based on repeated query params to guard * themselves against potential differences in the implementations. */ @@ -50092,10 +40540,13 @@ export declare namespace gateway { /** * Type specifies how to match against the value of the query parameter. * + * * Support: Extended (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression QueryParamMatchType has Implementation-specific * conformance, implementations can support POSIX, PCRE or any other * dialects of regular expressions. Please read the implementation's @@ -50117,10 +40568,12 @@ export declare namespace gateway { * exact string match. (See * https://tools.ietf.org/html/rfc7230#section-2.7.3). * + * * If multiple entries specify equivalent query param names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent query param name MUST be ignored. * + * * If a query param is repeated in an HTTP request, the behavior is * purposely left undefined, since different data planes have different * capabilities. However, it is *recommended* that implementations should 
@@ -50128,6 +40581,7 @@ export declare namespace gateway { * as this behavior is expected in other load balancing contexts outside of * the Gateway API. * + * * Users SHOULD NOT route traffic based on repeated query params to guard * themselves against potential differences in the implementations. */ @@ -50135,10 +40589,13 @@ export declare namespace gateway { /** * Type specifies how to match against the value of the query parameter. * + * * Support: Extended (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression QueryParamMatchType has Implementation-specific * conformance, implementations can support POSIX, PCRE or any other * dialects of regular expressions. Please read the implementation's 
@@ -50160,37 +40617,41 @@ export declare namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive a 500 status code. * + * * See the HTTPBackendRef definition for the rules about what makes a single * HTTPBackendRef invalid. * + * * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive a 500 status code. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic must receive a 500. Implementations may * choose how that 50 percent is determined. * - * When a HTTPBackendRef refers to a Service that has no ready endpoints, - * implementations SHOULD return a 503 for requests to that backend instead. - * If an implementation chooses to do this, all of the above rules for 500 responses - * MUST also apply for responses that return a 503. * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsPatch[]; 
@@ -50198,38 +40659,46 @@ export declare namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * Wherever possible, implementations SHOULD implement filters in the order * they are specified. * + * * Implementations MAY choose to implement this ordering strictly, rejecting - * any combination or order of filters that cannot be supported. If implementations + * any combination or order of filters that can not be supported. If implementations * choose a strict interpretation of filter ordering, they MUST clearly document * that behavior. * + * * To reject an invalid combination or order of filters, implementations SHOULD * consider the Route Rules with this configuration invalid. If all Route Rules * in a Route are invalid, the entire Route would be considered invalid. If only * a portion of Route Rules are invalid, implementations MUST set the * "PartiallyInvalid" condition for the Route. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * + * * All filters are expected to be compatible with each other except for the * URLRewrite and RequestRedirect filters, which may not be combined. If an - * implementation cannot support other combinations of filters, they must clearly + * implementation can not support other combinations of filters, they must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. 
* + * * Support: Core */ filters: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersPatch[]; @@ -50238,8 +40707,10 @@ export declare namespace gateway { * HTTP requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - path: 
@@ -50251,193 +40722,66 @@ export declare namespace gateway { * value: "/v2/foo" * ``` * + * * For a request to match against this rule, a request must satisfy * EITHER of the two conditions: * + * * - path prefixed with `/foo` AND contains the header `version: v2` * - path prefix of `/v2/foo` * + * * See the documentation for HTTPRouteMatch on how to specify multiple * match conditions that should be ANDed together. * + * * If no matches are specified, the default is a prefix * path match on "/", which has the effect of matching every * HTTP request. * + * * Proxy or Load Balancer routing configuration generated from HTTPRoutes * MUST prioritize matches based on the following criteria, continuing on * ties. Across all rules specified on applicable Routes, precedence must be * given to the match having: * + * * * "Exact" path match. * * "Prefix" path match with largest number of characters. * * Method match. * * Largest number of header matches. * * Largest number of query param matches. * + * * Note: The precedence of RegularExpression path matches are implementation-specific. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within an HTTPRoute, matching precedence MUST be granted * to the FIRST matching rule (in list order) with a match meeting the above * criteria. * + * * When no rules matching a request have been successfully attached to the * parent a request is coming from, a HTTP 404 status code MUST be returned. */ matches: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesPatch[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
- * - * Support: Extended - */ - name: string; - retry: outputs.gateway.v1beta1.HTTPRouteSpecRulesRetryPatch; sessionPersistence: outputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistencePatch; timeouts: outputs.gateway.v1beta1.HTTPRouteSpecRulesTimeoutsPatch; } - /** - * Retry defines the configuration for when to retry an HTTP request. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesRetry { - /** - * Attempts specifies the maximum number of times an individual request - * from the gateway to a backend should be retried. - * - * If the maximum number of retries has been attempted without a successful - * response from the backend, the Gateway MUST return an error. - * - * When this field is unspecified, the number of times to attempt to retry - * a backend request is implementation-specific. - * - * Support: Extended - */ - attempts: number; - /** - * Backoff specifies the minimum duration a Gateway should wait between - * retry attempts and is represented in Gateway API Duration formatting. - * - * For example, setting the `rules[].retry.backoff` field to the value - * `100ms` will cause a backend request to first be retried approximately - * 100 milliseconds after timing out or receiving a response code configured - * to be retryable. - * - * An implementation MAY use an exponential or alternative backoff strategy - * for subsequent retry attempts, MAY cap the maximum backoff duration to - * some amount greater than the specified minimum, and MAY add arbitrary - * jitter to stagger requests, as long as unsuccessful backend requests are - * not retried before the configured minimum duration. - * - * If a Request timeout (`rules[].timeouts.request`) is configured on the - * route, the entire duration of the initial request and any retry attempts - * MUST not exceed the Request timeout duration. 
If any retry attempts are - * still in progress when the Request timeout duration has been reached, - * these SHOULD be canceled if possible and the Gateway MUST immediately - * return a timeout error. - * - * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - * configured on the route, any retry attempts which reach the configured - * BackendRequest timeout duration without a response SHOULD be canceled if - * possible and the Gateway should wait for at least the specified backoff - * duration before attempting to retry the backend request again. - * - * If a BackendRequest timeout is _not_ configured on the route, retry - * attempts MAY time out after an implementation default duration, or MAY - * remain pending until a configured Request timeout or implementation - * default duration for total request time is reached. - * - * When this field is unspecified, the time to wait between retry attempts - * is implementation-specific. - * - * Support: Extended - */ - backoff: string; - /** - * Codes defines the HTTP response status codes for which a backend request - * should be retried. - * - * Support: Extended - */ - codes: number[]; - } - /** - * Retry defines the configuration for when to retry an HTTP request. - * - * Support: Extended - */ - interface HTTPRouteSpecRulesRetryPatch { - /** - * Attempts specifies the maximum number of times an individual request - * from the gateway to a backend should be retried. - * - * If the maximum number of retries has been attempted without a successful - * response from the backend, the Gateway MUST return an error. - * - * When this field is unspecified, the number of times to attempt to retry - * a backend request is implementation-specific. - * - * Support: Extended - */ - attempts: number; - /** - * Backoff specifies the minimum duration a Gateway should wait between - * retry attempts and is represented in Gateway API Duration formatting. 
- * - * For example, setting the `rules[].retry.backoff` field to the value - * `100ms` will cause a backend request to first be retried approximately - * 100 milliseconds after timing out or receiving a response code configured - * to be retryable. - * - * An implementation MAY use an exponential or alternative backoff strategy - * for subsequent retry attempts, MAY cap the maximum backoff duration to - * some amount greater than the specified minimum, and MAY add arbitrary - * jitter to stagger requests, as long as unsuccessful backend requests are - * not retried before the configured minimum duration. - * - * If a Request timeout (`rules[].timeouts.request`) is configured on the - * route, the entire duration of the initial request and any retry attempts - * MUST not exceed the Request timeout duration. If any retry attempts are - * still in progress when the Request timeout duration has been reached, - * these SHOULD be canceled if possible and the Gateway MUST immediately - * return a timeout error. - * - * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - * configured on the route, any retry attempts which reach the configured - * BackendRequest timeout duration without a response SHOULD be canceled if - * possible and the Gateway should wait for at least the specified backoff - * duration before attempting to retry the backend request again. - * - * If a BackendRequest timeout is _not_ configured on the route, retry - * attempts MAY time out after an implementation default duration, or MAY - * remain pending until a configured Request timeout or implementation - * default duration for total request time is reached. - * - * When this field is unspecified, the time to wait between retry attempts - * is implementation-specific. - * - * Support: Extended - */ - backoff: string; - /** - * Codes defines the HTTP response status codes for which a backend request - * should be retried. 
- * - * Support: Extended - */ - codes: number[]; - } /** * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ interface HTTPRouteSpecRulesSessionPersistence { @@ -50446,6 +40790,7 @@ export declare namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout: string; @@ -50455,6 +40800,7 @@ export declare namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout: string; @@ -50464,6 +40810,7 @@ export declare namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName: string; @@ -50472,8 +40819,10 @@ export declare namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type: string; @@ -50482,6 +40831,7 @@ export declare namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ interface HTTPRouteSpecRulesSessionPersistenceCookieConfig { @@ -50492,18 +40842,20 @@ export declare namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType: string; 
@@ -50512,6 +40864,7 @@ export declare namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ interface HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch { @@ -50522,18 +40875,20 @@ export declare namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType: string; @@ -50542,6 +40897,7 @@ export declare namespace gateway { * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ interface HTTPRouteSpecRulesSessionPersistencePatch { @@ -50550,6 +40906,7 @@ export declare namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout: string; @@ -50559,6 +40916,7 @@ export declare namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout: string; @@ -50568,6 +40926,7 @@ export declare namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName: string; @@ -50576,8 +40935,10 @@ export declare namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type: string; 
@@ -50585,6 +40946,7 @@ export declare namespace gateway { /** * Timeouts defines the timeouts that can be configured for an HTTP request. * + * * Support: Extended */ interface HTTPRouteSpecRulesTimeouts { @@ -50593,19 +40955,21 @@ export declare namespace gateway { * to a backend. This covers the time from when the request first starts being * sent from the gateway to when the full response has been received from the backend. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * An entire client HTTP transaction with a gateway, covered by the Request timeout, * may result in more than one call from the gateway to the destination backend, * for example, if automatic retries are supported. * - * The value of BackendRequest must be a Gateway API Duration string as defined by - * GEP-2257. When this field is unspecified, its behavior is implementation-specific; - * when specified, the value of BackendRequest must be no more than the value of the - * Request timeout (since the Request timeout encompasses the BackendRequest timeout). + * + * Because the Request timeout encompasses the BackendRequest timeout, the value of + * BackendRequest must be <= the value of Request timeout. + * * * Support: Extended */ 
@@ -50615,22 +40979,26 @@ export declare namespace gateway { * If the gateway has not been able to respond before this deadline is met, the gateway * MUST return a timeout error. * + * * For example, setting the `rules.timeouts.request` field to the value `10s` in an * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds * to complete. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * This timeout is intended to cover as close to the whole request-response transaction * as possible although an implementation MAY choose to start the timeout after the entire * request stream has been received instead of immediately after the transaction is * initiated by the client. * - * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - * field is unspecified, request timeout behavior is implementation-specific. + * + * When this field is unspecified, request timeout behavior is implementation-specific. + * * * Support: Extended */ @@ -50639,6 +41007,7 @@ export declare namespace gateway { /** * Timeouts defines the timeouts that can be configured for an HTTP request. * + * * Support: Extended */ interface HTTPRouteSpecRulesTimeoutsPatch { 
@@ -50647,19 +41016,21 @@ export declare namespace gateway { * to a backend. This covers the time from when the request first starts being * sent from the gateway to when the full response has been received from the backend. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * An entire client HTTP transaction with a gateway, covered by the Request timeout, * may result in more than one call from the gateway to the destination backend, * for example, if automatic retries are supported. * - * The value of BackendRequest must be a Gateway API Duration string as defined by - * GEP-2257. When this field is unspecified, its behavior is implementation-specific; - * when specified, the value of BackendRequest must be no more than the value of the - * Request timeout (since the Request timeout encompasses the BackendRequest timeout). + * + * Because the Request timeout encompasses the BackendRequest timeout, the value of + * BackendRequest must be <= the value of Request timeout. + * * * Support: Extended */ 
@@ -50669,22 +41040,26 @@ export declare namespace gateway { * If the gateway has not been able to respond before this deadline is met, the gateway * MUST return a timeout error. * + * * For example, setting the `rules.timeouts.request` field to the value `10s` in an * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds * to complete. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * This timeout is intended to cover as close to the whole request-response transaction * as possible although an implementation MAY choose to start the timeout after the entire * request stream has been received instead of immediately after the transaction is * initiated by the client. * - * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - * field is unspecified, request timeout behavior is implementation-specific. + * + * When this field is unspecified, request timeout behavior is implementation-specific. + * * * Support: Extended */ @@ -50702,11 +41077,13 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -50722,19 +41099,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -50744,12 +41125,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -50759,6 +41143,22 @@ export declare namespace gateway { } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface HTTPRouteStatusParentsConditions { /** @@ -50791,11 +41191,31 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ interface HTTPRouteStatusParentsConditionsPatch { /** 
@@ -50828,6 +41248,10 @@ export declare namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -50842,23 +41266,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -50866,6 +41295,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -50873,10 +41303,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -50884,6 +41316,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -50891,6 +41324,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -50900,15 +41334,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -50917,6 +41354,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -50924,6 +41362,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -50931,10 +41370,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -50944,6 +41385,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -50959,23 +41401,28 @@ export declare namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -50983,6 +41430,7 @@ export declare namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -50990,10 +41438,12 @@ export declare namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -51001,6 +41451,7 @@ export declare namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -51008,6 +41459,7 @@ export declare namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -51017,15 +41469,18 @@ export declare namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, 
@@ -51034,6 +41489,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -51041,6 +41497,7 @@ export declare namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -51048,10 +41505,12 @@ export declare namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -51061,6 +41520,7 @@ export declare namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; 
@@ -51075,19 +41535,23 @@ export declare namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -51097,12 +41561,15 @@ export declare namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -51122,11 +41589,13 @@ export declare namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ @@ -51137,13 +41606,16 @@ export declare namespace gateway { * trusted to reference the specified kinds of resources in the same namespace * as the policy. * + * * Each ReferenceGrant can be used to represent a unique trust relationship. * Additional Reference Grants can be used to add to the set of trusted * sources of inbound references for the namespace they are defined within. * + * * All cross-namespace references in Gateway API (with the exception of cross-namespace * Gateway-route attachment) require a ReferenceGrant. * + * * ReferenceGrant is a form of runtime verification allowing users to assert * which cross-namespace object references are permitted. Implementations that * support ReferenceGrant MUST NOT permit cross-namespace references which have @@ -51175,6 +41647,7 @@ export declare namespace gateway { * to be an additional place that references can be valid from, or to put * this another way, entries MUST be combined using OR. * + * * Support: Core */ from: outputs.gateway.v1beta1.ReferenceGrantSpecFrom[]; @@ -51184,6 +41657,7 @@ export declare namespace gateway { * additional place that references can be valid to, or to put this another * way, entries MUST be combined using OR. * + * * Support: Core */ to: outputs.gateway.v1beta1.ReferenceGrantSpecTo[]; 
@@ -51196,6 +41670,7 @@ export declare namespace gateway { * Group is the group of the referent. * When empty, the Kubernetes core API group is inferred. * + * * Support: Core */ group: string; @@ -51204,12 +41679,16 @@ export declare namespace gateway { * additional resources, the following types are part of the "Core" * support level for this field. * + * * When used to permit a SecretObjectReference: * + * * * Gateway * + * * When used to permit a BackendObjectReference: * + * * * GRPCRoute * * HTTPRoute * * TCPRoute @@ -51220,6 +41699,7 @@ export declare namespace gateway { /** * Namespace is the namespace of the referent. * + * * Support: Core */ namespace: string; @@ -51232,6 +41712,7 @@ export declare namespace gateway { * Group is the group of the referent. * When empty, the Kubernetes core API group is inferred. * + * * Support: Core */ group: string; @@ -51240,12 +41721,16 @@ export declare namespace gateway { * additional resources, the following types are part of the "Core" * support level for this field. * + * * When used to permit a SecretObjectReference: * + * * * Gateway * + * * When used to permit a BackendObjectReference: * + * * * GRPCRoute * * HTTPRoute * * TCPRoute @@ -51256,6 +41741,7 @@ export declare namespace gateway { /** * Namespace is the namespace of the referent. * + * * Support: Core */ namespace: string; @@ -51270,6 +41756,7 @@ export declare namespace gateway { * to be an additional place that references can be valid from, or to put * this another way, entries MUST be combined using OR. * + * * Support: Core */ from: outputs.gateway.v1beta1.ReferenceGrantSpecFromPatch[]; @@ -51279,6 +41766,7 @@ export declare namespace gateway { * additional place that references can be valid to, or to put this another * way, entries MUST be combined using OR. * + * * Support: Core */ to: outputs.gateway.v1beta1.ReferenceGrantSpecToPatch[]; 
@@ -51292,6 +41780,7 @@ export declare namespace gateway { * Group is the group of the referent. * When empty, the Kubernetes core API group is inferred. * + * * Support: Core */ group: string; @@ -51300,6 +41789,7 @@ export declare namespace gateway { * additional resources, the following types are part of the "Core" * support level for this field: * + * * * Secret when used to permit a SecretObjectReference * * Service when used to permit a BackendObjectReference */ @@ -51320,6 +41810,7 @@ export declare namespace gateway { * Group is the group of the referent. * When empty, the Kubernetes core API group is inferred. * + * * Support: Core */ group: string; @@ -51328,6 +41819,7 @@ export declare namespace gateway { * additional resources, the following types are part of the "Core" * support level for this field: * + * * * Secret when used to permit a SecretObjectReference * * Service when used to permit a BackendObjectReference */ diff --git a/generated/crds/types/output.ts b/generated/crds/types/output.ts index ef9c829..3d8af6d 100644 --- a/generated/crds/types/output.ts +++ b/generated/crds/types/output.ts @@ -34,9 +34,9 @@ export namespace acme { */ authorizationURL: string; /** - * dnsName is the identifier that this challenge is for, e.g., example.com. + * dnsName is the identifier that this challenge is for, e.g. example.com. * If the requested DNSName is a 'wildcard', this field MUST be set to the - * non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`. + * non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. */ dnsName: string; issuerRef: outputs.acme.v1.ChallengeSpecIssuerRef; 
@@ -82,17 +82,15 @@ export namespace acme { */ export interface ChallengeSpecIssuerRef { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group: string; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind: string; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name: string; } @@ -106,17 +104,15 @@ export namespace acme { */ export interface ChallengeSpecIssuerRefPatch { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group: string; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind: string; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name: string; } @@ -128,9 +124,9 @@ export namespace acme { */ authorizationURL: string; /** - * dnsName is the identifier that this challenge is for, e.g., example.com. + * dnsName is the identifier that this challenge is for, e.g. example.com. * If the requested DNSName is a 'wildcard', this field MUST be set to the - * non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`. + * non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. */ dnsName: string; issuerRef: outputs.acme.v1.ChallengeSpecIssuerRefPatch; 
@@ -461,18 +457,14 @@ export namespace acme { */ export interface ChallengeSpecSolverDns01AzureDNSManagedIdentity { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID: string; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID: string; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID: string; } /** @@ -482,18 +474,14 @@ export namespace acme { */ export interface ChallengeSpecSolverDns01AzureDNSManagedIdentityPatch { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID: string; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID: string; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID: string; } /** @@ -775,10 +763,6 @@ export namespace acme { * This field is required. */ nameserver: string; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol: string; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -806,10 +790,6 @@ export namespace acme { * This field is required. */ nameserver: string; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol: string; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -876,32 +856,11 @@ export namespace acme { accessKeyIDSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01Route53AccessKeyIDSecretRef; auth: outputs.acme.v1.ChallengeSpecSolverDns01Route53Auth; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID: string; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). 
- * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. + * Always set the region when using AccessKeyID and SecretAccessKey */ region: string; /** 
@@ -1039,32 +998,11 @@ export namespace acme { accessKeyIDSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01Route53AccessKeyIDSecretRefPatch; auth: outputs.acme.v1.ChallengeSpecSolverDns01Route53AuthPatch; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID: string; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). 
- * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. + * Always set the region when using AccessKeyID and SecretAccessKey */ region: string; /** @@ -1125,7 +1063,7 @@ export namespace acme { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -1141,7 +1079,7 @@ export namespace acme { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName: string; } @@ -1156,7 +1094,7 @@ export namespace acme { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -1172,7 +1110,7 @@ export namespace acme { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName: string; } 
@@ -1181,7 +1119,7 @@ export namespace acme { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ export interface ChallengeSpecSolverHttp01 { gatewayHTTPRoute: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoute; @@ -1207,7 +1145,6 @@ export namespace acme { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefs[]; - podTemplate: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplate; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. @@ -1220,12 +1157,15 @@ export namespace acme { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -1236,23 +1176,28 @@ export namespace acme { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -1260,17 +1205,20 @@ export namespace acme { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -1278,6 +1226,7 @@ export namespace acme { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -1285,6 +1234,7 @@ export namespace acme { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -1293,16 +1243,19 @@ export namespace acme { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -1311,6 +1264,7 @@ export namespace acme { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -1318,6 +1272,7 @@ export namespace acme { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -1325,10 +1280,12 @@ export namespace acme { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -1338,6 +1295,7 @@ export namespace acme { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -1348,12 +1306,15 @@ export namespace acme { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -1364,23 +1325,28 @@ export namespace acme { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; 
@@ -1388,17 +1354,20 @@ export namespace acme { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -1406,6 +1375,7 @@ export namespace acme { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -1413,6 +1383,7 @@ export namespace acme { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -1421,16 +1392,19 @@ export namespace acme { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -1439,6 +1413,7 @@ export namespace acme { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -1446,6 +1421,7 @@ export namespace acme { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -1453,10 +1429,12 @@ export namespace acme { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -1466,6 +1444,7 @@ export namespace acme { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -1490,7 +1469,6 @@ export namespace acme { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefsPatch[]; - podTemplate: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplatePatch; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. 
@@ -1498,2112 +1476,6 @@ export namespace acme { serviceType: string; } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplate { - metadata: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadata; - spec: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpec; - } - - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadata { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations: {[key: string]: string}; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels: {[key: string]: string}; - } - - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadataPatch { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations: {[key: string]: string}; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels: {[key: string]: string}; - } - - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. 
- */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplatePatch { - metadata: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadataPatch; - spec: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecPatch; - } - - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpec { - affinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinity; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets[]; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector: {[key: string]: string}; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName: string; - resources: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResources; - securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext; - /** - * If specified, the pod's service account - */ - serviceAccountName: string; - /** - * If specified, the pod's tolerations. 
- */ - tolerations: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerations[]; - } - - /** - * If specified, the pod's scheduling constraints - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinity { - nodeAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity; - podAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity; - podAntiAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity; - } - - /** - * Describes node affinity scheduling rules for the pod. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution; - } - - /** - * Describes node affinity scheduling rules for the pod. 
- */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch; - } - - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution { - preference: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight: number; - } - - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
- */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - preference: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight: number; - } - - /** - * A node selector term, associated with the corresponding weight. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. 
- * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector term, associated with the corresponding weight. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[]; - } - - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. 
- * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution { - /** - * Required. A list of node selector terms. The terms are ORed. - */ - nodeSelectorTerms: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[]; - } - - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. 
- * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 
- */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch { - /** - * A list of node selector requirements by node's labels. 
- */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[]; - } - - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - /** - * Required. A list of node selector terms. The terms are ORed. - */ - nodeSelectorTerms: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[]; - } - - /** - * If specified, the pod's scheduling constraints - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch { - nodeAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch; - podAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch; - podAntiAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch; - } - - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
- */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[]; - } - - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
- */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[]; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight: number; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight: number; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: {[key: string]: string}; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
- * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: {[key: string]: string}; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. 
- */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: {[key: string]: string}; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
- * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. 
- */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[]; - } - - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. 
- */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[]; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. 
- */ - weight: number; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight: number; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. 
- */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: {[key: string]: string}; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. 
- */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: {[key: string]: string}; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
- * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. 
Instances of this type with an empty value here are - * almost certainly wrong. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecPatch { - affinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch[]; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector: {[key: string]: string}; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName: string; - resources: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch; - securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch; - /** - * If specified, the pod's service account - */ - serviceAccountName: string; - /** - * If specified, the pod's tolerations. - */ - tolerations: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch[]; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. 
- * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: {[key: string]: number | string}; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: {[key: string]: number | string}; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: {[key: string]: number | string}; - /** - * Requests describes the minimum amount of compute resources required. 
- * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: {[key: string]: number | string}; - } - - /** - * If specified, the pod's security context - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions; - seccompProfile: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - sysctls: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls[]; - } - - /** - * If specified, the pod's security context - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. 
- * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch; - seccompProfile: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch[]; - } - - /** - * The SELinux context to be applied to all containers. 
- * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. - */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. - */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type: string; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. 
- */ - type: string; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerations { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect: string; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key: string; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator: string; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds: number; - /** - * Value is the taint value the toleration matches to. 
- * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value: string; - } - - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect: string; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key: string; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator: string; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds: number; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value: string; - } - /** * The ingress based HTTP01 challenge solver will solve challenges by * creating or modifying Ingress resources in order to route requests for 
@@ -3749,7 +1621,7 @@ export namespace acme { */ export interface ChallengeSpecSolverHttp01IngressPodTemplateMetadata { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations: {[key: string]: string}; /** @@ -3766,7 +1638,7 @@ export namespace acme { */ export interface ChallengeSpecSolverHttp01IngressPodTemplateMetadataPatch { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations: {[key: string]: string}; /** @@ -3805,8 +1677,6 @@ export namespace acme { * If specified, the pod's priorityClassName. */ priorityClassName: string; - resources: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecResources; - securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContext; /** * If specified, the pod's service account */ @@ -4271,6 +2141,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -4282,6 +2153,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; 
@@ -4482,6 +2354,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -4493,6 +2366,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; @@ -4532,6 +2406,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -4543,6 +2418,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; 
@@ -4748,6 +2624,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -4759,6 +2636,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; @@ -4790,8 +2668,8 @@ export namespace acme { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; 
@@ -4818,8 +2696,8 @@ export namespace acme { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; @@ -4873,6 +2751,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -4884,6 +2763,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; 
@@ -5084,6 +2964,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -5095,6 +2976,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; @@ -5134,6 +3016,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -5145,6 +3028,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; 
@@ -5350,6 +3234,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -5361,6 +3246,7 @@ export namespace acme { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; @@ -5391,7 +3277,9 @@ export namespace acme { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name: string; } @@ -5406,7 +3294,9 @@ export namespace acme { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name: string; } 
@@ -5432,8 +3322,6 @@ export namespace acme { * If specified, the pod's priorityClassName. */ priorityClassName: string; - resources: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecResourcesPatch; - securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextPatch; /** * If specified, the pod's service account */ 
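Review bot: The new side of this hunk no longer declares `resources` or `securityContext` on the Patch variant of the HTTP01 ingress solver pod template spec. The `@@ -3805,8 +1677,6 @@` hunk drops the same two fields from the non-Patch variant, and the next hunk deletes the `…PodTemplateSpecSecurityContext*` interfaces, so consumers of these output types lose typed access to `runAsNonRoot`, `seccompProfile` and the other pod-hardening settings for solver pods. The "alpha field" and `TODO` comment lines added elsewhere in the diff suggest the types were regenerated from an older CRD schema, although the page does not show the generator input. If that downgrade is not intended, regenerate from the CRD version actually deployed so that `securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextPatch;` is kept. The enclosing interface starts and ends outside the hunk, and the file appears to be generated, so the fix belongs in the generator input rather than in a hand edit here.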
@@ -5444,328 +3332,6 @@ export namespace acme { tolerations: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerationsPatch[]; } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: {[key: string]: number | string}; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: {[key: string]: number | string}; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. 
- */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: {[key: string]: number | string}; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: {[key: string]: number | string}; - } - - /** - * If specified, the pod's security context - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions; - seccompProfile: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfile; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. 
- * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctls[]; - } - - /** - * If specified, the pod's security context - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. 
- * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch; - seccompProfile: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. 
- * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch[]; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. - */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. - */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. 
- */ - user: string; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type: string; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. 
- */ - type: string; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - /** * The pod this Toleration is attached to tolerates any taint that matches * the triple using the matching operator . @@ -5842,7 +3408,7 @@ export namespace acme { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ export interface ChallengeSpecSolverHttp01Patch { gatewayHTTPRoute: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePatch; @@ -6040,11 +3606,6 @@ export namespace acme { */ ipAddresses: string[]; issuerRef: outputs.acme.v1.OrderSpecIssuerRef; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile: string; /** * Certificate signing request bytes in DER encoding. * This will be used when finalizing the order. 
@@ -6062,17 +3623,15 @@ export namespace acme { */ export interface OrderSpecIssuerRef { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group: string; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind: string; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name: string; } @@ -6086,17 +3645,15 @@ export namespace acme { */ export interface OrderSpecIssuerRefPatch { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group: string; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind: string; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name: string; } @@ -6126,11 +3683,6 @@ export namespace acme { */ ipAddresses: string[]; issuerRef: outputs.acme.v1.OrderSpecIssuerRefPatch; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile: string; /** * Certificate signing request bytes in DER encoding. * This will be used when finalizing the order. @@ -6236,7 +3788,7 @@ export namespace acme { */ token: string; /** - * Type is the type of challenge being offered, e.g., 'http-01', 'dns-01', + * Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', * 'tls-sni-01', etc. * This is the raw value retrieved from the ACME server. * Only 'http-01' and 'dns-01' are supported by cert-manager, other values 
@@ -6262,7 +3814,7 @@ export namespace acme { */ token: string; /** - * Type is the type of challenge being offered, e.g., 'http-01', 'dns-01', + * Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', * 'tls-sni-01', etc. * This is the raw value retrieved from the ACME server. * Only 'http-01' and 'dns-01' are supported by cert-manager, other values @@ -6370,6 +3922,7 @@ export namespace cert_manager { * A Certificate resource should be created to ensure an up to date and signed * X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. * + * * The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`). */ export interface Certificate { @@ -6393,10 +3946,12 @@ export namespace cert_manager { * A CertificateRequest is used to request a signed certificate from one of the * configured issuers. * + * * All fields within the CertificateRequest's `spec` are immutable after creation. * A CertificateRequest will either succeed or fail, as denoted by its `Ready` status * condition and its `status.failureTime` field. * + * * A CertificateRequest is a one-shot resource, meaning it represents a single * point in time request for a certificate and cannot be re-used. */ @@ -6442,9 +3997,11 @@ export namespace cert_manager { * Requested basic constraints isCA value. Note that the issuer may choose * to ignore the requested isCA value, just like any other requested attribute. * + * * NOTE: If the CSR in the `Request` field has a BasicConstraints extension, * it must have the same isCA value as specified here. * + * * If true, this will automatically add the `cert sign` usage to the list * of requested `usages`. */ 
@@ -6454,6 +4011,7 @@ export namespace cert_manager { * The PEM-encoded X.509 certificate signing request to be submitted to the * issuer for signing. * + * * If the CSR has a BasicConstraints extension, its isCA attribute must * match the `isCA` value of this CertificateRequest. * If the CSR has a KeyUsage extension, its key usages must match the @@ -6471,10 +4029,12 @@ export namespace cert_manager { /** * Requested key usages and extended key usages. * + * * NOTE: If the CSR in the `Request` field has uses the KeyUsage or * ExtKeyUsage extension, these extensions must have the same values * as specified here without any additional values. * + * * If unset, defaults to `digital signature` and `key encipherment`. */ usages: string[]; @@ -6491,21 +4051,20 @@ export namespace cert_manager { * as the Certificate. If the issuer is cluster-scoped, it can be used * from any namespace. * + * * The `name` field of the reference must always be specified. */ export interface CertificateRequestSpecIssuerRef { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group: string; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind: string; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name: string; } 
@@ -6516,21 +4075,20 @@ export namespace cert_manager { * as the Certificate. If the issuer is cluster-scoped, it can be used * from any namespace. * + * * The `name` field of the reference must always be specified. */ export interface CertificateRequestSpecIssuerRefPatch { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group: string; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind: string; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name: string; } @@ -6560,9 +4118,11 @@ export namespace cert_manager { * Requested basic constraints isCA value. Note that the issuer may choose * to ignore the requested isCA value, just like any other requested attribute. * + * * NOTE: If the CSR in the `Request` field has a BasicConstraints extension, * it must have the same isCA value as specified here. * + * * If true, this will automatically add the `cert sign` usage to the list * of requested `usages`. */ @@ -6572,6 +4132,7 @@ export namespace cert_manager { * The PEM-encoded X.509 certificate signing request to be submitted to the * issuer for signing. * + * * If the CSR has a BasicConstraints extension, its isCA attribute must * match the `isCA` value of this CertificateRequest. * If the CSR has a KeyUsage extension, its key usages must match the @@ -6589,10 +4150,12 @@ export namespace cert_manager { /** * Requested key usages and extended key usages. * + * * NOTE: If the CSR in the `Request` field has uses the KeyUsage or * ExtKeyUsage extension, these extensions must have the same values * as specified here without any additional values. * + * * If unset, defaults to `digital signature` and `key encipherment`. */ usages: string[]; 
@@ -6739,6 +4302,11 @@ export namespace cert_manager { /** * Defines extra output formats of the private key and signed certificate chain * to be written to this Certificate's target Secret. + * + * + * This is a Beta Feature enabled by default. It can be disabled with the + * `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both + * the controller and webhook components. */ additionalOutputFormats: outputs.cert_manager.v1.CertificateSpecAdditionalOutputFormats[]; /** @@ -6747,6 +4315,7 @@ export namespace cert_manager { * NOTE: TLS clients will ignore this value when any subject alternative name is * set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). * + * * Should have a length of 64 characters or fewer to avoid generating invalid CSRs. * Cannot be set if the `literalSubject` field is set. */ @@ -6760,6 +4329,7 @@ export namespace cert_manager { * issuer may choose to ignore the requested duration, just like any other * requested attribute. * + * * If unset, this defaults to 90 days. * Minimum accepted duration is 1 hour. * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. @@ -6772,6 +4342,7 @@ export namespace cert_manager { /** * Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR. * + * * This option defaults to true, and should only be disabled if the target * issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions. */ @@ -6786,6 +4357,7 @@ export namespace cert_manager { * resources. Note that the issuer may choose to ignore the requested isCA value, just * like any other requested attribute. * + * * If true, this will automatically add the `cert sign` usage to the list * of requested `usages`. */ 
@@ -6802,6 +4374,7 @@ export namespace cert_manager { * More info: https://github.com/cert-manager/cert-manager/issues/3203 * More info: https://github.com/cert-manager/cert-manager/issues/4424 * + * * Cannot be set if the `subject` or `commonName` field is set. */ literalSubject: string; 
@@ -6821,33 +4394,17 @@ export namespace cert_manager { * 50 minutes after it was issued (i.e. when there are 10 minutes remaining until * the certificate is no longer valid). * + * * NOTE: The actual lifetime of the issued certificate is used to determine the * renewal time. If an issuer returns a certificate with a different lifetime than * the one requested, cert-manager will use the lifetime of the issued certificate. * + * * If unset, this defaults to 1/3 of the issued certificate's lifetime. * Minimum accepted value is 5 minutes. * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. - * Cannot be set if the `renewBeforePercentage` field is set. */ renewBefore: string; - /** - * `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage - * rather than an absolute duration. For example, if a certificate is valid for 60 - * minutes, and `renewBeforePercentage=25`, cert-manager will begin to attempt to - * renew the certificate 45 minutes after it was issued (i.e. when there are 15 - * minutes (25%) remaining until the certificate is no longer valid). - * - * NOTE: The actual lifetime of the issued certificate is used to determine the - * renewal time. If an issuer returns a certificate with a different lifetime than - * the one requested, cert-manager will use the lifetime of the issued certificate. - * - * Value must be an integer in the range (0,100). The minimum effective - * `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5 - * minutes. - * Cannot be set if the `renewBefore` field is set. - */ - renewBeforePercentage: number; /** * The maximum number of CertificateRequest revisions that are maintained in * the Certificate's history. Each revision represents a single `CertificateRequest` 
@@ -6855,8 +4412,10 @@ export namespace cert_manager { * was changed. Revisions will be removed by oldest first if the number of * revisions exceeds this number. * + * * If set, revisionHistoryLimit must be a value of `1` or greater. - * Default value is `1`. + * If unset (`nil`), revisions will not be garbage collected. + * Default value is `nil`. */ revisionHistoryLimit: number; /** @@ -6867,13 +4426,6 @@ export namespace cert_manager { */ secretName: string; secretTemplate: outputs.cert_manager.v1.CertificateSpecSecretTemplate; - /** - * Signature algorithm to use. - * Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA. - * Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512. - * Allowed values for Ed25519 keys: PureEd25519. - */ - signatureAlgorithm: string; subject: outputs.cert_manager.v1.CertificateSpecSubject; /** * Requested URI subject alternative names. @@ -6885,6 +4437,7 @@ export namespace cert_manager { * resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages * will additionally be encoded in the `request` field which contains the CSR blob. * + * * If unset, defaults to `digital signature` and `key encipherment`. */ usages: string[]; @@ -6922,21 +4475,20 @@ export namespace cert_manager { * as the Certificate. If the issuer is cluster-scoped, it can be used * from any namespace. * + * * The `name` field of the reference must always be specified. */ export interface CertificateSpecIssuerRef { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group: string; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind: string; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name: string; } 
@@ -6947,21 +4499,20 @@ export namespace cert_manager { * as the Certificate. If the issuer is cluster-scoped, it can be used * from any namespace. * + * * The `name` field of the reference must always be specified. */ export interface CertificateSpecIssuerRefPatch { /** - * Group of the issuer being referred to. - * Defaults to 'cert-manager.io'. + * Group of the resource being referred to. */ group: string; /** - * Kind of the issuer being referred to. - * Defaults to 'Issuer'. + * Kind of the resource being referred to. */ kind: string; /** - * Name of the issuer being referred to. + * Name of the resource being referred to. */ name: string; } @@ -6988,7 +4539,7 @@ export namespace cert_manager { * Create enables JKS keystore creation for the Certificate. * If true, a file named `keystore.jks` will be created in the target * Secret resource, encrypted using the password stored in - * `passwordSecretRef` or `password`. + * `passwordSecretRef`. * The keystore file will be updated immediately. * If the issuer provided a CA certificate, a file named `truststore.jks` * will also be created in the target Secret resource, encrypted using the 
@@ -6996,20 +4547,12 @@ export namespace cert_manager { * containing the issuing Certificate Authority */ create: boolean; - /** - * Password provides a literal password used to encrypt the JKS keystore. - * Mutually exclusive with passwordSecretRef. - * One of password or passwordSecretRef must provide a password with a non-zero length. - */ - password: string; passwordSecretRef: outputs.cert_manager.v1.CertificateSpecKeystoresJksPasswordSecretRef; } /** - * PasswordSecretRef is a reference to a non-empty key in a Secret resource + * PasswordSecretRef is a reference to a key in a Secret resource * containing the password used to encrypt the JKS keystore. - * Mutually exclusive with password. - * One of password or passwordSecretRef must provide a password with a non-zero length. */ export interface CertificateSpecKeystoresJksPasswordSecretRef { /** @@ -7026,10 +4569,8 @@ export namespace cert_manager { } /** - * PasswordSecretRef is a reference to a non-empty key in a Secret resource + * PasswordSecretRef is a reference to a key in a Secret resource * containing the password used to encrypt the JKS keystore. - * Mutually exclusive with password. - * One of password or passwordSecretRef must provide a password with a non-zero length. */ export interface CertificateSpecKeystoresJksPasswordSecretRefPatch { /** @@ -7059,7 +4600,7 @@ export namespace cert_manager { * Create enables JKS keystore creation for the Certificate. * If true, a file named `keystore.jks` will be created in the target * Secret resource, encrypted using the password stored in - * `passwordSecretRef` or `password`. + * `passwordSecretRef`. * The keystore file will be updated immediately. * If the issuer provided a CA certificate, a file named `truststore.jks` * will also be created in the target Secret resource, encrypted using the 
@@ -7067,12 +4608,6 @@ export namespace cert_manager { * containing the issuing Certificate Authority */ create: boolean; - /** - * Password provides a literal password used to encrypt the JKS keystore. - * Mutually exclusive with passwordSecretRef. - * One of password or passwordSecretRef must provide a password with a non-zero length. - */ - password: string; passwordSecretRef: outputs.cert_manager.v1.CertificateSpecKeystoresJksPasswordSecretRefPatch; } @@ -7093,7 +4628,7 @@ export namespace cert_manager { * Create enables PKCS12 keystore creation for the Certificate. * If true, a file named `keystore.p12` will be created in the target * Secret resource, encrypted using the password stored in - * `passwordSecretRef` or in `password`. + * `passwordSecretRef`. * The keystore file will be updated immediately. * If the issuer provided a CA certificate, a file named `truststore.p12` will * also be created in the target Secret resource, encrypted using the 
@@ -7101,32 +4636,25 @@ export namespace cert_manager { * Authority */ create: boolean; - /** - * Password provides a literal password used to encrypt the PKCS#12 keystore. - * Mutually exclusive with passwordSecretRef. - * One of password or passwordSecretRef must provide a password with a non-zero length. - */ - password: string; passwordSecretRef: outputs.cert_manager.v1.CertificateSpecKeystoresPkcs12PasswordSecretRef; /** * Profile specifies the key and certificate encryption algorithms and the HMAC algorithm * used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. * + * * If provided, allowed values are: * `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. * `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. * `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms - * (e.g., because of company policy). Please note that the security of the algorithm is not that important + * (eg. because of company policy). Please note that the security of the algorithm is not that important * in reality, because the unencrypted certificate and private key are also stored in the Secret. */ profile: string; } /** - * PasswordSecretRef is a reference to a non-empty key in a Secret resource - * containing the password used to encrypt the PKCS#12 keystore. - * Mutually exclusive with password. - * One of password or passwordSecretRef must provide a password with a non-zero length. + * PasswordSecretRef is a reference to a key in a Secret resource + * containing the password used to encrypt the PKCS12 keystore. */ export interface CertificateSpecKeystoresPkcs12PasswordSecretRef { /** 
@@ -7143,10 +4671,8 @@ export namespace cert_manager { } /** - * PasswordSecretRef is a reference to a non-empty key in a Secret resource - * containing the password used to encrypt the PKCS#12 keystore. - * Mutually exclusive with password. - * One of password or passwordSecretRef must provide a password with a non-zero length. + * PasswordSecretRef is a reference to a key in a Secret resource + * containing the password used to encrypt the PKCS12 keystore. */ export interface CertificateSpecKeystoresPkcs12PasswordSecretRefPatch { /** @@ -7171,7 +4697,7 @@ export namespace cert_manager { * Create enables PKCS12 keystore creation for the Certificate. * If true, a file named `keystore.p12` will be created in the target * Secret resource, encrypted using the password stored in - * `passwordSecretRef` or in `password`. + * `passwordSecretRef`. * The keystore file will be updated immediately. * If the issuer provided a CA certificate, a file named `truststore.p12` will * also be created in the target Secret resource, encrypted using the 
@@ -7179,22 +4705,17 @@ export namespace cert_manager { * Authority */ create: boolean; - /** - * Password provides a literal password used to encrypt the PKCS#12 keystore. - * Mutually exclusive with passwordSecretRef. - * One of password or passwordSecretRef must provide a password with a non-zero length. - */ - password: string; passwordSecretRef: outputs.cert_manager.v1.CertificateSpecKeystoresPkcs12PasswordSecretRefPatch; /** * Profile specifies the key and certificate encryption algorithms and the HMAC algorithm * used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. * + * * If provided, allowed values are: * `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. * `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. * `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms - * (e.g., because of company policy). Please note that the security of the algorithm is not that important + * (eg. because of company policy). Please note that the security of the algorithm is not that important * in reality, because the unencrypted certificate and private key are also stored in the Secret. */ profile: string; @@ -7204,6 +4725,7 @@ export namespace cert_manager { * x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. * More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 * + * * This is an Alpha Feature and is only enabled with the * `--feature-gates=NameConstraints=true` option set on both * the controller and webhook components. 
@@ -7271,6 +4793,7 @@ export namespace cert_manager { * x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. * More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 * + * * This is an Alpha Feature and is only enabled with the * `--feature-gates=NameConstraints=true` option set on both * the controller and webhook components. @@ -7366,6 +4889,11 @@ export namespace cert_manager { /** * Defines extra output formats of the private key and signed certificate chain * to be written to this Certificate's target Secret. + * + * + * This is a Beta Feature enabled by default. It can be disabled with the + * `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both + * the controller and webhook components. */ additionalOutputFormats: outputs.cert_manager.v1.CertificateSpecAdditionalOutputFormatsPatch[]; /** @@ -7374,6 +4902,7 @@ export namespace cert_manager { * NOTE: TLS clients will ignore this value when any subject alternative name is * set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). * + * * Should have a length of 64 characters or fewer to avoid generating invalid CSRs. * Cannot be set if the `literalSubject` field is set. */ @@ -7387,6 +4916,7 @@ export namespace cert_manager { * issuer may choose to ignore the requested duration, just like any other * requested attribute. * + * * If unset, this defaults to 90 days. * Minimum accepted duration is 1 hour. * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. @@ -7399,6 +4929,7 @@ export namespace cert_manager { /** * Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR. * + * * This option defaults to true, and should only be disabled if the target * issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions. */ 
@@ -7413,6 +4944,7 @@ export namespace cert_manager { * resources. Note that the issuer may choose to ignore the requested isCA value, just * like any other requested attribute. * + * * If true, this will automatically add the `cert sign` usage to the list * of requested `usages`. */ @@ -7429,6 +4961,7 @@ export namespace cert_manager { * More info: https://github.com/cert-manager/cert-manager/issues/3203 * More info: https://github.com/cert-manager/cert-manager/issues/4424 * + * * Cannot be set if the `subject` or `commonName` field is set. */ literalSubject: string; 
@@ -7448,33 +4981,17 @@ export namespace cert_manager { * 50 minutes after it was issued (i.e. when there are 10 minutes remaining until * the certificate is no longer valid). * + * * NOTE: The actual lifetime of the issued certificate is used to determine the * renewal time. If an issuer returns a certificate with a different lifetime than * the one requested, cert-manager will use the lifetime of the issued certificate. * + * * If unset, this defaults to 1/3 of the issued certificate's lifetime. * Minimum accepted value is 5 minutes. * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. - * Cannot be set if the `renewBeforePercentage` field is set. */ renewBefore: string; - /** - * `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage - * rather than an absolute duration. For example, if a certificate is valid for 60 - * minutes, and `renewBeforePercentage=25`, cert-manager will begin to attempt to - * renew the certificate 45 minutes after it was issued (i.e. when there are 15 - * minutes (25%) remaining until the certificate is no longer valid). - * - * NOTE: The actual lifetime of the issued certificate is used to determine the - * renewal time. If an issuer returns a certificate with a different lifetime than - * the one requested, cert-manager will use the lifetime of the issued certificate. - * - * Value must be an integer in the range (0,100). The minimum effective - * `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5 - * minutes. - * Cannot be set if the `renewBefore` field is set. - */ - renewBeforePercentage: number; /** * The maximum number of CertificateRequest revisions that are maintained in * the Certificate's history. Each revision represents a single `CertificateRequest` 
@@ -7482,8 +4999,10 @@ export namespace cert_manager { * was changed. Revisions will be removed by oldest first if the number of * revisions exceeds this number. * + * * If set, revisionHistoryLimit must be a value of `1` or greater. - * Default value is `1`. + * If unset (`nil`), revisions will not be garbage collected. + * Default value is `nil`. */ revisionHistoryLimit: number; /** @@ -7494,13 +5013,6 @@ export namespace cert_manager { */ secretName: string; secretTemplate: outputs.cert_manager.v1.CertificateSpecSecretTemplatePatch; - /** - * Signature algorithm to use. - * Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA. - * Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512. - * Allowed values for Ed25519 keys: PureEd25519. - */ - signatureAlgorithm: string; subject: outputs.cert_manager.v1.CertificateSpecSubjectPatch; /** * Requested URI subject alternative names. @@ -7512,6 +5024,7 @@ export namespace cert_manager { * resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages * will additionally be encoded in the `request` field which contains the CSR blob. * + * * If unset, defaults to `digital signature` and `key encipherment`. */ usages: string[]; @@ -7526,6 +5039,7 @@ export namespace cert_manager { * Algorithm is the private key algorithm of the corresponding private key * for this certificate. * + * * If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. * If `algorithm` is specified and `size` is not provided, * key size of 2048 will be used for `RSA` key algorithm and @@ -7537,6 +5051,7 @@ export namespace cert_manager { * The private key cryptography standards (PKCS) encoding for this * certificate's private key to be encoded in. * + * * If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 * and PKCS#8, respectively. * Defaults to `PKCS1` if not specified. 
@@ -7546,22 +5061,20 @@ export namespace cert_manager { * RotationPolicy controls how private keys should be regenerated when a * re-issuance is being processed. * + * * If set to `Never`, a private key will only be generated if one does not - * already exist in the target `spec.secretName`. If one does exist but it + * already exist in the target `spec.secretName`. If one does exists but it * does not have the correct algorithm or size, a warning will be raised * to await user intervention. * If set to `Always`, a private key matching the specified requirements * will be generated whenever a re-issuance occurs. - * Default is `Always`. - * The default was changed from `Never` to `Always` in cert-manager >=v1.18.0. - * The new default can be disabled by setting the - * `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on - * the controller component. + * Default is `Never` for backward compatibility. */ rotationPolicy: string; /** * Size is the key bit size of the corresponding private key for this certificate. * + * * If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, * and will default to `2048` if not specified. * If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, @@ -7581,6 +5094,7 @@ export namespace cert_manager { * Algorithm is the private key algorithm of the corresponding private key * for this certificate. * + * * If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. * If `algorithm` is specified and `size` is not provided, * key size of 2048 will be used for `RSA` key algorithm and @@ -7592,6 +5106,7 @@ export namespace cert_manager { * The private key cryptography standards (PKCS) encoding for this * certificate's private key to be encoded in. * + * * If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 * and PKCS#8, respectively. * Defaults to `PKCS1` if not specified. 
@@ -7601,22 +5116,20 @@ export namespace cert_manager { * RotationPolicy controls how private keys should be regenerated when a * re-issuance is being processed. * + * * If set to `Never`, a private key will only be generated if one does not - * already exist in the target `spec.secretName`. If one does exist but it + * already exist in the target `spec.secretName`. If one does exists but it * does not have the correct algorithm or size, a warning will be raised * to await user intervention. * If set to `Always`, a private key matching the specified requirements * will be generated whenever a re-issuance occurs. - * Default is `Always`. - * The default was changed from `Never` to `Always` in cert-manager >=v1.18.0. - * The new default can be disabled by setting the - * `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on - * the controller component. + * Default is `Never` for backward compatibility. */ rotationPolicy: string; /** * Size is the key bit size of the corresponding private key for this certificate. * + * * If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, * and will default to `2048` if not specified. * If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, @@ -7667,6 +5180,7 @@ export namespace cert_manager { * Requested set of X509 certificate subject attributes. * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 * + * * The common name attribute is specified separately in the `commonName` field. * Cannot be set if the `literalSubject` field is set. */ @@ -7709,6 +5223,7 @@ export namespace cert_manager { * Requested set of X509 certificate subject attributes. * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 * + * * The common name attribute is specified separately in the `commonName` field. * Cannot be set if the `literalSubject` field is set. */ 
@@ -7768,7 +5283,7 @@ export namespace cert_manager { */ failedIssuanceAttempts: number; /** - * LastFailureTime is set only if the latest issuance for this + * LastFailureTime is set only if the lastest issuance for this * Certificate failed and contains the time of the failure. If an * issuance has failed, the delay till the next issuance will be * calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - @@ -7803,13 +5318,16 @@ export namespace cert_manager { /** * The current 'revision' of the certificate as issued. * + * * When a CertificateRequest resource is created, it will have the * `cert-manager.io/certificate-revision` set to one greater than the * current value of this field. * + * * Upon issuance, this field will be set to the value of the annotation * on the CertificateRequest resource used to issue the certificate. * + * * Persisting the value on the CertificateRequest resource allows the * certificates controller to know whether a request is part of an old * issuance or if it is part of the ongoing revision's issuance by @@ -7820,7 +5338,7 @@ export namespace cert_manager { } /** - * CertificateCondition contains condition information for a Certificate. + * CertificateCondition contains condition information for an Certificate. */ export interface CertificateStatusConditions { /** @@ -7857,7 +5375,7 @@ export namespace cert_manager { } /** - * CertificateCondition contains condition information for a Certificate. + * CertificateCondition contains condition information for an Certificate. */ export interface CertificateStatusConditionsPatch { /** 
@@ -7914,7 +5432,7 @@ export namespace cert_manager { */ failedIssuanceAttempts: number; /** - * LastFailureTime is set only if the latest issuance for this + * LastFailureTime is set only if the lastest issuance for this * Certificate failed and contains the time of the failure. If an * issuance has failed, the delay till the next issuance will be * calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - @@ -7949,13 +5467,16 @@ export namespace cert_manager { /** * The current 'revision' of the certificate as issued. * + * * When a CertificateRequest resource is created, it will have the * `cert-manager.io/certificate-revision` set to one greater than the * current value of this field. * + * * Upon issuance, this field will be set to the value of the annotation * on the CertificateRequest resource used to issue the certificate. * + * * Persisting the value on the CertificateRequest resource allows the * certificates controller to know whether a request is part of an old * issuance or if it is part of the ongoing revision's issuance by @@ -8044,7 +5565,7 @@ export namespace cert_manager { * PreferredChain is the chain to use if the ACME server outputs multiple. * PreferredChain is no guarantee that this one gets delivered by the ACME * endpoint. - * For example, for Let's Encrypt's DST cross-sign you would use: + * For example, for Let's Encrypt's DST crosssign you would use: * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. * This value picks the first certificate bundle in the combined set of * ACME default and alternative chains that has a root-most certificate with 
@@ -8052,11 +5573,6 @@ export namespace cert_manager { */ preferredChain: string; privateKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmePrivateKeySecretRef; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile: string; /** * Server is the URL used to access the ACME server's 'directory' endpoint. * For example, for Let's Encrypt's staging endpoint, you would use: @@ -8216,7 +5732,7 @@ export namespace cert_manager { * PreferredChain is the chain to use if the ACME server outputs multiple. * PreferredChain is no guarantee that this one gets delivered by the ACME * endpoint. - * For example, for Let's Encrypt's DST cross-sign you would use: + * For example, for Let's Encrypt's DST crosssign you would use: * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. * This value picks the first certificate bundle in the combined set of * ACME default and alternative chains that has a root-most certificate with @@ -8224,11 +5740,6 @@ export namespace cert_manager { */ preferredChain: string; privateKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmePrivateKeySecretRefPatch; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile: string; /** * Server is the URL used to access the ACME server's 'directory' endpoint. * For example, for Let's Encrypt's staging endpoint, you would use: 
@@ -8595,18 +6106,14 @@ export namespace cert_manager { */ export interface ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentity { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID: string; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID: string; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID: string; } /** @@ -8616,18 +6123,14 @@ export namespace cert_manager { */ export interface ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID: string; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID: string; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID: string; } /** @@ -8909,10 +6412,6 @@ export namespace cert_manager { * This field is required. */ nameserver: string; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol: string; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -8940,10 +6439,6 @@ export namespace cert_manager { * This field is required. */ nameserver: string; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol: string; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -9010,32 +6505,11 @@ export namespace cert_manager { accessKeyIDSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef; auth: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53Auth; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID: string; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). 
- * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. + * Always set the region when using AccessKeyID and SecretAccessKey */ region: string; /** 
@@ -9173,32 +6647,11 @@ export namespace cert_manager { accessKeyIDSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch; auth: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthPatch; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID: string; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). 
- * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. + * Always set the region when using AccessKeyID and SecretAccessKey */ region: string; /** @@ -9259,7 +6712,7 @@ export namespace cert_manager { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -9275,7 +6728,7 @@ export namespace cert_manager { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName: string; } @@ -9290,7 +6743,7 @@ export namespace cert_manager { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -9306,7 +6759,7 @@ export namespace cert_manager { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName: string; } 
@@ -9315,7 +6768,7 @@ export namespace cert_manager { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ export interface ClusterIssuerSpecAcmeSolversHttp01 { gatewayHTTPRoute: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoute; @@ -9341,7 +6794,6 @@ export namespace cert_manager { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs[]; - podTemplate: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. @@ -9354,12 +6806,15 @@ export namespace cert_manager { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -9370,23 +6825,28 @@ export namespace cert_manager { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -9394,17 +6854,20 @@ export namespace cert_manager { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -9412,6 +6875,7 @@ export namespace cert_manager { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -9419,6 +6883,7 @@ export namespace cert_manager { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -9427,16 +6892,19 @@ export namespace cert_manager { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -9445,6 +6913,7 @@ export namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -9452,6 +6921,7 @@ export namespace cert_manager { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -9459,10 +6929,12 @@ export namespace cert_manager { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -9472,6 +6944,7 @@ export namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -9482,12 +6955,15 @@ export namespace cert_manager { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -9498,23 +6974,28 @@ export namespace cert_manager { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; 
@@ -9522,17 +7003,20 @@ export namespace cert_manager { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -9540,6 +7024,7 @@ export namespace cert_manager { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -9547,6 +7032,7 @@ export namespace cert_manager { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -9555,16 +7041,19 @@ export namespace cert_manager { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -9573,6 +7062,7 @@ export namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -9580,6 +7070,7 @@ export namespace cert_manager { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -9587,10 +7078,12 @@ export namespace cert_manager { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -9600,6 +7093,7 @@ export namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -9624,7 +7118,6 @@ export namespace cert_manager { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch[]; - podTemplate: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. 
@@ -9632,2112 +7125,6 @@ export namespace cert_manager { serviceType: string; } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate { - metadata: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata; - spec: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec; - } - - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations: {[key: string]: string}; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels: {[key: string]: string}; - } - - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations: {[key: string]: string}; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels: {[key: string]: string}; - } - - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch { - metadata: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch; - spec: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch; - } - - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec { - affinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets[]; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector: {[key: string]: string}; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName: string; - resources: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources; - securityContext: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext; - /** - * If specified, the pod's service account - */ - serviceAccountName: string; - /** - * If specified, the pod's tolerations. 
- */ - tolerations: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations[]; - } - - /** - * If specified, the pod's scheduling constraints - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity { - nodeAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity; - podAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity; - podAntiAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity; - } - - /** - * Describes node affinity scheduling rules for the pod. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution; - } - - /** - * Describes node affinity scheduling rules for the pod. 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch; - } - - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution { - preference: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight: number; - } - - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). 
A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - preference: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight: number; - } - - /** - * A node selector term, associated with the corresponding weight. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector term, associated with the corresponding weight. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[]; - /** - * A list of node selector requirements by node's fields. 
- */ - matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[]; - } - - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution { - /** - * Required. A list of node selector terms. The terms are ORed. - */ - nodeSelectorTerms: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[]; - } - - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[]; - /** - * A list of node selector requirements by node's fields. 
- */ - matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[]; - } - - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - /** - * Required. A list of node selector terms. The terms are ORed. 
- */ - nodeSelectorTerms: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[]; - } - - /** - * If specified, the pod's scheduling constraints - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch { - nodeAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch; - podAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch; - podAntiAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch; - } - - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. 
- */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[]; - } - - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. 
- */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[]; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. 
- */ - weight: number; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight: number; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: {[key: string]: string}; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. 
The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[]; - } - - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. 
- * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[]; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. 
- */ - weight: number; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight: number; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: {[key: string]: string}; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. 
- * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch { - affinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch[]; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector: {[key: string]: string}; - /** - * If specified, the pod's priorityClassName. 
- */ - priorityClassName: string; - resources: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch; - securityContext: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch; - /** - * If specified, the pod's service account - */ - serviceAccountName: string; - /** - * If specified, the pod's tolerations. - */ - tolerations: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch[]; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: {[key: string]: number | string}; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: {[key: string]: number | string}; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. 
- * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: {[key: string]: number | string}; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: {[key: string]: number | string}; - } - - /** - * If specified, the pod's security context - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. 
This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - runAsUser: number; - seLinuxOptions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions; - seccompProfile: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls[]; - } - - /** - * If specified, the pod's security context - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - runAsUser: number; - seLinuxOptions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch; - seccompProfile: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch[]; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. 
- */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. - */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. 
- * Unconfined - no profile should be applied. - */ - type: string; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type: string; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. 
- * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect: string; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key: string; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator: string; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds: number; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value: string; - } - - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect: string; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key: string; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. 
- * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator: string; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds: number; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value: string; - } - /** * The ingress based HTTP01 challenge solver will solve challenges by * creating or modifying Ingress resources in order to route requests for @@ -11883,7 +7270,7 @@ export namespace cert_manager { */ export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations: {[key: string]: string}; /** @@ -11900,7 +7287,7 @@ export namespace cert_manager { */ export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations: {[key: string]: string}; /** @@ -11939,8 +7326,6 @@ export namespace cert_manager { * If specified, the pod's priorityClassName. */ priorityClassName: string; - resources: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources; - securityContext: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext; /** * If specified, the pod's service account */ 
@@ -12405,6 +7790,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -12416,6 +7802,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; @@ -12616,6 +8003,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -12627,6 +8015,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; 
@@ -12666,6 +8055,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -12677,6 +8067,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; @@ -12882,6 +8273,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -12893,6 +8285,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; 
@@ -12924,8 +8317,8 @@ export namespace cert_manager { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; @@ -12952,8 +8345,8 @@ export namespace cert_manager { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; 
@@ -13007,6 +8400,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -13018,6 +8412,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; @@ -13218,6 +8613,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -13229,6 +8625,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; 
@@ -13268,6 +8665,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -13279,6 +8677,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; @@ -13484,6 +8883,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -13495,6 +8895,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; 
@@ -13525,7 +8926,9 @@ export namespace cert_manager { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name: string; } @@ -13540,7 +8943,9 @@ export namespace cert_manager { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name: string; } @@ -13566,8 +8971,6 @@ export namespace cert_manager { * If specified, the pod's priorityClassName. */ priorityClassName: string; - resources: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch; - securityContext: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch; /** * If specified, the pod's service account */ 
@@ -13578,328 +8981,6 @@ export namespace cert_manager { tolerations: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch[]; } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: {[key: string]: number | string}; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: {[key: string]: number | string}; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. 
- */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: {[key: string]: number | string}; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: {[key: string]: number | string}; - } - - /** - * If specified, the pod's security context - */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions; - seccompProfile: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. 
Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls[]; - } - - /** - * If specified, the pod's security context - */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. 
- * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch; - seccompProfile: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch[]; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. - */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. 
- */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type: string; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. 
- * Unconfined - no profile should be applied. - */ - type: string; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - /** * The pod this Toleration is attached to tolerates any taint that matches * the triple using the matching operator . @@ -13976,7 +9057,7 @@ export namespace cert_manager { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ export interface ClusterIssuerSpecAcmeSolversHttp01Patch { gatewayHTTPRoute: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch; @@ -14203,11 +9284,6 @@ export namespace cert_manager { * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". */ server: string; - /** - * ServerName is used to verify the hostname on the returned certificates - * by the Vault server. - */ - serverName: string; } /** 
@@ -14215,7 +9291,6 @@ export namespace cert_manager { */ export interface ClusterIssuerSpecVaultAuth { appRole: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRole; - clientCertificate: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthClientCertificate; kubernetes: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetes; tokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthTokenSecretRef; } 
@@ -14296,58 +9371,6 @@ export namespace cert_manager { name: string; } - /** - * ClientCertificate authenticates with Vault by presenting a client - * certificate during the request's TLS handshake. - * Works only when using HTTPS protocol. - */ - export interface ClusterIssuerSpecVaultAuthClientCertificate { - /** - * The Vault mountPath here is the mount path to use when authenticating with - * Vault. For example, setting a value to `/v1/auth/foo`, will use the path - * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - * default value "/v1/auth/cert" will be used. - */ - mountPath: string; - /** - * Name of the certificate role to authenticate against. - * If not set, matching any certificate role, if available. - */ - name: string; - /** - * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - * tls.crt and tls.key) used to authenticate to Vault using TLS client - * authentication. - */ - secretName: string; - } - - /** - * ClientCertificate authenticates with Vault by presenting a client - * certificate during the request's TLS handshake. - * Works only when using HTTPS protocol. - */ - export interface ClusterIssuerSpecVaultAuthClientCertificatePatch { - /** - * The Vault mountPath here is the mount path to use when authenticating with - * Vault. For example, setting a value to `/v1/auth/foo`, will use the path - * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - * default value "/v1/auth/cert" will be used. - */ - mountPath: string; - /** - * Name of the certificate role to authenticate against. - * If not set, matching any certificate role, if available. - */ - name: string; - /** - * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - * tls.crt and tls.key) used to authenticate to Vault using TLS client - * authentication. 
- */ - secretName: string; - } - /** * Kubernetes authenticates with Vault by passing the ServiceAccount * token stored in the named Secret resource to the Vault server. @@ -14471,7 +9494,6 @@ export namespace cert_manager { */ export interface ClusterIssuerSpecVaultAuthPatch { appRole: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRolePatch; - clientCertificate: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthClientCertificatePatch; kubernetes: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesPatch; tokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthTokenSecretRefPatch; } @@ -14658,11 +9680,6 @@ export namespace cert_manager { * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". */ server: string; - /** - * ServerName is used to verify the hostname on the returned certificates - * by the Vault server. - */ - serverName: string; } /** @@ -14689,7 +9706,7 @@ export namespace cert_manager { apiTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiCloudApiTokenSecretRef; /** * URL is the base URL for Venafi Cloud. - * Defaults to "https://api.venafi.cloud/". + * Defaults to "https://api.venafi.cloud/v1". */ url: string; } @@ -14736,7 +9753,7 @@ export namespace cert_manager { apiTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiCloudApiTokenSecretRefPatch; /** * URL is the base URL for Venafi Cloud. - * Defaults to "https://api.venafi.cloud/". + * Defaults to "https://api.venafi.cloud/v1". */ url: string; } @@ -14769,7 +9786,6 @@ export namespace cert_manager { * is used to validate the chain. */ caBundle: string; - caBundleSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCaBundleSecretRef; credentialsRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCredentialsRef; /** * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, 
@@ -14779,51 +9795,9 @@ export namespace cert_manager { } /** - * Reference to a Secret containing a base64-encoded bundle of PEM CAs - * which will be used to validate the certificate chain presented by the TPP server. - * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - * the cert-manager controller container is used to validate the TLS connection. - */ - export interface ClusterIssuerSpecVenafiTppCaBundleSecretRef { - /** - * The key of the entry in the Secret resource's `data` field to be used. - * Some instances of this field may be defaulted, in others it may be - * required. - */ - key: string; - /** - * Name of the resource being referred to. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - - /** - * Reference to a Secret containing a base64-encoded bundle of PEM CAs - * which will be used to validate the certificate chain presented by the TPP server. - * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - * the cert-manager controller container is used to validate the TLS connection. - */ - export interface ClusterIssuerSpecVenafiTppCaBundleSecretRefPatch { - /** - * The key of the entry in the Secret resource's `data` field to be used. - * Some instances of this field may be defaulted, in others it may be - * required. - */ - key: string; - /** - * Name of the resource being referred to. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - - /** - * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. - * The secret must contain the key 'access-token' for the Access Token Authentication, - * or two keys, 'username' and 'password' for the API Keys Authentication. 
+ * CredentialsRef is a reference to a Secret containing the username and + * password for the TPP server. + * The secret must contain two keys, 'username' and 'password'. */ export interface ClusterIssuerSpecVenafiTppCredentialsRef { /** @@ -14834,9 +9808,9 @@ export namespace cert_manager { } /** - * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. - * The secret must contain the key 'access-token' for the Access Token Authentication, - * or two keys, 'username' and 'password' for the API Keys Authentication. + * CredentialsRef is a reference to a Secret containing the username and + * password for the TPP server. + * The secret must contain two keys, 'username' and 'password'. */ export interface ClusterIssuerSpecVenafiTppCredentialsRefPatch { /** @@ -14858,7 +9832,6 @@ export namespace cert_manager { * is used to validate the chain. */ caBundle: string; - caBundleSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCaBundleSecretRefPatch; credentialsRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCredentialsRefPatch; /** * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, @@ -15093,7 +10066,7 @@ export namespace cert_manager { * PreferredChain is the chain to use if the ACME server outputs multiple. * PreferredChain is no guarantee that this one gets delivered by the ACME * endpoint. - * For example, for Let's Encrypt's DST cross-sign you would use: + * For example, for Let's Encrypt's DST crosssign you would use: * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. * This value picks the first certificate bundle in the combined set of * ACME default and alternative chains that has a root-most certificate with 
@@ -15101,11 +10074,6 @@ export namespace cert_manager { */ preferredChain: string; privateKeySecretRef: outputs.cert_manager.v1.IssuerSpecAcmePrivateKeySecretRef; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile: string; /** * Server is the URL used to access the ACME server's 'directory' endpoint. * For example, for Let's Encrypt's staging endpoint, you would use: @@ -15265,7 +10233,7 @@ export namespace cert_manager { * PreferredChain is the chain to use if the ACME server outputs multiple. * PreferredChain is no guarantee that this one gets delivered by the ACME * endpoint. - * For example, for Let's Encrypt's DST cross-sign you would use: + * For example, for Let's Encrypt's DST crosssign you would use: * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. * This value picks the first certificate bundle in the combined set of * ACME default and alternative chains that has a root-most certificate with @@ -15273,11 +10241,6 @@ export namespace cert_manager { */ preferredChain: string; privateKeySecretRef: outputs.cert_manager.v1.IssuerSpecAcmePrivateKeySecretRefPatch; - /** - * Profile allows requesting a certificate profile from the ACME server. - * Supported profiles are listed by the server's ACME directory URL. - */ - profile: string; /** * Server is the URL used to access the ACME server's 'directory' endpoint. * For example, for Let's Encrypt's staging endpoint, you would use: 
@@ -15644,18 +10607,14 @@ export namespace cert_manager { */ export interface IssuerSpecAcmeSolversDns01AzureDNSManagedIdentity { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID: string; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID: string; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID: string; } /** @@ -15665,18 +10624,14 @@ export namespace cert_manager { */ export interface IssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch { /** - * client ID of the managed identity, cannot be used at the same time as resourceID + * client ID of the managed identity, can not be used at the same time as resourceID */ clientID: string; /** - * resource ID of the managed identity, cannot be used at the same time as clientID + * resource ID of the managed identity, can not be used at the same time as clientID * Cannot be used for Azure Managed Service Identity */ resourceID: string; - /** - * tenant ID of the managed identity, cannot be used at the same time as resourceID - */ - tenantID: string; } /** @@ -15958,10 +10913,6 @@ export namespace cert_manager { * This field is required. */ nameserver: string; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol: string; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -15989,10 +10940,6 @@ export namespace cert_manager { * This field is required. */ nameserver: string; - /** - * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default). - */ - protocol: string; /** * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. 
@@ -16059,32 +11006,11 @@ export namespace cert_manager { accessKeyIDSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef; auth: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53Auth; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID: string; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). 
- * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. + * Always set the region when using AccessKeyID and SecretAccessKey */ region: string; /** 
@@ -16222,32 +11148,11 @@ export namespace cert_manager { accessKeyIDSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch; auth: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthPatch; /** - * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. + * If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. */ hostedZoneID: string; /** - * Override the AWS region. - * - * Route53 is a global service and does not have regional endpoints but the - * region specified here (or via environment variables) is used as a hint to - * help compute the correct AWS credential scope and partition when it - * connects to Route53. See: - * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) - * - * If you omit this region field, cert-manager will use the region from - * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set - * in the cert-manager controller Pod. - * - * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). - * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). - * In this case this `region` field value is ignored. - * - * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). 
- * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: - * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), - * In this case this `region` field value is ignored. + * Always set the region when using AccessKeyID and SecretAccessKey */ region: string; /** @@ -16308,7 +11213,7 @@ export namespace cert_manager { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -16324,7 +11229,7 @@ export namespace cert_manager { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName: string; } @@ -16339,7 +11244,7 @@ export namespace cert_manager { * when challenges are processed. * This can contain arbitrary JSON data. * Secret values should not be specified in this stanza. - * If secret values are needed (e.g., credentials for a DNS service), you + * If secret values are needed (e.g. credentials for a DNS service), you * should use a SecretKeySelector to reference a Secret resource. * For details on the schema of this field, consult the webhook provider * implementation's documentation. @@ -16355,7 +11260,7 @@ export namespace cert_manager { /** * The name of the solver to use, as defined in the webhook provider * implementation. - * This will typically be the name of the provider, e.g., 'cloudflare'. + * This will typically be the name of the provider, e.g. 'cloudflare'. */ solverName: string; } 
@@ -16364,7 +11269,7 @@ export namespace cert_manager { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ export interface IssuerSpecAcmeSolversHttp01 { gatewayHTTPRoute: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoute; @@ -16390,7 +11295,6 @@ export namespace cert_manager { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs[]; - podTemplate: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. @@ -16403,12 +11307,15 @@ export namespace cert_manager { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -16419,23 +11326,28 @@ export namespace cert_manager { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -16443,17 +11355,20 @@ export namespace cert_manager { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -16461,6 +11376,7 @@ export namespace cert_manager { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -16468,6 +11384,7 @@ export namespace cert_manager { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -16476,16 +11393,19 @@ export namespace cert_manager { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -16494,6 +11414,7 @@ export namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -16501,6 +11422,7 @@ export namespace cert_manager { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -16508,10 +11430,12 @@ export namespace cert_manager { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -16521,6 +11445,7 @@ export namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -16531,12 +11456,15 @@ export namespace cert_manager { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -16547,23 +11475,28 @@ export namespace cert_manager { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; 
@@ -16571,17 +11504,20 @@ export namespace cert_manager { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: * Gateway has the AllowedRoutes field, and ReferenceGrant provides a * generic way to enable any other kind of cross-namespace reference. * + * * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -16589,6 +11525,7 @@ export namespace cert_manager { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -16596,6 +11533,7 @@ export namespace cert_manager { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -16604,16 +11542,19 @@ export namespace cert_manager { * and SectionName are specified, the name and port of the selected listener * must match both specified values. * + * * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -16622,6 +11563,7 @@ export namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -16629,6 +11571,7 @@ export namespace cert_manager { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -16636,10 +11579,12 @@ export namespace cert_manager { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -16649,6 +11594,7 @@ export namespace cert_manager { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -16673,7 +11619,6 @@ export namespace cert_manager { * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways */ parentRefs: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch[]; - podTemplate: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch; /** * Optional service type for Kubernetes solver service. Supported values * are NodePort or ClusterIP. If unset, defaults to NodePort. 
@@ -16681,2112 +11626,6 @@ export namespace cert_manager { serviceType: string; } - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate { - metadata: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata; - spec: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec; - } - - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations: {[key: string]: string}; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels: {[key: string]: string}; - } - - /** - * ObjectMeta overrides for the pod used to solve HTTP01 challenges. - * Only the 'labels' and 'annotations' fields may be set. - * If labels or annotations overlap with in-built values, the values here - * will override the in-built values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch { - /** - * Annotations that should be added to the created ACME HTTP01 solver pods. - */ - annotations: {[key: string]: string}; - /** - * Labels that should be added to the created ACME HTTP01 solver pods. - */ - labels: {[key: string]: string}; - } - - /** - * Optional pod template used to configure the ACME challenge solver pods - * used for HTTP01 challenges. 
- */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch { - metadata: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch; - spec: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch; - } - - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec { - affinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets[]; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector: {[key: string]: string}; - /** - * If specified, the pod's priorityClassName. - */ - priorityClassName: string; - resources: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources; - securityContext: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext; - /** - * If specified, the pod's service account - */ - serviceAccountName: string; - /** - * If specified, the pod's tolerations. 
- */ - tolerations: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations[]; - } - - /** - * If specified, the pod's scheduling constraints - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity { - nodeAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity; - podAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity; - podAntiAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity; - } - - /** - * Describes node affinity scheduling rules for the pod. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution; - } - - /** - * Describes node affinity scheduling rules for the pod. 
- */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node matches the corresponding matchExpressions; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch; - } - - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution { - preference: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight: number; - } - - /** - * An empty preferred scheduling term matches all objects with implicit weight 0 - * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. 
is also a no-op). - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - preference: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch; - /** - * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - */ - weight: number; - } - - /** - * A node selector term, associated with the corresponding weight. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. 
- * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector term, associated with the corresponding weight. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[]; - } - - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. 
- * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution { - /** - * Required. A list of node selector terms. The terms are ORed. - */ - nodeSelectorTerms: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[]; - } - - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms { - /** - * A list of node selector requirements by node's labels. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. 
- * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 
- */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A node selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch { - /** - * The label key that the selector applies to. - */ - key: string; - /** - * Represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - */ - operator: string; - /** - * An array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. If the operator is Gt or Lt, the values - * array must have a single element, which will be interpreted as an integer. - * This array is replaced during a strategic merge patch. - */ - values: string[]; - } - - /** - * A null or empty node selector term matches no objects. The requirements of - * them are ANDed. - * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch { - /** - * A list of node selector requirements by node's labels. 
- */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[]; - /** - * A list of node selector requirements by node's fields. - */ - matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[]; - } - - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to an update), the system - * may or may not try to eventually evict the pod from its node. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - /** - * Required. A list of node selector terms. The terms are ORed. - */ - nodeSelectorTerms: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[]; - } - - /** - * If specified, the pod's scheduling constraints - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch { - nodeAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch; - podAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch; - podAntiAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch; - } - - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
- */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[]; - } - - /** - * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
- */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. - * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and adding - * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - /** - * If the affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[]; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight: number; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight: number; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". 
The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
- * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: {[key: string]: string}; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. 
- */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: {[key: string]: string}; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. 
- * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. 
- * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[]; - } - - /** - * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch { - /** - * The scheduler will prefer to schedule pods to nodes that satisfy - * the anti-affinity expressions specified by this field, but it may choose - * a node that violates one or more of the expressions. The node that is - * most preferred is the one with the greatest sum of weights, i.e. 
- * for each node that meets all of the scheduling requirements (resource - * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - * node(s) with the highest sum are the most preferred. - */ - preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; - /** - * If the anti-affinity requirements specified by this field are not met at - * scheduling time, the pod will not be scheduled onto the node. - * If the anti-affinity requirements specified by this field cease to be met - * at some point during pod execution (e.g. due to a pod label update), the - * system may or may not try to eventually evict the pod from its node. - * When there are multiple elements, the lists of nodes corresponding to each - * podAffinityTerm are intersected, i.e. all terms must be satisfied. - */ - requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[]; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution { - podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. 
- */ - weight: number; - } - - /** - * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch { - podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch; - /** - * weight associated with matching the corresponding podAffinityTerm, - * in the range 1-100. - */ - weight: number; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm { - labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * Required. A pod affinity term, associated with the corresponding weight. 
- */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch { - labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution { - labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. 
If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over a set of resources, in this case pods. - * If it's null, this PodAffinityTerm matches with no Pods. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: {[key: string]: string}; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. 
This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label query over the set of namespaces that the term applies to. - * The term is applied to the union of the namespaces selected by this field - * and the ones listed in the namespaces field. - * null selector and null or empty namespaces list means "this pod's namespace". - * An empty selector ({}) matches all namespaces. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * Defines a set of pods (namely those matching the labelSelector - * relative to the given namespace(s)) that this pod should be - * co-located (affinity) or not co-located (anti-affinity) with, - * where co-located is defined as running on a node whose value of - * the label with key matches that of any node on which - * a pod of the set of pods is running - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch { - labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch; - /** - * MatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both matchLabelKeys and labelSelector. - * Also, matchLabelKeys cannot be set when labelSelector isn't set. - */ - matchLabelKeys: string[]; - /** - * MismatchLabelKeys is a set of pod label keys to select which pods will - * be taken into consideration. 
The keys are used to lookup values from the - * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - * to select the group of existing pods which pods will be taken into consideration - * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - * pod labels will be ignored. The default value is empty. - * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - */ - mismatchLabelKeys: string[]; - namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; - /** - * namespaces specifies a static list of namespace names that the term applies to. - * The term is applied to the union of the namespaces listed in this field - * and the ones selected by namespaceSelector. - * null or empty namespaces list and null namespaceSelector means "this pod's namespace". - */ - namespaces: string[]; - /** - * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - * the labelSelector in the specified namespaces, where co-located is defined as running on a node - * whose value of the label with key topologyKey matches that of any node on which any of the - * selected pods is running. - * Empty topologyKey is not allowed. - */ - topologyKey: string; - } - - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. 
- * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - - /** - * LocalObjectReference contains enough information to let you locate the - * referenced object inside the same namespace. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch { - /** - * Name of the referent. - * This field is effectively required, but due to backwards compatibility is - * allowed to be empty. Instances of this type with an empty value here are - * almost certainly wrong. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - - /** - * PodSpec defines overrides for the HTTP01 challenge solver pod. - * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. - * All other fields will be ignored. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch { - affinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch; - /** - * If specified, the pod's imagePullSecrets - */ - imagePullSecrets: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch[]; - /** - * NodeSelector is a selector which must be true for the pod to fit on a node. - * Selector which must match a node's labels for the pod to be scheduled on that node. - * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - */ - nodeSelector: {[key: string]: string}; - /** - * If specified, the pod's priorityClassName. 
- */ - priorityClassName: string; - resources: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch; - securityContext: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch; - /** - * If specified, the pod's service account - */ - serviceAccountName: string; - /** - * If specified, the pod's tolerations. - */ - tolerations: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch[]; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: {[key: string]: number | string}; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: {[key: string]: number | string}; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. 
- * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: {[key: string]: number | string}; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: {[key: string]: number | string}; - } - - /** - * If specified, the pod's security context - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. 
This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - runAsUser: number; - seLinuxOptions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions; - seccompProfile: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls[]; - } - - /** - * If specified, the pod's security context - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - runAsUser: number; - seLinuxOptions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch; - seccompProfile: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch[]; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. 
- */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. - */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. 
- * Unconfined - no profile should be applied. - */ - type: string; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type: string; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. 
- */ - effect: string; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key: string; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. - */ - operator: string; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds: number; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value: string; - } - - /** - * The pod this Toleration is attached to tolerates any taint that matches - * the triple using the matching operator . - */ - export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch { - /** - * Effect indicates the taint effect to match. Empty means match all taint effects. - * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - */ - effect: string; - /** - * Key is the taint key that the toleration applies to. Empty means match all taint keys. - * If the key is empty, operator must be Exists; this combination means to match all values and all keys. - */ - key: string; - /** - * Operator represents a key's relationship to the value. - * Valid operators are Exists and Equal. Defaults to Equal. - * Exists is equivalent to wildcard for value, so that a pod can - * tolerate all taints of a particular category. 
- */ - operator: string; - /** - * TolerationSeconds represents the period of time the toleration (which must be - * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - * it is not set, which means tolerate the taint forever (do not evict). Zero and - * negative values will be treated as 0 (evict immediately) by the system. - */ - tolerationSeconds: number; - /** - * Value is the taint value the toleration matches to. - * If the operator is Exists, the value should be empty, otherwise just a regular string. - */ - value: string; - } - /** * The ingress based HTTP01 challenge solver will solve challenges by * creating or modifying Ingress resources in order to route requests for @@ -18932,7 +11771,7 @@ export namespace cert_manager { */ export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations: {[key: string]: string}; /** @@ -18949,7 +11788,7 @@ export namespace cert_manager { */ export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch { /** - * Annotations that should be added to the created ACME HTTP01 solver pods. + * Annotations that should be added to the create ACME HTTP01 solver pods. */ annotations: {[key: string]: string}; /** @@ -18988,8 +11827,6 @@ export namespace cert_manager { * If specified, the pod's priorityClassName. */ priorityClassName: string; - resources: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources; - securityContext: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext; /** * If specified, the pod's service account */ 
@@ -19454,6 +12291,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -19465,6 +12303,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; @@ -19665,6 +12504,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -19676,6 +12516,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; 
@@ -19715,6 +12556,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -19726,6 +12568,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; @@ -19931,6 +12774,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -19942,6 +12786,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; 
@@ -19973,8 +12818,8 @@ export namespace cert_manager { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[]; @@ -20001,8 +12846,8 @@ export namespace cert_manager { * most preferred is the one with the greatest sum of weights, i.e. * for each node that meets all of the scheduling requirements (resource * request, requiredDuringScheduling anti-affinity expressions, etc.), - * compute a sum by iterating through the elements of this field and subtracting - * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + * compute a sum by iterating through the elements of this field and adding + * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the * node(s) with the highest sum are the most preferred. */ preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[]; 
@@ -20056,6 +12901,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -20067,6 +12913,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector; @@ -20267,6 +13114,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -20278,6 +13126,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch; 
@@ -20317,6 +13166,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -20328,6 +13178,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector; @@ -20533,6 +13384,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both matchLabelKeys and labelSelector. * Also, matchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ matchLabelKeys: string[]; /** @@ -20544,6 +13396,7 @@ export namespace cert_manager { * pod labels will be ignored. The default value is empty. * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. * Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + * This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. */ mismatchLabelKeys: string[]; namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch; 
@@ -20574,7 +13427,9 @@ export namespace cert_manager { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name: string; } @@ -20589,7 +13444,9 @@ export namespace cert_manager { * This field is effectively required, but due to backwards compatibility is * allowed to be empty. Instances of this type with an empty value here are * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name: string; } @@ -20615,8 +13472,6 @@ export namespace cert_manager { * If specified, the pod's priorityClassName. */ priorityClassName: string; - resources: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch; - securityContext: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch; /** * If specified, the pod's service account */ 
@@ -20627,328 +13482,6 @@ export namespace cert_manager { tolerations: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch[]; } - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. - */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: {[key: string]: number | string}; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: {[key: string]: number | string}; - } - - /** - * If specified, the pod's resource requirements. - * These values override the global resource configuration flags. - * Note that when only specifying resource limits, ensure they are greater than or equal - * to the corresponding global resource requests configured via controller flags - * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). - * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures. 
- */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch { - /** - * Limits describes the maximum amount of compute resources allowed. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - limits: {[key: string]: number | string}; - /** - * Requests describes the minimum amount of compute resources required. - * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - * otherwise to the global values configured via controller flags. Requests cannot exceed Limits. - * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - */ - requests: {[key: string]: number | string}; - } - - /** - * If specified, the pod's security context - */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions; - seccompProfile: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. 
Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. - */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls[]; - } - - /** - * If specified, the pod's security context - */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch { - /** - * A special supplemental group that applies to all containers in a pod. - * Some volume types allow the Kubelet to change the ownership of that volume - * to be owned by the pod: - * - * 1. The owning GID will be the FSGroup - * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - * 3. The permission bits are OR'd with rw-rw---- - * - * If unset, the Kubelet will not modify the ownership and permissions of any volume. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroup: number; - /** - * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - * before being exposed inside Pod. This field will only apply to - * volume types which support fsGroup based ownership(and permissions). - * It will have no effect on ephemeral volume types such as: secret, configmaps - * and emptydir. - * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - * Note that this field cannot be set when spec.os.name is windows. - */ - fsGroupChangePolicy: string; - /** - * The GID to run the entrypoint of the container process. - * Uses runtime default if unset. - * May also be set in SecurityContext. 
If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsGroup: number; - /** - * Indicates that the container must run as a non-root user. - * If true, the Kubelet will validate the image at runtime to ensure that it - * does not run as UID 0 (root) and fail to start the container if it does. - * If unset or false, no such validation will be performed. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence. - */ - runAsNonRoot: boolean; - /** - * The UID to run the entrypoint of the container process. - * Defaults to user specified in image metadata if unspecified. - * May also be set in SecurityContext. If set in both SecurityContext and - * PodSecurityContext, the value specified in SecurityContext takes precedence - * for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - runAsUser: number; - seLinuxOptions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch; - seccompProfile: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch; - /** - * A list of groups applied to the first process run in each container, in addition - * to the container's primary GID, the fsGroup (if specified), and group memberships - * defined in the container image for the uid of the container process. If unspecified, - * no additional groups are added to any container. Note that group memberships - * defined in the container image for the uid of the container process are still effective, - * even if they are not included in this list. - * Note that this field cannot be set when spec.os.name is windows. 
- */ - supplementalGroups: number[]; - /** - * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - * sysctls (by the container runtime) might fail to launch. - * Note that this field cannot be set when spec.os.name is windows. - */ - sysctls: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch[]; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. - */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - - /** - * The SELinux context to be applied to all containers. - * If unspecified, the container runtime will allocate a random SELinux context for each - * container. May also be set in SecurityContext. If set in - * both SecurityContext and PodSecurityContext, the value specified in SecurityContext - * takes precedence for that container. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch { - /** - * Level is SELinux level label that applies to the container. - */ - level: string; - /** - * Role is a SELinux role label that applies to the container. 
- */ - role: string; - /** - * Type is a SELinux type label that applies to the container. - */ - type: string; - /** - * User is a SELinux user label that applies to the container. - */ - user: string; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. - * Unconfined - no profile should be applied. - */ - type: string; - } - - /** - * The seccomp options to use by the containers in this pod. - * Note that this field cannot be set when spec.os.name is windows. - */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch { - /** - * localhostProfile indicates a profile defined in a file on the node should be used. - * The profile must be preconfigured on the node to work. - * Must be a descending path, relative to the kubelet's configured seccomp profile location. - * Must be set if type is "Localhost". Must NOT be set for any other type. - */ - localhostProfile: string; - /** - * type indicates which kind of seccomp profile will be applied. - * Valid options are: - * - * Localhost - a profile defined in a file on the node should be used. - * RuntimeDefault - the container runtime default profile should be used. 
- * Unconfined - no profile should be applied. - */ - type: string; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - - /** - * Sysctl defines a kernel parameter to be set - */ - export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch { - /** - * Name of a property to set - */ - name: string; - /** - * Value of a property to set - */ - value: string; - } - /** * The pod this Toleration is attached to tolerates any taint that matches * the triple using the matching operator . @@ -21025,7 +13558,7 @@ export namespace cert_manager { * Configures cert-manager to attempt to complete authorizations by * performing the HTTP01 challenge flow. * It is not possible to obtain certificates for wildcard domain names - * (e.g., `*.example.com`) using the HTTP01 challenge mechanism. + * (e.g. `*.example.com`) using the HTTP01 challenge mechanism. */ export interface IssuerSpecAcmeSolversHttp01Patch { gatewayHTTPRoute: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch; @@ -21252,11 +13785,6 @@ export namespace cert_manager { * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". */ server: string; - /** - * ServerName is used to verify the hostname on the returned certificates - * by the Vault server. - */ - serverName: string; } /** @@ -21264,7 +13792,6 @@ export namespace cert_manager { */ export interface IssuerSpecVaultAuth { appRole: outputs.cert_manager.v1.IssuerSpecVaultAuthAppRole; - clientCertificate: outputs.cert_manager.v1.IssuerSpecVaultAuthClientCertificate; kubernetes: outputs.cert_manager.v1.IssuerSpecVaultAuthKubernetes; tokenSecretRef: outputs.cert_manager.v1.IssuerSpecVaultAuthTokenSecretRef; } 
@@ -21345,58 +13872,6 @@ export namespace cert_manager { name: string; } - /** - * ClientCertificate authenticates with Vault by presenting a client - * certificate during the request's TLS handshake. - * Works only when using HTTPS protocol. - */ - export interface IssuerSpecVaultAuthClientCertificate { - /** - * The Vault mountPath here is the mount path to use when authenticating with - * Vault. For example, setting a value to `/v1/auth/foo`, will use the path - * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - * default value "/v1/auth/cert" will be used. - */ - mountPath: string; - /** - * Name of the certificate role to authenticate against. - * If not set, matching any certificate role, if available. - */ - name: string; - /** - * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - * tls.crt and tls.key) used to authenticate to Vault using TLS client - * authentication. - */ - secretName: string; - } - - /** - * ClientCertificate authenticates with Vault by presenting a client - * certificate during the request's TLS handshake. - * Works only when using HTTPS protocol. - */ - export interface IssuerSpecVaultAuthClientCertificatePatch { - /** - * The Vault mountPath here is the mount path to use when authenticating with - * Vault. For example, setting a value to `/v1/auth/foo`, will use the path - * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the - * default value "/v1/auth/cert" will be used. - */ - mountPath: string; - /** - * Name of the certificate role to authenticate against. - * If not set, matching any certificate role, if available. - */ - name: string; - /** - * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing - * tls.crt and tls.key) used to authenticate to Vault using TLS client - * authentication. 
- */ - secretName: string; - } - /** * Kubernetes authenticates with Vault by passing the ServiceAccount * token stored in the named Secret resource to the Vault server. @@ -21520,7 +13995,6 @@ export namespace cert_manager { */ export interface IssuerSpecVaultAuthPatch { appRole: outputs.cert_manager.v1.IssuerSpecVaultAuthAppRolePatch; - clientCertificate: outputs.cert_manager.v1.IssuerSpecVaultAuthClientCertificatePatch; kubernetes: outputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesPatch; tokenSecretRef: outputs.cert_manager.v1.IssuerSpecVaultAuthTokenSecretRefPatch; } @@ -21707,11 +14181,6 @@ export namespace cert_manager { * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". */ server: string; - /** - * ServerName is used to verify the hostname on the returned certificates - * by the Vault server. - */ - serverName: string; } /** @@ -21738,7 +14207,7 @@ export namespace cert_manager { apiTokenSecretRef: outputs.cert_manager.v1.IssuerSpecVenafiCloudApiTokenSecretRef; /** * URL is the base URL for Venafi Cloud. - * Defaults to "https://api.venafi.cloud/". + * Defaults to "https://api.venafi.cloud/v1". */ url: string; } @@ -21785,7 +14254,7 @@ export namespace cert_manager { apiTokenSecretRef: outputs.cert_manager.v1.IssuerSpecVenafiCloudApiTokenSecretRefPatch; /** * URL is the base URL for Venafi Cloud. - * Defaults to "https://api.venafi.cloud/". + * Defaults to "https://api.venafi.cloud/v1". */ url: string; } @@ -21818,7 +14287,6 @@ export namespace cert_manager { * is used to validate the chain. */ caBundle: string; - caBundleSecretRef: outputs.cert_manager.v1.IssuerSpecVenafiTppCaBundleSecretRef; credentialsRef: outputs.cert_manager.v1.IssuerSpecVenafiTppCredentialsRef; /** * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, 
@@ -21828,51 +14296,9 @@ export namespace cert_manager { } /** - * Reference to a Secret containing a base64-encoded bundle of PEM CAs - * which will be used to validate the certificate chain presented by the TPP server. - * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - * the cert-manager controller container is used to validate the TLS connection. - */ - export interface IssuerSpecVenafiTppCaBundleSecretRef { - /** - * The key of the entry in the Secret resource's `data` field to be used. - * Some instances of this field may be defaulted, in others it may be - * required. - */ - key: string; - /** - * Name of the resource being referred to. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - - /** - * Reference to a Secret containing a base64-encoded bundle of PEM CAs - * which will be used to validate the certificate chain presented by the TPP server. - * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. - * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in - * the cert-manager controller container is used to validate the TLS connection. - */ - export interface IssuerSpecVenafiTppCaBundleSecretRefPatch { - /** - * The key of the entry in the Secret resource's `data` field to be used. - * Some instances of this field may be defaulted, in others it may be - * required. - */ - key: string; - /** - * Name of the resource being referred to. - * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - */ - name: string; - } - - /** - * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. - * The secret must contain the key 'access-token' for the Access Token Authentication, - * or two keys, 'username' and 'password' for the API Keys Authentication. 
+ * CredentialsRef is a reference to a Secret containing the username and + * password for the TPP server. + * The secret must contain two keys, 'username' and 'password'. */ export interface IssuerSpecVenafiTppCredentialsRef { /** @@ -21883,9 +14309,9 @@ export namespace cert_manager { } /** - * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. - * The secret must contain the key 'access-token' for the Access Token Authentication, - * or two keys, 'username' and 'password' for the API Keys Authentication. + * CredentialsRef is a reference to a Secret containing the username and + * password for the TPP server. + * The secret must contain two keys, 'username' and 'password'. */ export interface IssuerSpecVenafiTppCredentialsRefPatch { /** @@ -21907,7 +14333,6 @@ export namespace cert_manager { * is used to validate the chain. */ caBundle: string; - caBundleSecretRef: outputs.cert_manager.v1.IssuerSpecVenafiTppCaBundleSecretRefPatch; credentialsRef: outputs.cert_manager.v1.IssuerSpecVenafiTppCredentialsRefPatch; /** * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, 
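Review bot: The new doc comment on `IssuerSpecVenafiTppCredentialsRef` names only the 'username' and 'password' keys (the 'access-token' option is gone), and this hunk also removes `IssuerSpecVenafiTppCaBundleSecretRef`; the earlier hunks at -21252, -21264 and -20615 likewise drop Vault `serverName`, Vault `clientCertificate` auth, and the `securityContext`/`resources` members of the HTTP01 solver pod template spec. Taken together these read like output generated from an older cert-manager CRD than the previous run (an inference from the removed fields and reverted doc text, not something the diff states), which would remove typed access to TLS-verification and pod-hardening settings. Since this looks like crd2pulumi output, it should not be edited by hand: confirm that the CRD version fed to the generator is the intended one and regenerate if it is not. The `IssuerSpecVenafiTppCredentialsRef` interface body continues outside the hunk.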
@@ -22069,1021 +14494,20 @@ export namespace cert_manager { export namespace gateway { export namespace v1 { - /** - * BackendTLSPolicy provides a way to configure how a Gateway - * connects to a Backend via TLS. - */ - export interface BackendTLSPolicy { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion: "gateway.networking.k8s.io/v1"; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind: "BackendTLSPolicy"; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata: outputs.meta.v1.ObjectMeta; - spec: outputs.gateway.v1.BackendTLSPolicySpec; - status: outputs.gateway.v1.BackendTLSPolicyStatus; - } - - /** - * Spec defines the desired state of BackendTLSPolicy. - */ - export interface BackendTLSPolicySpec { - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options: {[key: string]: string}; - /** - * TargetRefs identifies an API object to apply the policy to. 
- * Only Services have Extended support. Implementations MAY support - * additional objects, with Implementation Specific support. - * Note that this config applies to the entire referenced resource - * by default, but this default may change in the future to provide - * a more granular application of the policy. - * - * TargetRefs must be _distinct_. This means either that: - * - * * They select different targets. If this is the case, then targetRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, and `name` must - * be unique across all targetRef entries in the BackendTLSPolicy. - * * They select different sectionNames in the same target. - * - * When more than one BackendTLSPolicy selects the same target and - * sectionName, implementations MUST determine precedence using the - * following criteria, continuing on ties: - * - * * The older policy by creation timestamp takes precedence. For - * example, a policy with a creation timestamp of "2021-07-15 - * 01:02:03" MUST be given precedence over a policy with a - * creation timestamp of "2021-07-15 01:02:04". - * * The policy appearing first in alphabetical order by {name}. - * For example, a policy named `bar` is given precedence over a - * policy named `baz`. - * - * For any BackendTLSPolicy that does not take precedence, the - * implementation MUST ensure the `Accepted` Condition is set to - * `status: False`, with Reason `Conflicted`. - * - * Support: Extended for Kubernetes Service - * - * Support: Implementation-specific for any other resource - */ - targetRefs: outputs.gateway.v1.BackendTLSPolicySpecTargetRefs[]; - validation: outputs.gateway.v1.BackendTLSPolicySpecValidation; - } - - /** - * Spec defines the desired state of BackendTLSPolicy. - */ - export interface BackendTLSPolicySpecPatch { - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. 
For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options: {[key: string]: string}; - /** - * TargetRefs identifies an API object to apply the policy to. - * Only Services have Extended support. Implementations MAY support - * additional objects, with Implementation Specific support. - * Note that this config applies to the entire referenced resource - * by default, but this default may change in the future to provide - * a more granular application of the policy. - * - * TargetRefs must be _distinct_. This means either that: - * - * * They select different targets. If this is the case, then targetRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, and `name` must - * be unique across all targetRef entries in the BackendTLSPolicy. - * * They select different sectionNames in the same target. - * - * When more than one BackendTLSPolicy selects the same target and - * sectionName, implementations MUST determine precedence using the - * following criteria, continuing on ties: - * - * * The older policy by creation timestamp takes precedence. For - * example, a policy with a creation timestamp of "2021-07-15 - * 01:02:03" MUST be given precedence over a policy with a - * creation timestamp of "2021-07-15 01:02:04". - * * The policy appearing first in alphabetical order by {name}. - * For example, a policy named `bar` is given precedence over a - * policy named `baz`. - * - * For any BackendTLSPolicy that does not take precedence, the - * implementation MUST ensure the `Accepted` Condition is set to - * `status: False`, with Reason `Conflicted`. 
- * - * Support: Extended for Kubernetes Service - * - * Support: Implementation-specific for any other resource - */ - targetRefs: outputs.gateway.v1.BackendTLSPolicySpecTargetRefsPatch[]; - validation: outputs.gateway.v1.BackendTLSPolicySpecValidationPatch; - } - - /** - * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a - * direct policy to. This should be used as part of Policy resources that can - * target single resources. For more information on how this policy attachment - * mode works, and a sample Policy resource, refer to the policy attachment - * documentation for Gateway API. - * - * Note: This should only be used for direct policy attachment when references - * to SectionName are actually needed. In all other cases, - * LocalPolicyTargetReference should be used. - */ - export interface BackendTLSPolicySpecTargetRefs { - /** - * Group is the group of the target resource. - */ - group: string; - /** - * Kind is kind of the target resource. - */ - kind: string; - /** - * Name is the name of the target resource. - */ - name: string; - /** - * SectionName is the name of a section within the target resource. When - * unspecified, this targetRef targets the entire resource. In the following - * resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name - * * HTTPRoute: HTTPRouteRule name - * * Service: Port name - * - * If a SectionName is specified, but does not exist on the targeted object, - * the Policy must fail to attach, and the policy implementation should record - * a `ResolvedRefs` or similar Condition in the Policy's status. - */ - sectionName: string; - } - - /** - * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a - * direct policy to. This should be used as part of Policy resources that can - * target single resources. 
For more information on how this policy attachment - * mode works, and a sample Policy resource, refer to the policy attachment - * documentation for Gateway API. - * - * Note: This should only be used for direct policy attachment when references - * to SectionName are actually needed. In all other cases, - * LocalPolicyTargetReference should be used. - */ - export interface BackendTLSPolicySpecTargetRefsPatch { - /** - * Group is the group of the target resource. - */ - group: string; - /** - * Kind is kind of the target resource. - */ - kind: string; - /** - * Name is the name of the target resource. - */ - name: string; - /** - * SectionName is the name of a section within the target resource. When - * unspecified, this targetRef targets the entire resource. In the following - * resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name - * * HTTPRoute: HTTPRouteRule name - * * Service: Port name - * - * If a SectionName is specified, but does not exist on the targeted object, - * the Policy must fail to attach, and the policy implementation should record - * a `ResolvedRefs` or similar Condition in the Policy's status. - */ - sectionName: string; - } - - /** - * Validation contains backend TLS validation configuration. - */ - export interface BackendTLSPolicySpecValidation { - /** - * CACertificateRefs contains one or more references to Kubernetes objects that - * contain a PEM-encoded TLS CA certificate bundle, which is used to - * validate a TLS handshake between the Gateway and backend Pod. - * - * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be - * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - * not both. If CACertificateRefs is empty or unspecified, the configuration for - * WellKnownCACertificates MUST be honored instead if supported by the implementation. 
- * - * A CACertificateRef is invalid if: - * - * * It refers to a resource that cannot be resolved (e.g., the referenced resource - * does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - * named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` - * and the Message of the Condition must indicate which reference is invalid and why. - * - * * It refers to an unknown or unsupported kind of resource. In this case, the Reason - * must be set to `InvalidKind` and the Message of the Condition must explain which - * kind of resource is unknown or unsupported. - * - * * It refers to a resource in another namespace. This may change in future - * spec updates. - * - * Implementations MAY choose to perform further validation of the certificate - * content (e.g., checking expiry or enforcing specific formats). In such cases, - * an implementation-specific Reason and Message must be set for the invalid reference. - * - * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - * the BackendTLSPolicy is set to `status: False`, with a Reason and Message - * that indicate the cause of the error. Connections using an invalid - * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - * response. If ALL CACertificateRefs are invalid, the implementation MUST also - * ensure the `Accepted` Condition on the BackendTLSPolicy is set to - * `status: False`, with a Reason `NoValidCACertificate`. - * - * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. - * Implementations MAY choose to support attaching multiple certificates to - * a backend, but this behavior is implementation-specific. - * - * Support: Core - An optional single reference to a Kubernetes ConfigMap, - * with the CA certificate in a key named `ca.crt`. 
- * - * Support: Implementation-specific - More than one reference, other kinds - * of resources, or a single reference that includes multiple certificates. - */ - caCertificateRefs: outputs.gateway.v1.BackendTLSPolicySpecValidationCaCertificateRefs[]; - /** - * Hostname is used for two purposes in the connection between Gateways and - * backends: - * - * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). - * 2. Hostname MUST be used for authentication and MUST match the certificate - * served by the matching backend, unless SubjectAltNames is specified. - * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - * but MUST NOT be used for authentication. If you want to use the value - * of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. - * - * Support: Core - */ - hostname: string; - /** - * SubjectAltNames contains one or more Subject Alternative Names. - * When specified the certificate served from the backend MUST - * have at least one Subject Alternate Name matching one of the specified SubjectAltNames. - * - * Support: Extended - */ - subjectAltNames: outputs.gateway.v1.BackendTLSPolicySpecValidationSubjectAltNames[]; - /** - * WellKnownCACertificates specifies whether system CA certificates may be used in - * the TLS handshake between the gateway and backend pod. - * - * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs - * must be specified with at least one entry for a valid configuration. Only one of - * CACertificateRefs or WellKnownCACertificates may be specified, not both. - * If an implementation does not support the WellKnownCACertificates field, or - * the supplied value is not recognized, the implementation MUST ensure the - * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - * a Reason `Invalid`. 
- * - * Support: Implementation-specific - */ - wellKnownCACertificates: string; - } - - /** - * LocalObjectReference identifies an API object within the namespace of the - * referrer. - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface BackendTLSPolicySpecValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "HTTPRoute" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - } - - /** - * LocalObjectReference identifies an API object within the namespace of the - * referrer. - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface BackendTLSPolicySpecValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "HTTPRoute" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - } - - /** - * Validation contains backend TLS validation configuration. 
- */ - export interface BackendTLSPolicySpecValidationPatch { - /** - * CACertificateRefs contains one or more references to Kubernetes objects that - * contain a PEM-encoded TLS CA certificate bundle, which is used to - * validate a TLS handshake between the Gateway and backend Pod. - * - * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be - * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - * not both. If CACertificateRefs is empty or unspecified, the configuration for - * WellKnownCACertificates MUST be honored instead if supported by the implementation. - * - * A CACertificateRef is invalid if: - * - * * It refers to a resource that cannot be resolved (e.g., the referenced resource - * does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - * named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` - * and the Message of the Condition must indicate which reference is invalid and why. - * - * * It refers to an unknown or unsupported kind of resource. In this case, the Reason - * must be set to `InvalidKind` and the Message of the Condition must explain which - * kind of resource is unknown or unsupported. - * - * * It refers to a resource in another namespace. This may change in future - * spec updates. - * - * Implementations MAY choose to perform further validation of the certificate - * content (e.g., checking expiry or enforcing specific formats). In such cases, - * an implementation-specific Reason and Message must be set for the invalid reference. - * - * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - * the BackendTLSPolicy is set to `status: False`, with a Reason and Message - * that indicate the cause of the error. Connections using an invalid - * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - * response. 
If ALL CACertificateRefs are invalid, the implementation MUST also - * ensure the `Accepted` Condition on the BackendTLSPolicy is set to - * `status: False`, with a Reason `NoValidCACertificate`. - * - * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. - * Implementations MAY choose to support attaching multiple certificates to - * a backend, but this behavior is implementation-specific. - * - * Support: Core - An optional single reference to a Kubernetes ConfigMap, - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific - More than one reference, other kinds - * of resources, or a single reference that includes multiple certificates. - */ - caCertificateRefs: outputs.gateway.v1.BackendTLSPolicySpecValidationCaCertificateRefsPatch[]; - /** - * Hostname is used for two purposes in the connection between Gateways and - * backends: - * - * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). - * 2. Hostname MUST be used for authentication and MUST match the certificate - * served by the matching backend, unless SubjectAltNames is specified. - * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - * but MUST NOT be used for authentication. If you want to use the value - * of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. - * - * Support: Core - */ - hostname: string; - /** - * SubjectAltNames contains one or more Subject Alternative Names. - * When specified the certificate served from the backend MUST - * have at least one Subject Alternate Name matching one of the specified SubjectAltNames. - * - * Support: Extended - */ - subjectAltNames: outputs.gateway.v1.BackendTLSPolicySpecValidationSubjectAltNamesPatch[]; - /** - * WellKnownCACertificates specifies whether system CA certificates may be used in - * the TLS handshake between the gateway and backend pod. 
- * - * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs - * must be specified with at least one entry for a valid configuration. Only one of - * CACertificateRefs or WellKnownCACertificates may be specified, not both. - * If an implementation does not support the WellKnownCACertificates field, or - * the supplied value is not recognized, the implementation MUST ensure the - * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - * a Reason `Invalid`. - * - * Support: Implementation-specific - */ - wellKnownCACertificates: string; - } - - /** - * SubjectAltName represents Subject Alternative Name. - */ - export interface BackendTLSPolicySpecValidationSubjectAltNames { - /** - * Hostname contains Subject Alternative Name specified in DNS name format. - * Required when Type is set to Hostname, ignored otherwise. - * - * Support: Core - */ - hostname: string; - /** - * Type determines the format of the Subject Alternative Name. Always required. - * - * Support: Core - */ - type: string; - /** - * URI contains Subject Alternative Name specified in a full URI format. - * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - * Required when Type is set to URI, ignored otherwise. - * - * Support: Core - */ - uri: string; - } - - /** - * SubjectAltName represents Subject Alternative Name. - */ - export interface BackendTLSPolicySpecValidationSubjectAltNamesPatch { - /** - * Hostname contains Subject Alternative Name specified in DNS name format. - * Required when Type is set to Hostname, ignored otherwise. - * - * Support: Core - */ - hostname: string; - /** - * Type determines the format of the Subject Alternative Name. Always required. - * - * Support: Core - */ - type: string; - /** - * URI contains Subject Alternative Name specified in a full URI format. 
- * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - * Required when Type is set to URI, ignored otherwise. - * - * Support: Core - */ - uri: string; - } - - /** - * Status defines the current state of BackendTLSPolicy. - */ - export interface BackendTLSPolicyStatus { - /** - * Ancestors is a list of ancestor resources (usually Gateways) that are - * associated with the policy, and the status of the policy with respect to - * each ancestor. When this policy attaches to a parent, the controller that - * manages the parent and the ancestors MUST add an entry to this list when - * the controller first sees the policy and SHOULD update the entry as - * appropriate when the relevant ancestor is modified. - * - * Note that choosing the relevant ancestor is left to the Policy designers; - * an important part of Policy design is designing the right object level at - * which to namespace this status. - * - * Note also that implementations MUST ONLY populate ancestor status for - * the Ancestor resources they are responsible for. Implementations MUST - * use the ControllerName field to uniquely identify the entries in this list - * that they are responsible for. - * - * Note that to achieve this, the list of PolicyAncestorStatus structs - * MUST be treated as a map with a composite key, made up of the AncestorRef - * and ControllerName fields combined. - * - * A maximum of 16 ancestors will be represented in this list. An empty list - * means the Policy is not relevant for any ancestors. - * - * If this slice is full, implementations MUST NOT add further entries. - * Instead they MUST consider the policy unimplementable and signal that - * on any related resources such as the ancestor that would be referenced - * here. 
For example, if this list was full on BackendTLSPolicy, no - * additional Gateways would be able to reference the Service targeted by - * the BackendTLSPolicy. - */ - ancestors: outputs.gateway.v1.BackendTLSPolicyStatusAncestors[]; - } - - /** - * PolicyAncestorStatus describes the status of a route with respect to an - * associated Ancestor. - * - * Ancestors refer to objects that are either the Target of a policy or above it - * in terms of object hierarchy. For example, if a policy targets a Service, the - * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most - * useful object to place Policy status on, so we recommend that implementations - * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - * have a _very_ good reason otherwise. - * - * In the context of policy attachment, the Ancestor is used to distinguish which - * resource results in a distinct application of this policy. For example, if a policy - * targets a Service, it may have a distinct result per attached Gateway. - * - * Policies targeting the same resource may have different effects depending on the - * ancestors of those resources. For example, different Gateways targeting the same - * Service may have different capabilities, especially if they have different underlying - * implementations. - * - * For example, in BackendTLSPolicy, the Policy attaches to a Service that is - * used as a backend in a HTTPRoute that is itself attached to a Gateway. - * In this case, the relevant object for status is the Gateway, and that is the - * ancestor object referred to in this status. - * - * Note that a parent is also an ancestor, so for objects where the parent is the - * relevant object for status, this struct SHOULD still be used. 
- * - * This struct is intended to be used in a slice that's effectively a map, - * with a composite key made up of the AncestorRef and the ControllerName. - */ - export interface BackendTLSPolicyStatusAncestors { - ancestorRef: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsAncestorRef; - /** - * Conditions describes the status of the Policy with respect to the given Ancestor. - */ - conditions: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsConditions[]; - /** - * ControllerName is a domain/path string that indicates the name of the - * controller that wrote this status. This corresponds with the - * controllerName field on GatewayClass. - * - * Example: "example.net/gateway-controller". - * - * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - * valid Kubernetes names - * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - * - * Controllers MUST populate this field when writing status. Controllers should ensure that - * entries to status populated with their ControllerName are cleaned up when they are no - * longer necessary. - */ - controllerName: string; - } - - /** - * AncestorRef corresponds with a ParentRef in the spec that this - * PolicyAncestorStatus struct describes the status of. - */ - export interface BackendTLSPolicyStatusAncestorsAncestorRef { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group: string; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind: string; - /** - * Name is the name of the referent. 
- * - * Support: Core - */ - name: string; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace: string; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. 
- * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. - * - * Support: Extended - */ - port: number; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. 
If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName: string; - } - - /** - * AncestorRef corresponds with a ParentRef in the spec that this - * PolicyAncestorStatus struct describes the status of. - */ - export interface BackendTLSPolicyStatusAncestorsAncestorRefPatch { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group: string; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind: string; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name: string; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. 
- * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace: string; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. 
- * - * Support: Extended - */ - port: number; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName: string; - } - - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - export interface BackendTLSPolicyStatusAncestorsConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. 
- */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - export interface BackendTLSPolicyStatusAncestorsConditionsPatch { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - - /** - * PolicyAncestorStatus describes the status of a route with respect to an - * associated Ancestor. - * - * Ancestors refer to objects that are either the Target of a policy or above it - * in terms of object hierarchy. For example, if a policy targets a Service, the - * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most - * useful object to place Policy status on, so we recommend that implementations - * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - * have a _very_ good reason otherwise. - * - * In the context of policy attachment, the Ancestor is used to distinguish which - * resource results in a distinct application of this policy. For example, if a policy - * targets a Service, it may have a distinct result per attached Gateway. - * - * Policies targeting the same resource may have different effects depending on the - * ancestors of those resources. For example, different Gateways targeting the same - * Service may have different capabilities, especially if they have different underlying - * implementations. - * - * For example, in BackendTLSPolicy, the Policy attaches to a Service that is - * used as a backend in a HTTPRoute that is itself attached to a Gateway. - * In this case, the relevant object for status is the Gateway, and that is the - * ancestor object referred to in this status. 
- * - * Note that a parent is also an ancestor, so for objects where the parent is the - * relevant object for status, this struct SHOULD still be used. - * - * This struct is intended to be used in a slice that's effectively a map, - * with a composite key made up of the AncestorRef and the ControllerName. - */ - export interface BackendTLSPolicyStatusAncestorsPatch { - ancestorRef: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsAncestorRefPatch; - /** - * Conditions describes the status of the Policy with respect to the given Ancestor. - */ - conditions: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsConditionsPatch[]; - /** - * ControllerName is a domain/path string that indicates the name of the - * controller that wrote this status. This corresponds with the - * controllerName field on GatewayClass. - * - * Example: "example.net/gateway-controller". - * - * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - * valid Kubernetes names - * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - * - * Controllers MUST populate this field when writing status. Controllers should ensure that - * entries to status populated with their ControllerName are cleaned up when they are no - * longer necessary. - */ - controllerName: string; - } - - /** - * Status defines the current state of BackendTLSPolicy. - */ - export interface BackendTLSPolicyStatusPatch { - /** - * Ancestors is a list of ancestor resources (usually Gateways) that are - * associated with the policy, and the status of the policy with respect to - * each ancestor. When this policy attaches to a parent, the controller that - * manages the parent and the ancestors MUST add an entry to this list when - * the controller first sees the policy and SHOULD update the entry as - * appropriate when the relevant ancestor is modified. 
- * - * Note that choosing the relevant ancestor is left to the Policy designers; - * an important part of Policy design is designing the right object level at - * which to namespace this status. - * - * Note also that implementations MUST ONLY populate ancestor status for - * the Ancestor resources they are responsible for. Implementations MUST - * use the ControllerName field to uniquely identify the entries in this list - * that they are responsible for. - * - * Note that to achieve this, the list of PolicyAncestorStatus structs - * MUST be treated as a map with a composite key, made up of the AncestorRef - * and ControllerName fields combined. - * - * A maximum of 16 ancestors will be represented in this list. An empty list - * means the Policy is not relevant for any ancestors. - * - * If this slice is full, implementations MUST NOT add further entries. - * Instead they MUST consider the policy unimplementable and signal that - * on any related resources such as the ancestor that would be referenced - * here. For example, if this list was full on BackendTLSPolicy, no - * additional Gateways would be able to reference the Service targeted by - * the BackendTLSPolicy. - */ - ancestors: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsPatch[]; - } - /** * GRPCRoute provides a way to route gRPC requests. This includes the capability * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. * Filters can be used to specify additional processing steps. Backends specify * where matching requests will be routed. * + * * GRPCRoute falls under extended support within the Gateway API. Within the * following specification, the word "MUST" indicates that an implementation * supporting GRPCRoute must conform to the indicated requirement, but an * implementation not supporting this route type need not follow the requirement * unless explicitly indicated. 
* + * * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via * ALPN. If the implementation does not support this, then it MUST set the @@ -23091,6 +14515,7 @@ export namespace gateway { * "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections * with an upgrade from HTTP/1. * + * * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST * support HTTP/2 over cleartext TCP (h2c, * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial @@ -23127,14 +14552,17 @@ export namespace gateway { * Host header to select a GRPCRoute to process the request. This matches * the RFC 1123 definition of a hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label MUST appear by itself as the first label. * + * * If a hostname is specified by both the Listener and GRPCRoute, there * MUST be at least one intersecting hostname for the GRPCRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches GRPCRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -23144,34 +14572,41 @@ export namespace gateway { * `test.example.com` and `*.example.com` would both match. On the other * hand, `example.com` and `test.example.net` would not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and GRPCRoute have specified hostnames, any * GRPCRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * GRPCRoute specified `test.example.com` and `test.example.net`, * `test.example.net` MUST NOT be considered for a match. * + * * If both the Listener and GRPCRoute have specified hostnames, and none * match with the criteria above, then the GRPCRoute MUST NOT be accepted by * the implementation. The implementation MUST raise an 'Accepted' Condition * with a status of `False` in the corresponding RouteParentStatus. * + * * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a * Listener and that listener already has another Route (B) of the other * type attached and the intersection of the hostnames of A and B is * non-empty, then the implementation MUST accept exactly one of these two * routes, determined by the following criteria, in order: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * The rejected Route MUST raise an 'Accepted' condition with a status of * 'False' in the corresponding RouteParentStatus. * + * * Support: Core */ hostnames: string[]; 
@@ -23187,16 +14622,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -23206,8 +14646,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -23215,12 +14657,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -23228,10 +14672,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -23243,21 +14689,6 @@ export namespace gateway { * Rules are a list of GRPC matchers, filters and actions. */ rules: outputs.gateway.v1.GRPCRouteSpecRules[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** 
@@ -23265,12 +14696,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -23281,23 +14715,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -23305,6 +14744,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -23312,10 +14752,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -23323,6 +14765,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -23330,6 +14773,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -23339,15 +14783,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -23356,6 +14803,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; 
@@ -23363,6 +14811,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -23370,10 +14819,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -23383,6 +14834,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -23393,12 +14845,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -23409,23 +14864,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -23433,6 +14893,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -23440,10 +14901,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -23451,6 +14914,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -23458,6 +14922,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -23467,15 +14932,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -23484,6 +14952,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -23491,6 +14960,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -23498,10 +14968,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -23511,6 +14983,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -23525,14 +14998,17 @@ export namespace gateway { * Host header to select a GRPCRoute to process the request. This matches * the RFC 1123 definition of a hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label MUST appear by itself as the first label. * + * * If a hostname is specified by both the Listener and GRPCRoute, there * MUST be at least one intersecting hostname for the GRPCRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches GRPCRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -23542,34 +15018,41 @@ export namespace gateway { * `test.example.com` and `*.example.com` would both match. On the other * hand, `example.com` and `test.example.net` would not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and GRPCRoute have specified hostnames, any * GRPCRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * GRPCRoute specified `test.example.com` and `test.example.net`, * `test.example.net` MUST NOT be considered for a match. * + * * If both the Listener and GRPCRoute have specified hostnames, and none * match with the criteria above, then the GRPCRoute MUST NOT be accepted by * the implementation. The implementation MUST raise an 'Accepted' Condition * with a status of `False` in the corresponding RouteParentStatus. * + * * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a * Listener and that listener already has another Route (B) of the other * type attached and the intersection of the hostnames of A and B is * non-empty, then the implementation MUST accept exactly one of these two * routes, determined by the following criteria, in order: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * The rejected Route MUST raise an 'Accepted' condition with a status of * 'False' in the corresponding RouteParentStatus. * + * * Support: Core */ hostnames: string[]; 
@@ -23585,16 +15068,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -23604,8 +15092,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -23613,12 +15103,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -23626,10 +15118,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -23641,21 +15135,6 @@ export namespace gateway { * Rules are a list of GRPC matchers, filters and actions. */ rules: outputs.gateway.v1.GRPCRouteSpecRulesPatch[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** 
@@ -23668,30 +15147,38 @@ export namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive an `UNAVAILABLE` status. * + * * See the GRPCBackendRef definition for the rules about what makes a single * GRPCBackendRef invalid. * + * * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive an `UNAVAILABLE` status. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. * Implementations may choose how that 50 percent is determined. * + * * Support: Core for Kubernetes Service * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefs[]; 
@@ -23699,26 +15186,32 @@ export namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * The effects of ordering of multiple behaviors are currently unspecified. * This can change in the future based on feedback during the alpha stage. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations that support * GRPCRoute. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * - * If an implementation cannot support a combination of filters, it must clearly + * + * If an implementation can not support a combination of filters, it must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. * + * * Support: Core */ filters: outputs.gateway.v1.GRPCRouteSpecRulesFilters[]; @@ -23727,8 +15220,10 @@ export namespace gateway { * gRPC requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - method: 
@@ -23740,77 +15235,91 @@ export namespace gateway { * service: foo.bar.v2 * ``` * + * * For a request to match against this rule, it MUST satisfy * EITHER of the two conditions: * + * * - service of foo.bar AND contains the header `version: 2` * - service of foo.bar.v2 * + * * See the documentation for GRPCRouteMatch on how to specify multiple * match conditions to be ANDed together. * + * * If no matches are specified, the implementation MUST match every gRPC request. * + * * Proxy or Load Balancer routing configuration generated from GRPCRoutes * MUST prioritize rules based on the following criteria, continuing on * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. * Precedence MUST be given to the rule with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * * Characters in a matching service. * * Characters in a matching method. * * Header matches. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within the Route that has been given precedence, * matching precedence MUST be granted to the first matching rule meeting * the above criteria. */ matches: outputs.gateway.v1.GRPCRouteSpecRulesMatches[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; sessionPersistence: outputs.gateway.v1.GRPCRouteSpecRulesSessionPersistence; } /** * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. 
See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ export interface GRPCRouteSpecRulesBackendRefs { /** * Filters defined at this level MUST be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in GRPCRouteRule.) */ @@ -23824,16 +15333,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; 
@@ -23845,11 +15358,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -23869,11 +15384,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; @@ -23896,14 +15413,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations supporting GRPCRoute MUST support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by specific vendors. * In the future, filters showing convergence in behavior across multiple * implementations will be considered for inclusion in extended or core 
@@ -23911,9 +15431,11 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` MUST be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. @@ -23927,8 +15449,10 @@ export namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * Support: Implementation-specific * + * * This filter can be used multiple times within the same rule. */ export interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRef { @@ -23953,8 +15477,10 @@ export namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * Support: Implementation-specific * + * * This filter can be used multiple times within the same rule. */ export interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch { @@ -23990,14 +15516,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations supporting GRPCRoute MUST support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by specific vendors. * In the future, filters showing convergence in behavior across multiple * implementations will be considered for inclusion in extended or core 
@@ -24005,9 +15534,11 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` MUST be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. @@ -24019,6 +15550,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier { @@ -24027,15 +15559,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -24047,15 +15582,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -24065,15 +15603,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -24087,7 +15628,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24108,7 +15650,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24127,6 +15670,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch { @@ -24135,15 +15679,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -24155,15 +15702,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar 
@@ -24173,15 +15723,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -24195,7 +15748,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24216,7 +15770,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -24236,49 +15791,47 @@ export namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirror { backendRef: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef; - fraction: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFraction; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef { @@ -24291,16 +15844,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -24312,11 +15869,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -24333,26 +15892,32 @@ export namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch { @@ -24365,16 +15930,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; 
@@ -24386,11 +15955,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -24404,59 +15975,28 @@ export namespace gateway { port: number; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFraction { - denominator: number; - numerator: number; - } - - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch { - denominator: number; - numerator: number; - } - /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch { backendRef: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch; - fraction: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier { 
@@ -24465,15 +16005,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -24485,15 +16028,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -24503,15 +16049,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -24525,7 +16074,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -24546,7 +16096,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24565,6 +16116,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch { @@ -24573,15 +16125,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -24593,15 +16148,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -24611,15 +16169,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -24633,7 +16194,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24654,7 +16216,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -24672,31 +16235,42 @@ export namespace gateway { /** * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ export interface GRPCRouteSpecRulesBackendRefsPatch { /** * Filters defined at this level MUST be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in GRPCRouteRule.) */ 
@@ -24710,16 +16284,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -24731,11 +16309,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -24755,11 +16335,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -24782,14 +16364,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations supporting GRPCRoute MUST support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by specific vendors. * In the future, filters showing convergence in behavior across multiple * implementations will be considered for inclusion in extended or core @@ -24797,9 +16382,11 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` MUST be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. @@ -24813,8 +16400,10 @@ export namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * Support: Implementation-specific * + * * This filter can be used multiple times within the same rule. */ export interface GRPCRouteSpecRulesFiltersExtensionRef { @@ -24839,8 +16428,10 @@ export namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * Support: Implementation-specific * + * * This filter can be used multiple times within the same rule. */ export interface GRPCRouteSpecRulesFiltersExtensionRefPatch { 
@@ -24876,14 +16467,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations supporting GRPCRoute MUST support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by specific vendors. * In the future, filters showing convergence in behavior across multiple * implementations will be considered for inclusion in extended or core @@ -24891,9 +16485,11 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` MUST be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. @@ -24905,6 +16501,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface GRPCRouteSpecRulesFiltersRequestHeaderModifier { @@ -24913,15 +16510,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz 
@@ -24933,15 +16533,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -24951,15 +16554,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -24973,7 +16579,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -24994,7 +16601,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -25013,6 +16621,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch { 
@@ -25021,15 +16630,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -25041,15 +16653,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -25059,15 +16674,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -25081,7 +16699,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -25102,7 +16721,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -25122,49 +16742,47 @@ export namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface GRPCRouteSpecRulesFiltersRequestMirror { backendRef: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorBackendRef; - fraction: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorFraction; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRef { @@ -25177,16 +16795,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -25198,11 +16820,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -25219,26 +16843,32 @@ export namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch { @@ -25251,16 +16881,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; 
@@ -25272,11 +16906,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -25290,59 +16926,28 @@ export namespace gateway { port: number; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface GRPCRouteSpecRulesFiltersRequestMirrorFraction { - denominator: number; - numerator: number; - } - - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface GRPCRouteSpecRulesFiltersRequestMirrorFractionPatch { - denominator: number; - numerator: number; - } - /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface GRPCRouteSpecRulesFiltersRequestMirrorPatch { backendRef: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch; - fraction: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorFractionPatch; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface GRPCRouteSpecRulesFiltersResponseHeaderModifier { 
@@ -25351,15 +16956,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -25371,15 +16979,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -25389,15 +17000,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -25411,7 +17025,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -25432,7 +17047,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -25451,6 +17067,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch { @@ -25459,15 +17076,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -25479,15 +17099,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -25497,15 +17120,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -25519,7 +17145,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -25540,7 +17167,8 @@ export namespace gateway { export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -25560,9 +17188,11 @@ export namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a gRPC request only if its service * is `foo` AND it contains the `version: v1` header: * + * * ``` * matches: * - method: @@ -25572,6 +17202,7 @@ export namespace gateway { * - name: "version" * value "v1" * + * * ``` */ export interface GRPCRouteSpecRulesMatches { @@ -25592,6 +17223,7 @@ export namespace gateway { /** * Name is the name of the gRPC Header to be matched. * + * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent header name MUST be ignored. Due to the @@ -25617,6 +17249,7 @@ export namespace gateway { /** * Name is the name of the gRPC Header to be matched. * + * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent header name MUST be ignored. Due to the @@ -25643,6 +17276,7 @@ export namespace gateway { * Value of the method to match against. If left empty or omitted, will * match all services. * + * * At least one of Service and Method MUST be a non-empty string. */ method: string; 
@@ -25650,6 +17284,7 @@ export namespace gateway { * Value of the service to match against. If left empty or omitted, will * match any service. * + * * At least one of Service and Method MUST be a non-empty string. */ service: string; @@ -25657,8 +17292,10 @@ export namespace gateway { * Type specifies how to match against the service and/or method. * Support: Core (Exact with service and method specified) * + * * Support: Implementation-specific (Exact with method specified but no service specified) * + * * Support: Implementation-specific (RegularExpression) */ type: string; @@ -25673,6 +17310,7 @@ export namespace gateway { * Value of the method to match against. If left empty or omitted, will * match all services. * + * * At least one of Service and Method MUST be a non-empty string. */ method: string; @@ -25680,6 +17318,7 @@ export namespace gateway { * Value of the service to match against. If left empty or omitted, will * match any service. * + * * At least one of Service and Method MUST be a non-empty string. */ service: string; @@ -25687,8 +17326,10 @@ export namespace gateway { * Type specifies how to match against the service and/or method. * Support: Core (Exact with service and method specified) * + * * Support: Implementation-specific (Exact with method specified but no service specified) * + * * Support: Implementation-specific (RegularExpression) */ type: string; @@ -25699,9 +17340,11 @@ export namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a gRPC request only if its service * is `foo` AND it contains the `version: v1` header: * + * * ``` * matches: * - method: @@ -25711,6 +17354,7 @@ export namespace gateway { * - name: "version" * value "v1" * + * * ``` */ export interface GRPCRouteSpecRulesMatchesPatch { 
@@ -25733,30 +17377,38 @@ export namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive an `UNAVAILABLE` status. * + * * See the GRPCBackendRef definition for the rules about what makes a single * GRPCBackendRef invalid. * + * * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive an `UNAVAILABLE` status. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. * Implementations may choose how that 50 percent is determined. * + * * Support: Core for Kubernetes Service * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsPatch[]; 
@@ -25764,26 +17416,32 @@ export namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * The effects of ordering of multiple behaviors are currently unspecified. * This can change in the future based on feedback during the alpha stage. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations that support * GRPCRoute. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * - * If an implementation cannot support a combination of filters, it must clearly + * + * If an implementation can not support a combination of filters, it must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. * + * * Support: Core */ filters: outputs.gateway.v1.GRPCRouteSpecRulesFiltersPatch[]; @@ -25792,8 +17450,10 @@ export namespace gateway { * gRPC requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - method: 
@@ -25805,46 +17465,49 @@ export namespace gateway { * service: foo.bar.v2 * ``` * + * * For a request to match against this rule, it MUST satisfy * EITHER of the two conditions: * + * * - service of foo.bar AND contains the header `version: 2` * - service of foo.bar.v2 * + * * See the documentation for GRPCRouteMatch on how to specify multiple * match conditions to be ANDed together. * + * * If no matches are specified, the implementation MUST match every gRPC request. * + * * Proxy or Load Balancer routing configuration generated from GRPCRoutes * MUST prioritize rules based on the following criteria, continuing on * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. * Precedence MUST be given to the rule with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * * Characters in a matching service. * * Characters in a matching method. * * Header matches. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within the Route that has been given precedence, * matching precedence MUST be granted to the first matching rule meeting * the above criteria. */ matches: outputs.gateway.v1.GRPCRouteSpecRulesMatchesPatch[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; sessionPersistence: outputs.gateway.v1.GRPCRouteSpecRulesSessionPersistencePatch; } @@ -25852,6 +17515,7 @@ export namespace gateway { * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ export interface GRPCRouteSpecRulesSessionPersistence { 
@@ -25860,6 +17524,7 @@ export namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout: string; @@ -25869,6 +17534,7 @@ export namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout: string; @@ -25878,6 +17544,7 @@ export namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName: string; @@ -25886,8 +17553,10 @@ export namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type: string; @@ -25897,6 +17566,7 @@ export namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ export interface GRPCRouteSpecRulesSessionPersistenceCookieConfig { @@ -25907,18 +17577,20 @@ export namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType: string; @@ -25928,6 +17600,7 @@ export namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ export interface GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch { 
@@ -25938,18 +17611,20 @@ export namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType: string; @@ -25959,6 +17634,7 @@ export namespace gateway { * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ export interface GRPCRouteSpecRulesSessionPersistencePatch { @@ -25967,6 +17643,7 @@ export namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout: string; @@ -25976,6 +17653,7 @@ export namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout: string; @@ -25985,6 +17663,7 @@ export namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName: string; @@ -25993,8 +17672,10 @@ export namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type: string; 
@@ -26012,11 +17693,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ @@ -26033,19 +17716,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ 
@@ -26055,12 +17742,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. @@ -26071,6 +17761,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GRPCRouteStatusParentsConditions { /** 
@@ -26103,12 +17809,32 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GRPCRouteStatusParentsConditionsPatch { /** @@ -26141,6 +17867,10 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } 
@@ -26156,23 +17886,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -26180,6 +17915,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -26187,10 +17923,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -26198,6 +17936,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -26205,6 +17944,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -26214,15 +17954,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -26231,6 +17974,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -26238,6 +17982,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -26245,10 +17990,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -26258,6 +18005,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -26274,23 +18022,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -26298,6 +18051,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -26305,10 +18059,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -26316,6 +18072,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -26323,6 +18080,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -26332,15 +18090,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -26349,6 +18110,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; 
@@ -26356,6 +18118,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -26363,10 +18126,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -26376,6 +18141,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; 
@@ -26391,19 +18157,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -26413,12 +18183,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -26439,11 +18212,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ @@ -26475,6 +18250,7 @@ export namespace gateway { * GatewayClass describes a class of Gateways available to the user for creating * Gateway resources. * + * * It is recommended that this resource be used as a template for Gateways. This * means that a Gateway is based on the state of the GatewayClass at the time it * was created and changes to the GatewayClass or associated parameters are not @@ -26483,11 +18259,13 @@ export namespace gateway { * If implementations choose to propagate GatewayClass changes to existing * Gateways, that MUST be clearly documented by the implementation. * + * * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the * associated GatewayClass. This ensures that a GatewayClass associated with a * Gateway is not deleted while in use. * + * * GatewayClass is a Cluster level resource. */ export interface GatewayClass { @@ -26515,10 +18293,13 @@ export namespace gateway { * ControllerName is the name of the controller that is managing Gateways of * this class. The value of this field MUST be a domain prefixed path. * + * * Example: "example.net/gateway-controller". * + * * This field is not mutable and cannot be empty. * + * * Support: Core */ controllerName: string; 
@@ -26534,19 +18315,21 @@ export namespace gateway { * parameters corresponding to the GatewayClass. This is optional if the * controller does not require any additional configuration. * + * * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, * or an implementation-specific custom resource. The resource can be * cluster-scoped or namespace-scoped. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the GatewayClass SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. + * + * If the referent cannot be found, the GatewayClass's "InvalidParameters" + * status condition will be true. + * * * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * + * * Support: Implementation-specific */ export interface GatewayClassSpecParametersRef { 
@@ -26575,19 +18358,21 @@ export namespace gateway { * parameters corresponding to the GatewayClass. This is optional if the * controller does not require any additional configuration. * + * * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, * or an implementation-specific custom resource. The resource can be * cluster-scoped or namespace-scoped. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the GatewayClass SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. + * + * If the referent cannot be found, the GatewayClass's "InvalidParameters" + * status condition will be true. + * * * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * + * * Support: Implementation-specific */ export interface GatewayClassSpecParametersRefPatch { @@ -26619,10 +18404,13 @@ export namespace gateway { * ControllerName is the name of the controller that is managing Gateways of * this class. The value of this field MUST be a domain prefixed path. * + * * Example: "example.net/gateway-controller". * + * * This field is not mutable and cannot be empty. * + * * Support: Core */ controllerName: string; @@ -26636,6 +18424,7 @@ export namespace gateway { /** * Status defines the current state of GatewayClass. * + * * Implementations MUST populate status on all GatewayClass resources which * specify their controller name. */ 
@@ -26644,19 +18433,36 @@ export namespace gateway { * Conditions is the current status from the controller for * this GatewayClass. * + * * Controllers should prefer to publish conditions using values * of GatewayClassConditionType for the type of each Condition. */ conditions: outputs.gateway.v1.GatewayClassStatusConditions[]; /** * SupportedFeatures is the set of features the GatewayClass support. - * It MUST be sorted in ascending alphabetical order by the Name key. + * It MUST be sorted in ascending alphabetical order. */ - supportedFeatures: outputs.gateway.v1.GatewayClassStatusSupportedFeatures[]; + supportedFeatures: string[]; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayClassStatusConditions { /** 
@@ -26689,12 +18495,32 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayClassStatusConditionsPatch { /** @@ -26727,6 +18553,10 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -26734,6 +18564,7 @@ export namespace gateway { /** * Status defines the current state of GatewayClass. * + * * Implementations MUST populate status on all GatewayClass resources which * specify their controller name. */ 
@@ -26742,31 +18573,16 @@ export namespace gateway { * Conditions is the current status from the controller for * this GatewayClass. * + * * Controllers should prefer to publish conditions using values * of GatewayClassConditionType for the type of each Condition. */ conditions: outputs.gateway.v1.GatewayClassStatusConditionsPatch[]; /** * SupportedFeatures is the set of features the GatewayClass support. - * It MUST be sorted in ascending alphabetical order by the Name key. + * It MUST be sorted in ascending alphabetical order. */ - supportedFeatures: outputs.gateway.v1.GatewayClassStatusSupportedFeaturesPatch[]; - } - - export interface GatewayClassStatusSupportedFeatures { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. - */ - name: string; - } - - export interface GatewayClassStatusSupportedFeaturesPatch { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. - */ - name: string; + supportedFeatures: string[]; } /** @@ -26777,7 +18593,8 @@ export namespace gateway { * Addresses requested for this Gateway. This is optional and behavior can * depend on the implementation. If a value is set in the spec and the * requested address is invalid or unavailable, the implementation MUST - * indicate this in an associated entry in GatewayStatus.Conditions. + * indicate this in the associated entry in GatewayStatus.Addresses. + * * * The Addresses field represents a request for the address(es) on the * "outside of the Gateway", that traffic bound for this Gateway will use. 
@@ -26785,38 +18602,20 @@ export namespace gateway { * other networking infrastructure, or some other address that traffic will * be sent to. * + * * If no Addresses are specified, the implementation MAY schedule the * Gateway in an implementation-specific manner, assigning an appropriate * set of Addresses. * + * * The implementation MUST bind all Listeners to every GatewayAddress that * it assigns to the Gateway and add a corresponding entry in * GatewayStatus.Addresses. * + * * Support: Extended */ addresses: outputs.gateway.v1.GatewaySpecAddresses[]; - allowedListeners: outputs.gateway.v1.GatewaySpecAllowedListeners; - /** - * DefaultScope, when set, configures the Gateway as a default Gateway, - * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) - * attached to it, according to the scope configured here. - * - * If unset (the default) or set to None, the Gateway will not act as a - * default Gateway; if set, the Gateway will claim any Route with a - * matching scope set in its UseDefaultGateway field, subject to the usual - * rules about which routes the Gateway can attach to. - * - * Think carefully before using this functionality! While the normal rules - * about which Route can apply are still enforced, it is simply easier for - * the wrong Route to be accidentally attached to this Gateway in this - * configuration. If the Gateway operator is not also the operator in - * control of the scope (e.g. namespace) with tight controls and checks on - * what kind of workloads and Routes get added in that scope, we strongly - * recommend not using this just because it seems convenient, and instead - * stick to direct Route attachment. - */ - defaultScope: string; /** * GatewayClassName used for this Gateway. This is the name of a * GatewayClass resource. 
@@ -26828,7 +18627,6 @@ export namespace gateway { * logical endpoints that are bound on this Gateway's addresses. * At least one Listener MUST be specified. * - * ## Distinct Listeners * * Each Listener in a set of Listeners (for example, in a single Gateway) * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to 
@@ -26837,107 +18635,97 @@ export namespace gateway { * from multiple Gateways onto a single data plane, and these rules _also_ * apply in that case). * + * * Practically, this means that each listener in a set MUST have a unique * combination of Port, Protocol, and, if supported by the protocol, Hostname. * - * Some combinations of port, protocol, and TLS settings are considered - * Core support and MUST be supported by implementations based on the objects - * they support: * - * HTTPRoute + * Some combinations of port, protocol, and TLS settings are considered + * Core support and MUST be supported by implementations based on their + * targeted conformance profile: + * + * + * HTTP Profile + * * * 1. HTTPRoute, Port: 80, Protocol: HTTP * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided * - * TLSRoute + * + * TLS Profile + * * * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough * + * * "Distinct" Listeners have the following property: * - * **The implementation can match inbound requests to a single distinct - * Listener**. * - * When multiple Listeners share values for fields (for + * The implementation can match inbound requests to a single distinct + * Listener. When multiple Listeners share values for fields (for * example, two Listeners with the same Port value), the implementation * can match requests to only one of the Listeners using other * Listener fields. * - * When multiple listeners have the same value for the Protocol field, then - * each of the Listeners with matching Protocol values MUST have different - * values for other fields. * - * The set of fields that MUST be different for a Listener differs per protocol. - * The following rules define the rules for what fields MUST be considered for - * Listeners to be distinct with each protocol currently defined in the - * Gateway API spec. 
+ * For example, the following Listener scenarios are distinct: * - * The set of listeners that all share a protocol value MUST have _different_ - * values for _at least one_ of these fields to be distinct: * - * * **HTTP, HTTPS, TLS**: Port, Hostname - * * **TCP, UDP**: Port + * 1. Multiple Listeners with the same Port that all use the "HTTP" + * Protocol that all have unique Hostname values. + * 2. Multiple Listeners with the same Port that use either the "HTTPS" or + * "TLS" Protocol that all have unique Hostname values. + * 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + * with the same Protocol has the same Port value. * - * One **very** important rule to call out involves what happens when an - * implementation: * - * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - * Listeners, and - * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - * Protocol. + * Some fields in the Listener struct have possible values that affect + * whether the Listener is distinct. Hostname is particularly relevant + * for HTTP or HTTPS protocols. * - * In this case all the Listeners that share a port with the - * TCP Listener are not distinct and so MUST NOT be accepted. * - * If an implementation does not support TCP Protocol Listeners, then the - * previous rule does not apply, and the TCP Listeners SHOULD NOT be - * accepted. + * When using the Hostname value to select between same-Port, same-Protocol + * Listeners, the Hostname value must be different on each Listener for the + * Listener to be distinct. * - * Note that the `tls` field is not used for determining if a listener is distinct, because - * Listeners that _only_ differ on TLS config will still conflict in all cases. 
* - * ### Listeners that are distinct only by Hostname - * - * When the Listeners are distinct based only on Hostname, inbound request + * When the Listeners are distinct based on Hostname, inbound request * hostnames MUST match from the most specific to least specific Hostname * values to choose the correct Listener and its associated set of Routes. * - * Exact matches MUST be processed before wildcard matches, and wildcard - * matches MUST be processed before fallback (empty Hostname value) + * + * Exact matches must be processed before wildcard matches, and wildcard + * matches must be processed before fallback (empty Hostname value) * matches. For example, `"foo.example.com"` takes precedence over * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. * + * * Additionally, if there are multiple wildcard entries, more specific * wildcard entries must be processed before less specific wildcard entries. * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. - * * The precise definition here is that the higher the number of dots in the * hostname to the right of the wildcard character, the higher the precedence. * + * * The wildcard character will match any number of characters _and dots_ to * the left, however, so `"*.example.com"` will match both * `"foo.bar.example.com"` _and_ `"bar.example.com"`. * - * ## Handling indistinct Listeners * * If a set of Listeners contains Listeners that are not distinct, then those - * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + * Listeners are Conflicted, and the implementation MUST set the "Conflicted" * condition in the Listener Status to "True". * - * The words "indistinct" and "conflicted" are considered equivalent for the - * purpose of this documentation. * * Implementations MAY choose to accept a Gateway with some Conflicted * Listeners only if they only accept the partial Listener set that contains - * no Conflicted Listeners. 
+ * no Conflicted Listeners. To put this another way, implementations may + * accept a partial Listener set only if they throw out *all* the conflicting + * Listeners. No picking one of the conflicting listeners as the winner. + * This also means that the Gateway must have at least one non-conflicting + * Listener in this case, otherwise it violates the requirement that at + * least one Listener must be present. * - * Specifically, an implementation MAY accept a partial Listener set subject to - * the following rules: - * - * * The implementation MUST NOT pick one conflicting Listener as the winner. - * ALL indistinct Listeners must not be accepted for processing. - * * At least one distinct Listener MUST be present, or else the Gateway effectively - * contains _no_ Listeners, and must be rejected from processing as a whole. * * The implementation MUST set a "ListenersNotValid" condition on the * Gateway Status when the Gateway contains Conflicted Listeners whether or 
@@ -26946,52 +18734,45 @@ export namespace gateway { * Accepted. Additionally, the Listener status for those listeners SHOULD * indicate which Listeners are conflicted and not Accepted. * - * ## General Listener behavior * - * Note that, for all distinct Listeners, requests SHOULD match at most one Listener. - * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - * request to "foo.example.com" SHOULD only be routed using routes attached - * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * A Gateway's Listeners are considered "compatible" if: * - * This concept is known as "Listener Isolation", and it is an Extended feature - * of Gateway API. Implementations that do not support Listener Isolation MUST - * clearly document this, and MUST NOT claim support for the - * `GatewayHTTPListenerIsolation` feature. - * - * Implementations that _do_ support Listener Isolation SHOULD claim support - * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - * conformance tests. - * - * ## Compatible Listeners - * - * A Gateway's Listeners are considered _compatible_ if: * * 1. They are distinct. * 2. The implementation can serve them in compliance with the Addresses * requirement that all Listeners are available on all assigned * addresses. * + * * Compatible combinations in Extended support are expected to vary across * implementations. A combination that is compatible for one implementation * may not be compatible for another. * + * * For example, an implementation that cannot serve both TCP and UDP listeners * on the same address, or cannot mix HTTPS and generic TLS listens on the same port * would not consider those cases compatible, even though they are distinct. * + * + * Note that requests SHOULD match at most one Listener. 
For example, if + * Listeners are defined for "foo.example.com" and "*.example.com", a + * request to "foo.example.com" SHOULD only be routed using routes attached + * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * This concept is known as "Listener Isolation". Implementations that do + * not support Listener Isolation MUST clearly document this. + * + * * Implementations MAY merge separate Gateways onto a single set of * Addresses if all Listeners across all Gateways are compatible. * - * In a future release the MinItems=1 requirement MAY be dropped. * * Support: Core */ listeners: outputs.gateway.v1.GatewaySpecListeners[]; - tls: outputs.gateway.v1.GatewaySpecTls; } /** - * GatewaySpecAddress describes an address that can be bound to a Gateway. + * GatewayAddress describes an address that can be bound to a Gateway. */ export interface GatewaySpecAddresses { /** @@ -26999,11 +18780,9 @@ export namespace gateway { */ type: string; /** - * When a value is unspecified, an implementation SHOULD automatically - * assign an address matching the requested type if possible. + * Value of the address. The validity of the values will depend + * on the type and support by the controller. * - * If an implementation does not support an empty value, they MUST set the - * "Programmed" condition in status to False with a reason of "AddressNotAssigned". * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ @@ -27011,7 +18790,7 @@ export namespace gateway { } /** - * GatewaySpecAddress describes an address that can be bound to a Gateway. + * GatewayAddress describes an address that can be bound to a Gateway. */ export interface GatewaySpecAddressesPatch { /** 
@@ -27019,182 +18798,46 @@ export namespace gateway { */ type: string; /** - * When a value is unspecified, an implementation SHOULD automatically - * assign an address matching the requested type if possible. + * Value of the address. The validity of the values will depend + * on the type and support by the controller. * - * If an implementation does not support an empty value, they MUST set the - * "Programmed" condition in status to False with a reason of "AddressNotAssigned". * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value: string; } - /** - * AllowedListeners defines which ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - export interface GatewaySpecAllowedListeners { - namespaces: outputs.gateway.v1.GatewaySpecAllowedListenersNamespaces; - } - - /** - * Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - export interface GatewaySpecAllowedListenersNamespaces { - /** - * From indicates where ListenerSets can attach to this Gateway. Possible - * values are: - * - * * Same: Only ListenerSets in the same namespace may be attached to this Gateway. - * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. - * * All: ListenerSets in all namespaces may be attached to this Gateway. - * * None: Only listeners defined in the Gateway's spec are allowed - * - * While this feature is experimental, the default value None - */ - from: string; - selector: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelector; - } - - /** - * Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. 
- */ - export interface GatewaySpecAllowedListenersNamespacesPatch { - /** - * From indicates where ListenerSets can attach to this Gateway. Possible - * values are: - * - * * Same: Only ListenerSets in the same namespace may be attached to this Gateway. - * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. - * * All: ListenerSets in all namespaces may be attached to this Gateway. - * * None: Only listeners defined in the Gateway's spec are allowed - * - * While this feature is experimental, the default value None - */ - from: string; - selector: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorPatch; - } - - /** - * Selector must be specified when From is set to "Selector". In that case, - * only ListenerSets in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - */ - export interface GatewaySpecAllowedListenersNamespacesSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * Selector must be specified when From is set to "Selector". In that case, - * only ListenerSets in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - */ - export interface GatewaySpecAllowedListenersNamespacesSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * AllowedListeners defines which ListenerSets can be attached to this Gateway. 
- * While this feature is experimental, the default value is to allow no ListenerSets. - */ - export interface GatewaySpecAllowedListenersPatch { - namespaces: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesPatch; - } - /** * Infrastructure defines infrastructure level attributes about this Gateway instance. * - * Support: Extended + * + * Support: Core */ export interface GatewaySpecInfrastructure { /** * Annotations that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. * + * * An implementation may chose to add additional implementation-specific annotations as they see fit. * + * * Support: Extended */ annotations: {[key: string]: string}; /** * Labels that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. * For other implementations, this refers to any relevant (implementation specific) "labels" concepts. * + * * An implementation may chose to add additional implementation-specific labels as they see fit. * - * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - * change, it SHOULD clearly warn about this behavior in documentation. * * Support: Extended */ 
@@ -27207,16 +18850,14 @@ export namespace gateway { * parameters corresponding to the Gateway. This is optional if the * controller does not require any additional configuration. * + * * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis * + * * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Gateway SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. * * Support: Implementation-specific */ @@ -27240,16 +18881,14 @@ export namespace gateway { * parameters corresponding to the Gateway. This is optional if the * controller does not require any additional configuration. * + * * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis * + * * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Gateway SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. * * Support: Implementation-specific */ 
@@ -27271,30 +18910,34 @@ export namespace gateway { /** * Infrastructure defines infrastructure level attributes about this Gateway instance. * - * Support: Extended + * + * Support: Core */ export interface GatewaySpecInfrastructurePatch { /** * Annotations that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. * + * * An implementation may chose to add additional implementation-specific annotations as they see fit. * + * * Support: Extended */ annotations: {[key: string]: string}; /** * Labels that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. * For other implementations, this refers to any relevant (implementation specific) "labels" concepts. * + * * An implementation may chose to add additional implementation-specific labels as they see fit. * - * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - * change, it SHOULD clearly warn about this behavior in documentation. * * Support: Extended */ 
@@ -27314,36 +18957,18 @@ export namespace gateway { * field is ignored for protocols that don't require hostname based * matching. * + * * Implementations MUST apply Hostname matching appropriately for each of * the following protocols: * + * * * TLS: The Listener Hostname MUST match the SNI. * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - * Note that this does not require the SNI and Host header to be the same. - * The semantics of this are described in more detail below. + * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + * protocol layers as described above. If an implementation does not + * ensure that both the SNI and Host header match the Listener hostname, + * it MUST clearly document that. * - * To ensure security, Section 11.1 of RFC-6066 emphasizes that server - * implementations that rely on SNI hostname matching MUST also verify - * hostnames within the application protocol. - * - * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - * reuse of a connection by responding with the HTTP 421 Misdirected Request - * status code. This indicates that the origin server has rejected the - * request because it appears to have been misdirected. - * - * To detect misdirected requests, Gateways SHOULD match the authority of - * the requests with all the SNI hostname(s) configured across all the - * Gateway Listeners on the same port and protocol: - * - * * If another Listener has an exact match or more specific wildcard entry, - * the Gateway SHOULD return a 421. - * * If the current Listener (selected by SNI matching during ClientHello) - * does not match the Host: - * * If another Listener does match the Host the Gateway SHOULD return a - * 421. - * * If no other Listener matches the Host, the Gateway MUST return a - * 404. 
* * For HTTPRoute and TLSRoute resources, there is an interaction with the * `spec.hostnames` array. When both listener and route specify hostnames, @@ -27351,10 +18976,12 @@ export namespace gateway { * accepted. For more information, refer to the Route specific Hostnames * documentation. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * Support: Core */ hostname: string; @@ -27362,6 +18989,7 @@ export namespace gateway { * Name is the name of the Listener. This name MUST be unique within a * Gateway. * + * * Support: Core */ name: string; @@ -27369,12 +18997,14 @@ export namespace gateway { * Port is the network port. Multiple listeners may use the * same port, subject to the Listener compatibility rules. * + * * Support: Core */ port: number; /** * Protocol specifies the network protocol this listener expects to receive. * + * * Support: Core */ protocol: string; @@ -27386,10 +19016,12 @@ export namespace gateway { * Listener and the trusted namespaces where those Route resources MAY be * present. * + * * Although a client request may match multiple route rules, only one rule * may ultimately receive the request. Matching precedence MUST be * determined in order of the following criteria: * + * * * The most specific match as defined by the Route type. * * The oldest Route based on creation timestamp. For example, a Route with * a creation timestamp of "2020-09-08 01:02:03" is given precedence over 
@@ -27398,6 +19030,7 @@ export namespace gateway { * alphabetical order (namespace/name) should be given precedence. For * example, foo/bar is given precedence over foo/baz. * + * * All valid rules within a Route attached to this Listener should be * implemented. Invalid Route rules can be ignored (sometimes that will mean * the full Route). If a Route rule transitions from valid to invalid, @@ -27405,6 +19038,7 @@ export namespace gateway { * example, even if a filter specified by a Route rule is invalid, the rest * of the rules within that Route should still be supported. * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutes { @@ -27413,12 +19047,14 @@ export namespace gateway { * to this Gateway Listener. When unspecified or empty, the kinds of Routes * selected are determined using the Listener protocol. * + * * A RouteGroupKind MUST correspond to kinds of Routes that are compatible * with the application protocol specified in the Listener's Protocol field. * If an implementation does not support or recognize this resource type, it * MUST set the "ResolvedRefs" condition to False for this Listener with the * "InvalidRouteKinds" reason. * + * * Support: Core */ kinds: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesKinds[]; @@ -27457,6 +19093,7 @@ export namespace gateway { * Namespaces indicates namespaces from which Routes may be attached to this * Listener. This is restricted to the namespace of this Gateway by default. * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesNamespaces { @@ -27464,11 +19101,13 @@ export namespace gateway { * From indicates where Routes will be selected for this Gateway. Possible * values are: * + * * * All: Routes in all namespaces may be used by this Gateway. * * Selector: Routes in namespaces selected by the selector may be used by * this Gateway. * * Same: Only Routes in the same namespace may be used by this Gateway. * + * * Support: Core */ from: string; 
@@ -27479,6 +19118,7 @@ export namespace gateway { * Namespaces indicates namespaces from which Routes may be attached to this * Listener. This is restricted to the namespace of this Gateway by default. * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesNamespacesPatch { @@ -27486,11 +19126,13 @@ export namespace gateway { * From indicates where Routes will be selected for this Gateway. Possible * values are: * + * * * All: Routes in all namespaces may be used by this Gateway. * * Selector: Routes in namespaces selected by the selector may be used by * this Gateway. * * Same: Only Routes in the same namespace may be used by this Gateway. * + * * Support: Core */ from: string; @@ -27502,6 +19144,7 @@ export namespace gateway { * only Routes in Namespaces matching this Selector will be selected by this * Gateway. This field is ignored for other values of "From". * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesNamespacesSelector { @@ -27568,6 +19211,7 @@ export namespace gateway { * only Routes in Namespaces matching this Selector will be selected by this * Gateway. This field is ignored for other values of "From". * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch { @@ -27588,10 +19232,12 @@ export namespace gateway { * Listener and the trusted namespaces where those Route resources MAY be * present. * + * * Although a client request may match multiple route rules, only one rule * may ultimately receive the request. Matching precedence MUST be * determined in order of the following criteria: * + * * * The most specific match as defined by the Route type. * * The oldest Route based on creation timestamp. For example, a Route with * a creation timestamp of "2020-09-08 01:02:03" is given precedence over 
@@ -27600,6 +19246,7 @@ export namespace gateway { * alphabetical order (namespace/name) should be given precedence. For * example, foo/bar is given precedence over foo/baz. * + * * All valid rules within a Route attached to this Listener should be * implemented. Invalid Route rules can be ignored (sometimes that will mean * the full Route). If a Route rule transitions from valid to invalid, @@ -27607,6 +19254,7 @@ export namespace gateway { * example, even if a filter specified by a Route rule is invalid, the rest * of the rules within that Route should still be supported. * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesPatch { @@ -27615,12 +19263,14 @@ export namespace gateway { * to this Gateway Listener. When unspecified or empty, the kinds of Routes * selected are determined using the Listener protocol. * + * * A RouteGroupKind MUST correspond to kinds of Routes that are compatible * with the application protocol specified in the Listener's Protocol field. * If an implementation does not support or recognize this resource type, it * MUST set the "ResolvedRefs" condition to False for this Listener with the * "InvalidRouteKinds" reason. * + * * Support: Core */ kinds: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesKindsPatch[]; 
@@ -27639,36 +19289,18 @@ export namespace gateway { * field is ignored for protocols that don't require hostname based * matching. * + * * Implementations MUST apply Hostname matching appropriately for each of * the following protocols: * + * * * TLS: The Listener Hostname MUST match the SNI. * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - * Note that this does not require the SNI and Host header to be the same. - * The semantics of this are described in more detail below. + * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + * protocol layers as described above. If an implementation does not + * ensure that both the SNI and Host header match the Listener hostname, + * it MUST clearly document that. * - * To ensure security, Section 11.1 of RFC-6066 emphasizes that server - * implementations that rely on SNI hostname matching MUST also verify - * hostnames within the application protocol. - * - * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - * reuse of a connection by responding with the HTTP 421 Misdirected Request - * status code. This indicates that the origin server has rejected the - * request because it appears to have been misdirected. - * - * To detect misdirected requests, Gateways SHOULD match the authority of - * the requests with all the SNI hostname(s) configured across all the - * Gateway Listeners on the same port and protocol: - * - * * If another Listener has an exact match or more specific wildcard entry, - * the Gateway SHOULD return a 421. - * * If the current Listener (selected by SNI matching during ClientHello) - * does not match the Host: - * * If another Listener does match the Host the Gateway SHOULD return a - * 421. - * * If no other Listener matches the Host, the Gateway MUST return a - * 404. 
* * For HTTPRoute and TLSRoute resources, there is an interaction with the * `spec.hostnames` array. When both listener and route specify hostnames, @@ -27676,10 +19308,12 @@ export namespace gateway { * accepted. For more information, refer to the Route specific Hostnames * documentation. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * Support: Core */ hostname: string; @@ -27687,6 +19321,7 @@ export namespace gateway { * Name is the name of the Listener. This name MUST be unique within a * Gateway. * + * * Support: Core */ name: string; @@ -27694,12 +19329,14 @@ export namespace gateway { * Port is the network port. Multiple listeners may use the * same port, subject to the Listener compatibility rules. * + * * Support: Core */ port: number; /** * Protocol specifies the network protocol this listener expects to receive. * + * * Support: Core */ protocol: string; @@ -27711,12 +19348,15 @@ export namespace gateway { * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field * if the Protocol field is "HTTP", "TCP", or "UDP". * - * The association of SNIs to Certificate defined in ListenerTLSConfig is + * + * The association of SNIs to Certificate defined in GatewayTLSConfig is * defined based on the Hostname field for this listener. * + * * The GatewayClass MUST use the longest matching SNI out of all * available certificates for any TLS handshake. * + * * Support: Core */ export interface GatewaySpecListenersTls { 
@@ -27726,31 +19366,39 @@ export namespace gateway { * establish a TLS handshake for requests that match the hostname of the * associated listener. * + * * A single CertificateRef to a Kubernetes Secret has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a Listener, but this behavior is implementation-specific. * + * * References to a resource in different namespace are invalid UNLESS there * is a ReferenceGrant in the target namespace that allows the certificate * to be attached. If a ReferenceGrant does not allow this reference, the * "ResolvedRefs" condition MUST be set to False for this listener with the * "RefNotPermitted" reason. * + * * This field is required to have at least one element when the mode is set * to "Terminate" (default) and is optional otherwise. * + * * CertificateRefs can reference to standard Kubernetes resources, i.e. * Secret, or implementation-specific custom resources. * + * * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls * + * * Support: Implementation-specific (More than one reference or other resource types) */ certificateRefs: outputs.gateway.v1.GatewaySpecListenersTlsCertificateRefs[]; + frontendValidation: outputs.gateway.v1.GatewaySpecListenersTlsFrontendValidation; /** * Mode defines the TLS behavior for the TLS session initiated by the client. * There are two possible modes: * + * * - Terminate: The TLS session between the downstream client and the * Gateway is terminated at the Gateway. This mode requires certificates * to be specified in some way, such as populating the certificateRefs @@ -27760,6 +19408,7 @@ export namespace gateway { * the ClientHello message of the TLS protocol. The certificateRefs field * is ignored in this mode. * + * * Support: Core */ mode: string; 
@@ -27768,11 +19417,13 @@ export namespace gateway { * configuration for each implementation. For example, configuring the * minimum TLS version or supported cipher suites. * + * * A set of common keys MAY be defined by the API in the future. To avoid * any ambiguity, implementation-specific definitions MUST use * domain-prefixed names, such as `example.com/my-custom-option`. * Un-prefixed names are reserved for key names defined by Gateway API. * + * * Support: Implementation-specific */ options: {[key: string]: string}; @@ -27782,9 +19433,11 @@ export namespace gateway { * SecretObjectReference identifies an API object including its namespace, * defaulting to Secret. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. @@ -27807,11 +19460,13 @@ export namespace gateway { * Namespace is the namespace of the referenced object. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -27821,9 +19476,11 @@ export namespace gateway { * SecretObjectReference identifies an API object including its namespace, * defaulting to Secret. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. 
@@ -27846,27 +19503,198 @@ export namespace gateway { * Namespace is the namespace of the referenced object. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; } + /** + * FrontendValidation holds configuration information for validating the frontend (client). + * Setting this field will require clients to send a client certificate + * required for validation during the TLS handshake. In browsers this may result in a dialog appearing + * that requests a user to specify the client certificate. + * The maximum depth of a certificate chain accepted in verification is Implementation specific. + * + * + * Support: Extended + */ + export interface GatewaySpecListenersTlsFrontendValidation { + /** + * CACertificateRefs contains one or more references to + * Kubernetes objects that contain TLS certificates of + * the Certificate Authorities that can be used + * as a trust anchor to validate the certificates presented by the client. + * + * + * A single CA certificate reference to a Kubernetes ConfigMap + * has "Core" support. + * Implementations MAY choose to support attaching multiple CA certificates to + * a Listener, but this behavior is implementation-specific. + * + * + * Support: Core - A single reference to a Kubernetes ConfigMap + * with the CA certificate in a key named `ca.crt`. + * + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). + * + * + * References to a resource in a different namespace are invalid UNLESS there + * is a ReferenceGrant in the target namespace that allows the certificate + * to be attached. 
If a ReferenceGrant does not allow this reference, the + * "ResolvedRefs" condition MUST be set to False for this listener with the + * "RefNotPermitted" reason. + */ + caCertificateRefs: outputs.gateway.v1.GatewaySpecListenersTlsFrontendValidationCaCertificateRefs[]; + } + + /** + * ObjectReference identifies an API object including its namespace. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + * + * + * References to objects with invalid Group and Kind are not valid, and must + * be rejected by the implementation, with appropriate Conditions set + * on the containing object. + */ + export interface GatewaySpecListenersTlsFrontendValidationCaCertificateRefs { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is kind of the referent. For example "ConfigMap" or "Service". + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the referenced object. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + } + + /** + * ObjectReference identifies an API object including its namespace. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + * + * + * References to objects with invalid Group and Kind are not valid, and must + * be rejected by the implementation, with appropriate Conditions set + * on the containing object. 
+ */ + export interface GatewaySpecListenersTlsFrontendValidationCaCertificateRefsPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is kind of the referent. For example "ConfigMap" or "Service". + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the referenced object. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + } + + /** + * FrontendValidation holds configuration information for validating the frontend (client). + * Setting this field will require clients to send a client certificate + * required for validation during the TLS handshake. In browsers this may result in a dialog appearing + * that requests a user to specify the client certificate. + * The maximum depth of a certificate chain accepted in verification is Implementation specific. + * + * + * Support: Extended + */ + export interface GatewaySpecListenersTlsFrontendValidationPatch { + /** + * CACertificateRefs contains one or more references to + * Kubernetes objects that contain TLS certificates of + * the Certificate Authorities that can be used + * as a trust anchor to validate the certificates presented by the client. + * + * + * A single CA certificate reference to a Kubernetes ConfigMap + * has "Core" support. + * Implementations MAY choose to support attaching multiple CA certificates to + * a Listener, but this behavior is implementation-specific. 
+ * + * + * Support: Core - A single reference to a Kubernetes ConfigMap + * with the CA certificate in a key named `ca.crt`. + * + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). + * + * + * References to a resource in a different namespace are invalid UNLESS there + * is a ReferenceGrant in the target namespace that allows the certificate + * to be attached. If a ReferenceGrant does not allow this reference, the + * "ResolvedRefs" condition MUST be set to False for this listener with the + * "RefNotPermitted" reason. + */ + caCertificateRefs: outputs.gateway.v1.GatewaySpecListenersTlsFrontendValidationCaCertificateRefsPatch[]; + } + /** * TLS is the TLS configuration for the Listener. This field is required if * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field * if the Protocol field is "HTTP", "TCP", or "UDP". * - * The association of SNIs to Certificate defined in ListenerTLSConfig is + * + * The association of SNIs to Certificate defined in GatewayTLSConfig is * defined based on the Hostname field for this listener. * + * * The GatewayClass MUST use the longest matching SNI out of all * available certificates for any TLS handshake. * + * * Support: Core */ export interface GatewaySpecListenersTlsPatch { 
@@ -27876,31 +19704,39 @@ export namespace gateway { * establish a TLS handshake for requests that match the hostname of the * associated listener. * + * * A single CertificateRef to a Kubernetes Secret has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a Listener, but this behavior is implementation-specific. * + * * References to a resource in different namespace are invalid UNLESS there * is a ReferenceGrant in the target namespace that allows the certificate * to be attached. If a ReferenceGrant does not allow this reference, the * "ResolvedRefs" condition MUST be set to False for this listener with the * "RefNotPermitted" reason. * + * * This field is required to have at least one element when the mode is set * to "Terminate" (default) and is optional otherwise. * + * * CertificateRefs can reference to standard Kubernetes resources, i.e. * Secret, or implementation-specific custom resources. * + * * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls * + * * Support: Implementation-specific (More than one reference or other resource types) */ certificateRefs: outputs.gateway.v1.GatewaySpecListenersTlsCertificateRefsPatch[]; + frontendValidation: outputs.gateway.v1.GatewaySpecListenersTlsFrontendValidationPatch; /** * Mode defines the TLS behavior for the TLS session initiated by the client. * There are two possible modes: * + * * - Terminate: The TLS session between the downstream client and the * Gateway is terminated at the Gateway. This mode requires certificates * to be specified in some way, such as populating the certificateRefs @@ -27910,6 +19746,7 @@ export namespace gateway { * the ClientHello message of the TLS protocol. The certificateRefs field * is ignored in this mode. * + * * Support: Core */ mode: string; 
@@ -27918,11 +19755,13 @@ export namespace gateway { * configuration for each implementation. For example, configuring the * minimum TLS version or supported cipher suites. * + * * A set of common keys MAY be defined by the API in the future. To avoid * any ambiguity, implementation-specific definitions MUST use * domain-prefixed names, such as `example.com/my-custom-option`. * Un-prefixed names are reserved for key names defined by Gateway API. * + * * Support: Implementation-specific */ options: {[key: string]: string}; @@ -27936,7 +19775,8 @@ export namespace gateway { * Addresses requested for this Gateway. This is optional and behavior can * depend on the implementation. If a value is set in the spec and the * requested address is invalid or unavailable, the implementation MUST - * indicate this in an associated entry in GatewayStatus.Conditions. + * indicate this in the associated entry in GatewayStatus.Addresses. + * * * The Addresses field represents a request for the address(es) on the * "outside of the Gateway", that traffic bound for this Gateway will use. 
@@ -27944,38 +19784,20 @@ export namespace gateway { * other networking infrastructure, or some other address that traffic will * be sent to. * + * * If no Addresses are specified, the implementation MAY schedule the * Gateway in an implementation-specific manner, assigning an appropriate * set of Addresses. * + * * The implementation MUST bind all Listeners to every GatewayAddress that * it assigns to the Gateway and add a corresponding entry in * GatewayStatus.Addresses. * + * * Support: Extended */ addresses: outputs.gateway.v1.GatewaySpecAddressesPatch[]; - allowedListeners: outputs.gateway.v1.GatewaySpecAllowedListenersPatch; - /** - * DefaultScope, when set, configures the Gateway as a default Gateway, - * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) - * attached to it, according to the scope configured here. - * - * If unset (the default) or set to None, the Gateway will not act as a - * default Gateway; if set, the Gateway will claim any Route with a - * matching scope set in its UseDefaultGateway field, subject to the usual - * rules about which routes the Gateway can attach to. - * - * Think carefully before using this functionality! While the normal rules - * about which Route can apply are still enforced, it is simply easier for - * the wrong Route to be accidentally attached to this Gateway in this - * configuration. If the Gateway operator is not also the operator in - * control of the scope (e.g. namespace) with tight controls and checks on - * what kind of workloads and Routes get added in that scope, we strongly - * recommend not using this just because it seems convenient, and instead - * stick to direct Route attachment. - */ - defaultScope: string; /** * GatewayClassName used for this Gateway. This is the name of a * GatewayClass resource. 
@@ -27987,7 +19809,6 @@ export namespace gateway { * logical endpoints that are bound on this Gateway's addresses. * At least one Listener MUST be specified. * - * ## Distinct Listeners * * Each Listener in a set of Listeners (for example, in a single Gateway) * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to 
@@ -27996,107 +19817,97 @@ export namespace gateway { * from multiple Gateways onto a single data plane, and these rules _also_ * apply in that case). * + * * Practically, this means that each listener in a set MUST have a unique * combination of Port, Protocol, and, if supported by the protocol, Hostname. * - * Some combinations of port, protocol, and TLS settings are considered - * Core support and MUST be supported by implementations based on the objects - * they support: * - * HTTPRoute + * Some combinations of port, protocol, and TLS settings are considered + * Core support and MUST be supported by implementations based on their + * targeted conformance profile: + * + * + * HTTP Profile + * * * 1. HTTPRoute, Port: 80, Protocol: HTTP * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided * - * TLSRoute + * + * TLS Profile + * * * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough * + * * "Distinct" Listeners have the following property: * - * **The implementation can match inbound requests to a single distinct - * Listener**. * - * When multiple Listeners share values for fields (for + * The implementation can match inbound requests to a single distinct + * Listener. When multiple Listeners share values for fields (for * example, two Listeners with the same Port value), the implementation * can match requests to only one of the Listeners using other * Listener fields. * - * When multiple listeners have the same value for the Protocol field, then - * each of the Listeners with matching Protocol values MUST have different - * values for other fields. * - * The set of fields that MUST be different for a Listener differs per protocol. - * The following rules define the rules for what fields MUST be considered for - * Listeners to be distinct with each protocol currently defined in the - * Gateway API spec. 
+ * For example, the following Listener scenarios are distinct: * - * The set of listeners that all share a protocol value MUST have _different_ - * values for _at least one_ of these fields to be distinct: * - * * **HTTP, HTTPS, TLS**: Port, Hostname - * * **TCP, UDP**: Port + * 1. Multiple Listeners with the same Port that all use the "HTTP" + * Protocol that all have unique Hostname values. + * 2. Multiple Listeners with the same Port that use either the "HTTPS" or + * "TLS" Protocol that all have unique Hostname values. + * 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + * with the same Protocol has the same Port value. * - * One **very** important rule to call out involves what happens when an - * implementation: * - * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - * Listeners, and - * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - * Protocol. + * Some fields in the Listener struct have possible values that affect + * whether the Listener is distinct. Hostname is particularly relevant + * for HTTP or HTTPS protocols. * - * In this case all the Listeners that share a port with the - * TCP Listener are not distinct and so MUST NOT be accepted. * - * If an implementation does not support TCP Protocol Listeners, then the - * previous rule does not apply, and the TCP Listeners SHOULD NOT be - * accepted. + * When using the Hostname value to select between same-Port, same-Protocol + * Listeners, the Hostname value must be different on each Listener for the + * Listener to be distinct. * - * Note that the `tls` field is not used for determining if a listener is distinct, because - * Listeners that _only_ differ on TLS config will still conflict in all cases. 
* - * ### Listeners that are distinct only by Hostname - * - * When the Listeners are distinct based only on Hostname, inbound request + * When the Listeners are distinct based on Hostname, inbound request * hostnames MUST match from the most specific to least specific Hostname * values to choose the correct Listener and its associated set of Routes. * - * Exact matches MUST be processed before wildcard matches, and wildcard - * matches MUST be processed before fallback (empty Hostname value) + * + * Exact matches must be processed before wildcard matches, and wildcard + * matches must be processed before fallback (empty Hostname value) * matches. For example, `"foo.example.com"` takes precedence over * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. * + * * Additionally, if there are multiple wildcard entries, more specific * wildcard entries must be processed before less specific wildcard entries. * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. - * * The precise definition here is that the higher the number of dots in the * hostname to the right of the wildcard character, the higher the precedence. * + * * The wildcard character will match any number of characters _and dots_ to * the left, however, so `"*.example.com"` will match both * `"foo.bar.example.com"` _and_ `"bar.example.com"`. * - * ## Handling indistinct Listeners * * If a set of Listeners contains Listeners that are not distinct, then those - * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + * Listeners are Conflicted, and the implementation MUST set the "Conflicted" * condition in the Listener Status to "True". * - * The words "indistinct" and "conflicted" are considered equivalent for the - * purpose of this documentation. * * Implementations MAY choose to accept a Gateway with some Conflicted * Listeners only if they only accept the partial Listener set that contains - * no Conflicted Listeners. 
+ * no Conflicted Listeners. To put this another way, implementations may + * accept a partial Listener set only if they throw out *all* the conflicting + * Listeners. No picking one of the conflicting listeners as the winner. + * This also means that the Gateway must have at least one non-conflicting + * Listener in this case, otherwise it violates the requirement that at + * least one Listener must be present. * - * Specifically, an implementation MAY accept a partial Listener set subject to - * the following rules: - * - * * The implementation MUST NOT pick one conflicting Listener as the winner. - * ALL indistinct Listeners must not be accepted for processing. - * * At least one distinct Listener MUST be present, or else the Gateway effectively - * contains _no_ Listeners, and must be rejected from processing as a whole. * * The implementation MUST set a "ListenersNotValid" condition on the * Gateway Status when the Gateway contains Conflicted Listeners whether or 
@@ -28105,656 +19916,41 @@ export namespace gateway { * Accepted. Additionally, the Listener status for those listeners SHOULD * indicate which Listeners are conflicted and not Accepted. * - * ## General Listener behavior * - * Note that, for all distinct Listeners, requests SHOULD match at most one Listener. - * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - * request to "foo.example.com" SHOULD only be routed using routes attached - * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * A Gateway's Listeners are considered "compatible" if: * - * This concept is known as "Listener Isolation", and it is an Extended feature - * of Gateway API. Implementations that do not support Listener Isolation MUST - * clearly document this, and MUST NOT claim support for the - * `GatewayHTTPListenerIsolation` feature. - * - * Implementations that _do_ support Listener Isolation SHOULD claim support - * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - * conformance tests. - * - * ## Compatible Listeners - * - * A Gateway's Listeners are considered _compatible_ if: * * 1. They are distinct. * 2. The implementation can serve them in compliance with the Addresses * requirement that all Listeners are available on all assigned * addresses. * + * * Compatible combinations in Extended support are expected to vary across * implementations. A combination that is compatible for one implementation * may not be compatible for another. * + * * For example, an implementation that cannot serve both TCP and UDP listeners * on the same address, or cannot mix HTTPS and generic TLS listens on the same port * would not consider those cases compatible, even though they are distinct. * + * + * Note that requests SHOULD match at most one Listener. 
For example, if + * Listeners are defined for "foo.example.com" and "*.example.com", a + * request to "foo.example.com" SHOULD only be routed using routes attached + * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * This concept is known as "Listener Isolation". Implementations that do + * not support Listener Isolation MUST clearly document this. + * + * * Implementations MAY merge separate Gateways onto a single set of * Addresses if all Listeners across all Gateways are compatible. * - * In a future release the MinItems=1 requirement MAY be dropped. * * Support: Core */ listeners: outputs.gateway.v1.GatewaySpecListenersPatch[]; - tls: outputs.gateway.v1.GatewaySpecTlsPatch; - } - - /** - * TLS specifies frontend and backend tls configuration for entire gateway. - * - * Support: Extended - */ - export interface GatewaySpecTls { - backend: outputs.gateway.v1.GatewaySpecTlsBackend; - frontend: outputs.gateway.v1.GatewaySpecTlsFrontend; - } - - /** - * Backend describes TLS configuration for gateway when connecting - * to backends. - * - * Note that this contains only details for the Gateway as a TLS client, - * and does _not_ imply behavior about how to choose which backend should - * get a TLS connection. That is determined by the presence of a BackendTLSPolicy. - * - * Support: Core - */ - export interface GatewaySpecTlsBackend { - clientCertificateRef: outputs.gateway.v1.GatewaySpecTlsBackendClientCertificateRef; - } - - /** - * ClientCertificateRef is a reference to an object that contains a Client - * Certificate and the associated private key. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. 
- * - * ClientCertificateRef can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - */ - export interface GatewaySpecTlsBackendClientCertificateRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - - /** - * ClientCertificateRef is a reference to an object that contains a Client - * Certificate and the associated private key. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * ClientCertificateRef can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - */ - export interface GatewaySpecTlsBackendClientCertificateRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind: string; - /** - * Name is the name of the referent. 
- */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - - /** - * Backend describes TLS configuration for gateway when connecting - * to backends. - * - * Note that this contains only details for the Gateway as a TLS client, - * and does _not_ imply behavior about how to choose which backend should - * get a TLS connection. That is determined by the presence of a BackendTLSPolicy. - * - * Support: Core - */ - export interface GatewaySpecTlsBackendPatch { - clientCertificateRef: outputs.gateway.v1.GatewaySpecTlsBackendClientCertificateRefPatch; - } - - /** - * Frontend describes TLS config when client connects to Gateway. - * Support: Core - */ - export interface GatewaySpecTlsFrontend { - default: outputs.gateway.v1.GatewaySpecTlsFrontendDefault; - /** - * PerPort specifies tls configuration assigned per port. - * Per port configuration is optional. Once set this configuration overrides - * the default configuration for all Listeners handling HTTPS traffic - * that match this port. - * Each override port requires a unique TLS configuration. - * - * support: Core - */ - perPort: outputs.gateway.v1.GatewaySpecTlsFrontendPerPort[]; - } - - /** - * Default specifies the default client certificate validation configuration - * for all Listeners handling HTTPS traffic, unless a per-port configuration - * is defined. 
- * - * support: Core - */ - export interface GatewaySpecTlsFrontendDefault { - validation: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidation; - } - - /** - * Default specifies the default client certificate validation configuration - * for all Listeners handling HTTPS traffic, unless a per-port configuration - * is defined. - * - * support: Core - */ - export interface GatewaySpecTlsFrontendDefaultPatch { - validation: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationPatch; - } - - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendDefaultValidation { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. 
If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs[]; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode: string; - } - - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. 
When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. 
- * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendDefaultValidationPatch { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch[]; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. 
- * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode: string; - } - - /** - * Frontend describes TLS config when client connects to Gateway. - * Support: Core - */ - export interface GatewaySpecTlsFrontendPatch { - default: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultPatch; - /** - * PerPort specifies tls configuration assigned per port. - * Per port configuration is optional. Once set this configuration overrides - * the default configuration for all Listeners handling HTTPS traffic - * that match this port. - * Each override port requires a unique TLS configuration. - * - * support: Core - */ - perPort: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortPatch[]; - } - - export interface GatewaySpecTlsFrontendPerPort { - /** - * The Port indicates the Port Number to which the TLS configuration will be - * applied. This configuration will be applied to all Listeners handling HTTPS - * traffic that match this port. - * - * Support: Core - */ - port: number; - tls: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTls; - } - - export interface GatewaySpecTlsFrontendPerPortPatch { - /** - * The Port indicates the Port Number to which the TLS configuration will be - * applied. This configuration will be applied to all Listeners handling HTTPS - * traffic that match this port. - * - * Support: Core - */ - port: number; - tls: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsPatch; - } - - /** - * TLS store the configuration that will be applied to all Listeners handling - * HTTPS traffic and matching given port. 
- * - * Support: Core - */ - export interface GatewaySpecTlsFrontendPerPortTls { - validation: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidation; - } - - /** - * TLS store the configuration that will be applied to all Listeners handling - * HTTPS traffic and matching given port. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendPerPortTlsPatch { - validation: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationPatch; - } - - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendPerPortTlsValidation { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. 
If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs[]; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode: string; - } - - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. 
When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. 
- * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendPerPortTlsValidationPatch { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch[]; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. 
- * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode: string; - } - - /** - * TLS specifies frontend and backend tls configuration for entire gateway. - * - * Support: Extended - */ - export interface GatewaySpecTlsPatch { - backend: outputs.gateway.v1.GatewaySpecTlsBackendPatch; - frontend: outputs.gateway.v1.GatewaySpecTlsFrontendPatch; } /** @@ -28765,9 +19961,11 @@ export namespace gateway { * Addresses lists the network addresses that have been bound to the * Gateway. * + * * This list may differ from the addresses provided in the spec under some * conditions: * + * * * no addresses are specified, all addresses are dynamically assigned * * a combination of specified and dynamic addresses are assigned * * a specified address was unusable (e.g. already in use) @@ -28776,13 +19974,16 @@ export namespace gateway { /** * Conditions describe the current conditions of the Gateway. * + * * Implementations should prefer to express Gateway conditions * using the `GatewayConditionType` and `GatewayConditionReason` * constants so that operators and tools can converge on a common * vocabulary to describe Gateway state. * + * * Known condition types are: * + * * * "Accepted" * * "Programmed" * * "Ready" @@ -28806,6 +20007,7 @@ export namespace gateway { * Value of the address. The validity of the values will depend * on the type and support by the controller. * + * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value: string; @@ -28823,6 +20025,7 @@ export namespace gateway { * Value of the address. The validity of the values will depend * on the type and support by the controller. * + * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value: string; 
@@ -28830,6 +20033,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayStatusConditions { /** @@ -28862,12 +20081,32 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayStatusConditionsPatch { /** 
@@ -28900,6 +20139,10 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -28912,6 +20155,7 @@ export namespace gateway { * AttachedRoutes represents the total number of Routes that have been * successfully attached to this Listener. * + * * Successful attachment of a Route to a Listener is based solely on the * combination of the AllowedRoutes field on the corresponding Listener * and the Route's ParentRefs field. A Route is successfully attached to @@ -28924,6 +20168,7 @@ export namespace gateway { * for Listeners with condition Accepted: false and MUST count successfully * attached Routes that may themselves have Accepted: false conditions. * + * * Uses for this field include troubleshooting Route attachment and * measuring blast radius/impact of changes to a Listener. */ @@ -28941,6 +20186,7 @@ export namespace gateway { * listener. This MUST represent the kinds an implementation supports for * that Listener configuration. * + * * If kinds are specified in Spec that are not supported, they MUST NOT * appear in this list and an implementation MUST set the "ResolvedRefs" * condition to "False" with the "InvalidRouteKinds" reason. If both valid 
@@ -28952,6 +20198,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayStatusListenersConditions { /** @@ -28984,12 +20246,32 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayStatusListenersConditionsPatch { /** 
@@ -29022,6 +20304,10 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -29034,6 +20320,7 @@ export namespace gateway { * AttachedRoutes represents the total number of Routes that have been * successfully attached to this Listener. * + * * Successful attachment of a Route to a Listener is based solely on the * combination of the AllowedRoutes field on the corresponding Listener * and the Route's ParentRefs field. A Route is successfully attached to @@ -29046,6 +20333,7 @@ export namespace gateway { * for Listeners with condition Accepted: false and MUST count successfully * attached Routes that may themselves have Accepted: false conditions. * + * * Uses for this field include troubleshooting Route attachment and * measuring blast radius/impact of changes to a Listener. */ @@ -29063,6 +20351,7 @@ export namespace gateway { * listener. This MUST represent the kinds an implementation supports for * that Listener configuration. * + * * If kinds are specified in Spec that are not supported, they MUST NOT * appear in this list and an implementation MUST set the "ResolvedRefs" * condition to "False" with the "InvalidRouteKinds" reason. If both valid @@ -29108,9 +20397,11 @@ export namespace gateway { * Addresses lists the network addresses that have been bound to the * Gateway. * + * * This list may differ from the addresses provided in the spec under some * conditions: * + * * * no addresses are specified, all addresses are dynamically assigned * * a combination of specified and dynamic addresses are assigned * * a specified address was unusable (e.g. already in use) 
@@ -29119,13 +20410,16 @@ export namespace gateway { /** * Conditions describe the current conditions of the Gateway. * + * * Implementations should prefer to express Gateway conditions * using the `GatewayConditionType` and `GatewayConditionReason` * constants so that operators and tools can converge on a common * vocabulary to describe Gateway state. * + * * Known condition types are: * + * * * "Accepted" * * "Programmed" * * "Ready" @@ -29171,17 +20465,21 @@ export namespace gateway { * performing a match and (absent of any applicable header modification * configuration) MUST forward this header unmodified to the backend. * + * * Valid values for Hostnames are determined by RFC 1123 definition of a * hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and HTTPRoute, there * must be at least one intersecting hostname for the HTTPRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches HTTPRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -29192,31 +20490,38 @@ export namespace gateway { * all match. On the other hand, `example.com` and `test.example.net` would * not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and HTTPRoute have specified hostnames, any * HTTPRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * HTTPRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and HTTPRoute have specified hostnames, and none * match with the criteria above, then the HTTPRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. * overlapping wildcard matching and exact matching hostnames), precedence must * be given to rules from the HTTPRoute with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * + * * If ties exist across multiple Routes, the matching precedence rules for * HTTPRouteMatches takes over. * + * * Support: Core */ hostnames: string[]; 
@@ -29232,16 +20537,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -29251,8 +20561,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -29260,12 +20572,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -29273,10 +20587,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -29288,21 +20604,6 @@ export namespace gateway { * Rules are a list of HTTP matchers, filters and actions. */ rules: outputs.gateway.v1.HTTPRouteSpecRules[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** 
@@ -29310,12 +20611,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -29326,23 +20630,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -29350,6 +20659,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -29357,10 +20667,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -29368,6 +20680,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -29375,6 +20688,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -29384,15 +20698,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -29401,6 +20718,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; 
@@ -29408,6 +20726,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -29415,10 +20734,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -29428,6 +20749,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -29438,12 +20760,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -29454,23 +20779,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -29478,6 +20808,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -29485,10 +20816,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -29496,6 +20829,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -29503,6 +20837,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -29512,15 +20847,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -29529,6 +20867,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -29536,6 +20875,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -29543,10 +20883,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -29556,6 +20898,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -29572,17 +20915,21 @@ export namespace gateway { * performing a match and (absent of any applicable header modification * configuration) MUST forward this header unmodified to the backend. * + * * Valid values for Hostnames are determined by RFC 1123 definition of a * hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and HTTPRoute, there * must be at least one intersecting hostname for the HTTPRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches HTTPRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -29593,31 +20940,38 @@ export namespace gateway { * all match. On the other hand, `example.com` and `test.example.net` would * not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and HTTPRoute have specified hostnames, any * HTTPRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * HTTPRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and HTTPRoute have specified hostnames, and none * match with the criteria above, then the HTTPRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. * overlapping wildcard matching and exact matching hostnames), precedence must * be given to rules from the HTTPRoute with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * + * * If ties exist across multiple Routes, the matching precedence rules for * HTTPRouteMatches takes over. * + * * Support: Core */ hostnames: string[]; 
@@ -29633,16 +20987,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -29652,8 +21011,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -29661,12 +21022,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -29674,10 +21037,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -29689,21 +21054,6 @@ export namespace gateway { * Rules are a list of HTTP matchers, filters and actions. */ rules: outputs.gateway.v1.HTTPRouteSpecRulesPatch[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** 
@@ -29716,37 +21066,41 @@ export namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive a 500 status code. * + * * See the HTTPBackendRef definition for the rules about what makes a single * HTTPBackendRef invalid. * + * * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive a 500 status code. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic must receive a 500. Implementations may * choose how that 50 percent is determined. * - * When a HTTPBackendRef refers to a Service that has no ready endpoints, - * implementations SHOULD return a 503 for requests to that backend instead. - * If an implementation chooses to do this, all of the above rules for 500 responses - * MUST also apply for responses that return a 503. * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefs[]; 
@@ -29754,38 +21108,46 @@ export namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * Wherever possible, implementations SHOULD implement filters in the order * they are specified. * + * * Implementations MAY choose to implement this ordering strictly, rejecting - * any combination or order of filters that cannot be supported. If implementations + * any combination or order of filters that can not be supported. If implementations * choose a strict interpretation of filter ordering, they MUST clearly document * that behavior. * + * * To reject an invalid combination or order of filters, implementations SHOULD * consider the Route Rules with this configuration invalid. If all Route Rules * in a Route are invalid, the entire Route would be considered invalid. If only * a portion of Route Rules are invalid, implementations MUST set the * "PartiallyInvalid" condition for the Route. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * + * * All filters are expected to be compatible with each other except for the * URLRewrite and RequestRedirect filters, which may not be combined. If an - * implementation cannot support other combinations of filters, they must clearly + * implementation can not support other combinations of filters, they must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. 
* + * * Support: Core */ filters: outputs.gateway.v1.HTTPRouteSpecRulesFilters[]; @@ -29794,8 +21156,10 @@ export namespace gateway { * HTTP requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - path: 
@@ -29807,54 +21171,58 @@ export namespace gateway { * value: "/v2/foo" * ``` * + * * For a request to match against this rule, a request must satisfy * EITHER of the two conditions: * + * * - path prefixed with `/foo` AND contains the header `version: v2` * - path prefix of `/v2/foo` * + * * See the documentation for HTTPRouteMatch on how to specify multiple * match conditions that should be ANDed together. * + * * If no matches are specified, the default is a prefix * path match on "/", which has the effect of matching every * HTTP request. * + * * Proxy or Load Balancer routing configuration generated from HTTPRoutes * MUST prioritize matches based on the following criteria, continuing on * ties. Across all rules specified on applicable Routes, precedence must be * given to the match having: * + * * * "Exact" path match. * * "Prefix" path match with largest number of characters. * * Method match. * * Largest number of header matches. * * Largest number of query param matches. * + * * Note: The precedence of RegularExpression path matches are implementation-specific. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within an HTTPRoute, matching precedence MUST be granted * to the FIRST matching rule (in list order) with a match meeting the above * criteria. * + * * When no rules matching a request have been successfully attached to the * parent a request is coming from, a HTTP 404 status code MUST be returned. */ matches: outputs.gateway.v1.HTTPRouteSpecRulesMatches[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
- * - * Support: Extended - */ - name: string; - retry: outputs.gateway.v1.HTTPRouteSpecRulesRetry; sessionPersistence: outputs.gateway.v1.HTTPRouteSpecRulesSessionPersistence; timeouts: outputs.gateway.v1.HTTPRouteSpecRulesTimeouts; } @@ -29862,31 +21230,42 @@ export namespace gateway { /** * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ export interface HTTPRouteSpecRulesBackendRefs { /** * Filters defined at this level should be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in HTTPRouteRule.) */ 
@@ -29900,16 +21279,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -29921,11 +21304,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -29945,11 +21330,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -29964,9 +21351,7 @@ export namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ export interface HTTPRouteSpecRulesBackendRefsFilters { - cors: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersCors; extensionRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRef; - externalAuth: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuth; requestHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier; requestMirror: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirror; requestRedirect: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect; @@ -29975,14 +21360,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple 
@@ -29991,16 +21379,20 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -30009,426 +21401,16 @@ export namespace gateway { urlRewrite: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite; } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersCors { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). - * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials: boolean; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. 
- * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders: string[]; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. 
- * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods: string[]; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. 
- * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). - * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins: string[]; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. 
- * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders: string[]; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge: number; - } - - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersCorsPatch { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). 
- * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials: boolean; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. 
A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders: string[]; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. - * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. 
If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods: string[]; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. - * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). 
- * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins: string[]; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. - * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. 
- * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders: string[]; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge: number; - } - /** * ExtensionRef is an optional, implementation-specific extension to the * "filter" behavior. For example, resource "myroutefilter" in group * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ export interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRef { @@ -30453,8 +21435,10 @@ export namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ export interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch { 
@@ -30473,410 +21457,6 @@ export namespace gateway { name: string; } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuth { - backendRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef; - forwardBody: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody; - grpc: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc; - http: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol: string; - } - - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. 
- */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port: number; - } - - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. 
- * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. 
- */ - port: number; - } - - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize: number; - } - - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. 
- * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize: number; - } - - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders: string[]; - } - - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. 
- */ - allowedHeaders: string[]; - } - - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders: string[]; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders: string[]; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. 
- * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path: string; - } - - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders: string[]; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. 
- */ - allowedResponseHeaders: string[]; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path: string; - } - - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch { - backendRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch; - forwardBody: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch; - grpc: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch; - http: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. 
- * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol: string; - } - /** * HTTPRouteFilter defines processing steps that must be completed during the * request or response lifecycle. HTTPRouteFilters are meant as an extension @@ -30886,9 +21466,7 @@ export namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ export interface HTTPRouteSpecRulesBackendRefsFiltersPatch { - cors: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersCorsPatch; extensionRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch; - externalAuth: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch; requestHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch; requestMirror: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch; requestRedirect: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch; @@ -30897,14 +21475,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple 
@@ -30913,16 +21494,20 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -30935,6 +21520,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier { @@ -30943,15 +21529,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -30963,15 +21552,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar 
@@ -30981,15 +21573,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -31003,7 +21598,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -31024,7 +21620,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -31043,6 +21640,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch { @@ -31051,15 +21649,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz 
@@ -31071,15 +21672,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -31089,15 +21693,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -31111,7 +21718,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -31132,7 +21740,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -31152,49 +21761,47 @@ export namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirror { backendRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef; - fraction: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef { @@ -31207,16 +21814,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -31228,11 +21839,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -31249,26 +21862,32 @@ export namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch { @@ -31281,16 +21900,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; 
@@ -31302,11 +21925,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -31320,59 +21945,28 @@ export namespace gateway { port: number; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction { - denominator: number; - numerator: number; - } - - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch { - denominator: number; - numerator: number; - } - /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch { backendRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch; - fraction: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect { 
@@ -31381,6 +21975,7 @@ export namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname: string; @@ -31389,9 +21984,11 @@ export namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -31399,14 +21996,17 @@ export namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port: number; 
@@ -31414,29 +22014,36 @@ export namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme: string; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode: number; @@ -31446,6 +22053,7 @@ export namespace gateway { * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch { @@ -31454,6 +22062,7 @@ export namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname: string; @@ -31462,9 +22071,11 @@ export namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a 
@@ -31472,14 +22083,17 @@ export namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port: number; @@ -31487,29 +22101,36 @@ export namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme: string; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode: number; @@ -31520,6 +22141,7 @@ export namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath { 
@@ -31534,26 +22156,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -31566,6 +22205,7 @@ export namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch { 
@@ -31580,26 +22220,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -31611,6 +22268,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier { 
@@ -31619,15 +22277,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -31639,15 +22300,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -31657,15 +22321,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -31679,7 +22346,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -31700,7 +22368,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -31719,6 +22388,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch { @@ -31727,15 +22397,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -31747,15 +22420,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -31765,15 +22441,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -31787,7 +22466,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -31808,7 +22488,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -31826,6 +22507,7 @@ export namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite { @@ -31833,6 +22515,7 @@ export namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname: string; @@ -31842,6 +22525,7 @@ export namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch { @@ -31849,6 +22533,7 @@ export namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname: string; 
@@ -31858,6 +22543,7 @@ export namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath { @@ -31872,26 +22558,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -31902,6 +22605,7 @@ export namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch { @@ -31916,26 +22620,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -31946,31 +22667,42 @@ export namespace gateway { /** * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ export interface HTTPRouteSpecRulesBackendRefsPatch { /** * Filters defined at this level should be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in HTTPRouteRule.) */ 
@@ -31984,16 +22716,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -32005,11 +22741,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -32029,11 +22767,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -32048,9 +22788,7 @@ export namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ export interface HTTPRouteSpecRulesFilters { - cors: outputs.gateway.v1.HTTPRouteSpecRulesFiltersCors; extensionRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExtensionRef; - externalAuth: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuth; requestHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifier; requestMirror: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirror; requestRedirect: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirect; @@ -32059,14 +22797,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple 
@@ -32075,16 +22816,20 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -32093,426 +22838,16 @@ export namespace gateway { urlRewrite: outputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewrite; } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesFiltersCors { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). - * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials: boolean; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. 
- * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders: string[]; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. 
- * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods: string[]; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. 
- * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). - * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins: string[]; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. 
- * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders: string[]; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge: number; - } - - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesFiltersCorsPatch { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). 
- * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials: boolean; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. 
A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders: string[]; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. - * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. 
If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods: string[]; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. - * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). 
- * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins: string[]; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. - * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. 
- * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders: string[]; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge: number; - } - /** * ExtensionRef is an optional, implementation-specific extension to the * "filter" behavior. For example, resource "myroutefilter" in group * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ export interface HTTPRouteSpecRulesFiltersExtensionRef { @@ -32537,8 +22872,10 @@ export namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ export interface HTTPRouteSpecRulesFiltersExtensionRefPatch { 
@@ -32557,410 +22894,6 @@ export namespace gateway { name: string; } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesFiltersExternalAuth { - backendRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthBackendRef; - forwardBody: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthForwardBody; - grpc: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthGrpc; - http: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthHttp; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol: string; - } - - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthBackendRef { - /** - * Group is the group of the referent. 
For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port: number; - } - - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. 
- */ - export interface HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port: number; - } - - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. 
- * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthForwardBody { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize: number; - } - - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. 
- * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize: number; - } - - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthGrpc { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders: string[]; - } - - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders: string[]; - } - - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthHttp { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. 
- * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders: string[]; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders: string[]; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path: string; - } - - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. 
- */ - export interface HTTPRouteSpecRulesFiltersExternalAuthHttpPatch { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders: string[]; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders: string[]; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path: string; - } - - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. 
The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthPatch { - backendRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch; - forwardBody: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch; - grpc: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch; - http: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthHttpPatch; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol: string; - } - /** * HTTPRouteFilter defines processing steps that must be completed during the * request or response lifecycle. HTTPRouteFilters are meant as an extension 
@@ -32970,9 +22903,7 @@ export namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ export interface HTTPRouteSpecRulesFiltersPatch { - cors: outputs.gateway.v1.HTTPRouteSpecRulesFiltersCorsPatch; extensionRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExtensionRefPatch; - externalAuth: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthPatch; requestHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch; requestMirror: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorPatch; requestRedirect: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirectPatch; @@ -32981,14 +22912,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple 
@@ -32997,16 +22931,20 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -33019,6 +22957,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface HTTPRouteSpecRulesFiltersRequestHeaderModifier { @@ -33027,15 +22966,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -33047,15 +22989,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -33065,15 +23010,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -33087,7 +23035,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -33108,7 +23057,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -33127,6 +23077,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch { @@ -33135,15 +23086,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -33155,15 +23109,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar 
@@ -33173,15 +23130,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -33195,7 +23155,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -33216,7 +23177,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -33236,49 +23198,47 @@ export namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersRequestMirror { backendRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRef; - fraction: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorFraction; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRef { @@ -33291,16 +23251,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -33312,11 +23276,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -33333,26 +23299,32 @@ export namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch { @@ -33365,16 +23337,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; 
@@ -33386,11 +23362,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -33404,59 +23382,28 @@ export namespace gateway { port: number; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface HTTPRouteSpecRulesFiltersRequestMirrorFraction { - denominator: number; - numerator: number; - } - - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch { - denominator: number; - numerator: number; - } - /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersRequestMirrorPatch { backendRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch; - fraction: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ export interface HTTPRouteSpecRulesFiltersRequestRedirect { 
@@ -33465,6 +23412,7 @@ export namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname: string; @@ -33473,9 +23421,11 @@ export namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -33483,14 +23433,17 @@ export namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port: number; 
@@ -33498,29 +23451,36 @@ export namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme: string; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode: number; @@ -33530,6 +23490,7 @@ export namespace gateway { * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ export interface HTTPRouteSpecRulesFiltersRequestRedirectPatch { @@ -33538,6 +23499,7 @@ export namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname: string; @@ -33546,9 +23508,11 @@ export namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a 
@@ -33556,14 +23520,17 @@ export namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port: number; @@ -33571,29 +23538,36 @@ export namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme: string; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode: number; @@ -33604,6 +23578,7 @@ export namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersRequestRedirectPath { 
@@ -33618,26 +23593,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -33650,6 +23642,7 @@ export namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersRequestRedirectPathPatch { 
@@ -33664,26 +23657,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -33695,6 +23705,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersResponseHeaderModifier { 
@@ -33703,15 +23714,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -33723,15 +23737,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -33741,15 +23758,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -33763,7 +23783,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -33784,7 +23805,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -33803,6 +23825,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch { @@ -33811,15 +23834,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -33831,15 +23857,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -33849,15 +23878,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -33871,7 +23903,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -33892,7 +23925,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -33910,6 +23944,7 @@ export namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersUrlRewrite { @@ -33917,6 +23952,7 @@ export namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname: string; @@ -33926,6 +23962,7 @@ export namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersUrlRewritePatch { @@ -33933,6 +23970,7 @@ export namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname: string; @@ -33942,6 +23980,7 @@ export namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersUrlRewritePath { 
@@ -33956,26 +23995,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -33986,6 +24042,7 @@ export namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersUrlRewritePathPatch { 
@@ -34000,26 +24057,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -34032,18 +24106,22 @@ export namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a HTTP request only if its path * starts with `/foo` AND it contains the `version: v1` header: * + * * ``` * match: * + * * path: * value: "/foo" * headers: * - name: "version" * value "v1" * + * * ``` */ export interface HTTPRouteSpecRulesMatches { @@ -34058,6 +24136,7 @@ export namespace gateway { * When specified, this route will be matched only if the request has the * specified method. * + * * Support: Extended */ method: string; @@ -34067,6 +24146,7 @@ export namespace gateway { * values are ANDed together, meaning, a request must match all the * specified query parameters to select the route. * + * * Support: Extended */ queryParams: outputs.gateway.v1.HTTPRouteSpecRulesMatchesQueryParams[]; @@ -34079,7 +24159,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesMatchesHeaders { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent @@ -34087,6 +24168,7 @@ export namespace gateway { * case-insensitivity of header names, "foo" and "Foo" are considered * equivalent. * + * * When a header is repeated in an HTTP request, it is * implementation-specific behavior as to how this is represented. * Generally, proxies should follow the guidance from the RFC: 
@@ -34097,10 +24179,13 @@ export namespace gateway { /** * Type specifies how to match against the value of the header. * + * * Support: Core (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression HeaderMatchType has implementation-specific * conformance, implementations can support POSIX, PCRE or any other dialects * of regular expressions. Please read the implementation's documentation to @@ -34120,7 +24205,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesMatchesHeadersPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent @@ -34128,6 +24214,7 @@ export namespace gateway { * case-insensitivity of header names, "foo" and "Foo" are considered * equivalent. * + * * When a header is repeated in an HTTP request, it is * implementation-specific behavior as to how this is represented. * Generally, proxies should follow the guidance from the RFC: @@ -34138,10 +24225,13 @@ export namespace gateway { /** * Type specifies how to match against the value of the header. * + * * Support: Core (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression HeaderMatchType has implementation-specific * conformance, implementations can support POSIX, PCRE or any other dialects * of regular expressions. Please read the implementation's documentation to 
@@ -34159,18 +24249,22 @@ export namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a HTTP request only if its path * starts with `/foo` AND it contains the `version: v1` header: * + * * ``` * match: * + * * path: * value: "/foo" * headers: * - name: "version" * value "v1" * + * * ``` */ export interface HTTPRouteSpecRulesMatchesPatch { @@ -34185,6 +24279,7 @@ export namespace gateway { * When specified, this route will be matched only if the request has the * specified method. * + * * Support: Extended */ method: string; @@ -34194,6 +24289,7 @@ export namespace gateway { * values are ANDed together, meaning, a request must match all the * specified query parameters to select the route. * + * * Support: Extended */ queryParams: outputs.gateway.v1.HTTPRouteSpecRulesMatchesQueryParamsPatch[]; @@ -34207,8 +24303,10 @@ export namespace gateway { /** * Type specifies how to match against the path Value. * + * * Support: Core (Exact, PathPrefix) * + * * Support: Implementation-specific (RegularExpression) */ type: string; @@ -34226,8 +24324,10 @@ export namespace gateway { /** * Type specifies how to match against the path Value. * + * * Support: Core (Exact, PathPrefix) * + * * Support: Implementation-specific (RegularExpression) */ type: string; @@ -34247,10 +24347,12 @@ export namespace gateway { * exact string match. (See * https://tools.ietf.org/html/rfc7230#section-2.7.3). * + * * If multiple entries specify equivalent query param names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent query param name MUST be ignored. * + * * If a query param is repeated in an HTTP request, the behavior is * purposely left undefined, since different data planes have different * capabilities. However, it is *recommended* that implementations should 
@@ -34258,6 +24360,7 @@ export namespace gateway { * as this behavior is expected in other load balancing contexts outside of * the Gateway API. * + * * Users SHOULD NOT route traffic based on repeated query params to guard * themselves against potential differences in the implementations. */ @@ -34265,10 +24368,13 @@ export namespace gateway { /** * Type specifies how to match against the value of the query parameter. * + * * Support: Extended (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression QueryParamMatchType has Implementation-specific * conformance, implementations can support POSIX, PCRE or any other * dialects of regular expressions. Please read the implementation's @@ -34291,10 +24397,12 @@ export namespace gateway { * exact string match. (See * https://tools.ietf.org/html/rfc7230#section-2.7.3). * + * * If multiple entries specify equivalent query param names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent query param name MUST be ignored. * + * * If a query param is repeated in an HTTP request, the behavior is * purposely left undefined, since different data planes have different * capabilities. However, it is *recommended* that implementations should @@ -34302,6 +24410,7 @@ export namespace gateway { * as this behavior is expected in other load balancing contexts outside of * the Gateway API. * + * * Users SHOULD NOT route traffic based on repeated query params to guard * themselves against potential differences in the implementations. */ 
@@ -34309,10 +24418,13 @@ export namespace gateway { /** * Type specifies how to match against the value of the query parameter. * + * * Support: Extended (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression QueryParamMatchType has Implementation-specific * conformance, implementations can support POSIX, PCRE or any other * dialects of regular expressions. Please read the implementation's 
@@ -34335,37 +24447,41 @@ export namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive a 500 status code. * + * * See the HTTPBackendRef definition for the rules about what makes a single * HTTPBackendRef invalid. * + * * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive a 500 status code. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic must receive a 500. Implementations may * choose how that 50 percent is determined. * - * When a HTTPBackendRef refers to a Service that has no ready endpoints, - * implementations SHOULD return a 503 for requests to that backend instead. - * If an implementation chooses to do this, all of the above rules for 500 responses - * MUST also apply for responses that return a 503. * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsPatch[]; 
@@ -34373,38 +24489,46 @@ export namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * Wherever possible, implementations SHOULD implement filters in the order * they are specified. * + * * Implementations MAY choose to implement this ordering strictly, rejecting - * any combination or order of filters that cannot be supported. If implementations + * any combination or order of filters that can not be supported. If implementations * choose a strict interpretation of filter ordering, they MUST clearly document * that behavior. * + * * To reject an invalid combination or order of filters, implementations SHOULD * consider the Route Rules with this configuration invalid. If all Route Rules * in a Route are invalid, the entire Route would be considered invalid. If only * a portion of Route Rules are invalid, implementations MUST set the * "PartiallyInvalid" condition for the Route. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * + * * All filters are expected to be compatible with each other except for the * URLRewrite and RequestRedirect filters, which may not be combined. If an - * implementation cannot support other combinations of filters, they must clearly + * implementation can not support other combinations of filters, they must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. 
* + * * Support: Core */ filters: outputs.gateway.v1.HTTPRouteSpecRulesFiltersPatch[]; @@ -34413,8 +24537,10 @@ export namespace gateway { * HTTP requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - path: 
@@ -34426,196 +24552,67 @@ export namespace gateway { * value: "/v2/foo" * ``` * + * * For a request to match against this rule, a request must satisfy * EITHER of the two conditions: * + * * - path prefixed with `/foo` AND contains the header `version: v2` * - path prefix of `/v2/foo` * + * * See the documentation for HTTPRouteMatch on how to specify multiple * match conditions that should be ANDed together. * + * * If no matches are specified, the default is a prefix * path match on "/", which has the effect of matching every * HTTP request. * + * * Proxy or Load Balancer routing configuration generated from HTTPRoutes * MUST prioritize matches based on the following criteria, continuing on * ties. Across all rules specified on applicable Routes, precedence must be * given to the match having: * + * * * "Exact" path match. * * "Prefix" path match with largest number of characters. * * Method match. * * Largest number of header matches. * * Largest number of query param matches. * + * * Note: The precedence of RegularExpression path matches are implementation-specific. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within an HTTPRoute, matching precedence MUST be granted * to the FIRST matching rule (in list order) with a match meeting the above * criteria. * + * * When no rules matching a request have been successfully attached to the * parent a request is coming from, a HTTP 404 status code MUST be returned. */ matches: outputs.gateway.v1.HTTPRouteSpecRulesMatchesPatch[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
- * - * Support: Extended - */ - name: string; - retry: outputs.gateway.v1.HTTPRouteSpecRulesRetryPatch; sessionPersistence: outputs.gateway.v1.HTTPRouteSpecRulesSessionPersistencePatch; timeouts: outputs.gateway.v1.HTTPRouteSpecRulesTimeoutsPatch; } - /** - * Retry defines the configuration for when to retry an HTTP request. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesRetry { - /** - * Attempts specifies the maximum number of times an individual request - * from the gateway to a backend should be retried. - * - * If the maximum number of retries has been attempted without a successful - * response from the backend, the Gateway MUST return an error. - * - * When this field is unspecified, the number of times to attempt to retry - * a backend request is implementation-specific. - * - * Support: Extended - */ - attempts: number; - /** - * Backoff specifies the minimum duration a Gateway should wait between - * retry attempts and is represented in Gateway API Duration formatting. - * - * For example, setting the `rules[].retry.backoff` field to the value - * `100ms` will cause a backend request to first be retried approximately - * 100 milliseconds after timing out or receiving a response code configured - * to be retryable. - * - * An implementation MAY use an exponential or alternative backoff strategy - * for subsequent retry attempts, MAY cap the maximum backoff duration to - * some amount greater than the specified minimum, and MAY add arbitrary - * jitter to stagger requests, as long as unsuccessful backend requests are - * not retried before the configured minimum duration. - * - * If a Request timeout (`rules[].timeouts.request`) is configured on the - * route, the entire duration of the initial request and any retry attempts - * MUST not exceed the Request timeout duration. 
If any retry attempts are - * still in progress when the Request timeout duration has been reached, - * these SHOULD be canceled if possible and the Gateway MUST immediately - * return a timeout error. - * - * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - * configured on the route, any retry attempts which reach the configured - * BackendRequest timeout duration without a response SHOULD be canceled if - * possible and the Gateway should wait for at least the specified backoff - * duration before attempting to retry the backend request again. - * - * If a BackendRequest timeout is _not_ configured on the route, retry - * attempts MAY time out after an implementation default duration, or MAY - * remain pending until a configured Request timeout or implementation - * default duration for total request time is reached. - * - * When this field is unspecified, the time to wait between retry attempts - * is implementation-specific. - * - * Support: Extended - */ - backoff: string; - /** - * Codes defines the HTTP response status codes for which a backend request - * should be retried. - * - * Support: Extended - */ - codes: number[]; - } - - /** - * Retry defines the configuration for when to retry an HTTP request. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesRetryPatch { - /** - * Attempts specifies the maximum number of times an individual request - * from the gateway to a backend should be retried. - * - * If the maximum number of retries has been attempted without a successful - * response from the backend, the Gateway MUST return an error. - * - * When this field is unspecified, the number of times to attempt to retry - * a backend request is implementation-specific. - * - * Support: Extended - */ - attempts: number; - /** - * Backoff specifies the minimum duration a Gateway should wait between - * retry attempts and is represented in Gateway API Duration formatting. 
- * - * For example, setting the `rules[].retry.backoff` field to the value - * `100ms` will cause a backend request to first be retried approximately - * 100 milliseconds after timing out or receiving a response code configured - * to be retryable. - * - * An implementation MAY use an exponential or alternative backoff strategy - * for subsequent retry attempts, MAY cap the maximum backoff duration to - * some amount greater than the specified minimum, and MAY add arbitrary - * jitter to stagger requests, as long as unsuccessful backend requests are - * not retried before the configured minimum duration. - * - * If a Request timeout (`rules[].timeouts.request`) is configured on the - * route, the entire duration of the initial request and any retry attempts - * MUST not exceed the Request timeout duration. If any retry attempts are - * still in progress when the Request timeout duration has been reached, - * these SHOULD be canceled if possible and the Gateway MUST immediately - * return a timeout error. - * - * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - * configured on the route, any retry attempts which reach the configured - * BackendRequest timeout duration without a response SHOULD be canceled if - * possible and the Gateway should wait for at least the specified backoff - * duration before attempting to retry the backend request again. - * - * If a BackendRequest timeout is _not_ configured on the route, retry - * attempts MAY time out after an implementation default duration, or MAY - * remain pending until a configured Request timeout or implementation - * default duration for total request time is reached. - * - * When this field is unspecified, the time to wait between retry attempts - * is implementation-specific. - * - * Support: Extended - */ - backoff: string; - /** - * Codes defines the HTTP response status codes for which a backend request - * should be retried. 
- * - * Support: Extended - */ - codes: number[]; - } - /** * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ export interface HTTPRouteSpecRulesSessionPersistence { @@ -34624,6 +24621,7 @@ export namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout: string; @@ -34633,6 +24631,7 @@ export namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout: string; @@ -34642,6 +24641,7 @@ export namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName: string; @@ -34650,8 +24650,10 @@ export namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type: string; @@ -34661,6 +24663,7 @@ export namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ export interface HTTPRouteSpecRulesSessionPersistenceCookieConfig { @@ -34671,18 +24674,20 @@ export namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType: string; 
@@ -34692,6 +24697,7 @@ export namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ export interface HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch { @@ -34702,18 +24708,20 @@ export namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType: string; @@ -34723,6 +24731,7 @@ export namespace gateway { * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ export interface HTTPRouteSpecRulesSessionPersistencePatch { @@ -34731,6 +24740,7 @@ export namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout: string; @@ -34740,6 +24750,7 @@ export namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout: string; @@ -34749,6 +24760,7 @@ export namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName: string; @@ -34757,8 +24769,10 @@ export namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type: string; 
@@ -34767,6 +24781,7 @@ export namespace gateway { /** * Timeouts defines the timeouts that can be configured for an HTTP request. * + * * Support: Extended */ export interface HTTPRouteSpecRulesTimeouts { @@ -34775,19 +24790,21 @@ export namespace gateway { * to a backend. This covers the time from when the request first starts being * sent from the gateway to when the full response has been received from the backend. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * An entire client HTTP transaction with a gateway, covered by the Request timeout, * may result in more than one call from the gateway to the destination backend, * for example, if automatic retries are supported. * - * The value of BackendRequest must be a Gateway API Duration string as defined by - * GEP-2257. When this field is unspecified, its behavior is implementation-specific; - * when specified, the value of BackendRequest must be no more than the value of the - * Request timeout (since the Request timeout encompasses the BackendRequest timeout). + * + * Because the Request timeout encompasses the BackendRequest timeout, the value of + * BackendRequest must be <= the value of Request timeout. + * * * Support: Extended */ 
@@ -34797,22 +24814,26 @@ export namespace gateway { * If the gateway has not been able to respond before this deadline is met, the gateway * MUST return a timeout error. * + * * For example, setting the `rules.timeouts.request` field to the value `10s` in an * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds * to complete. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * This timeout is intended to cover as close to the whole request-response transaction * as possible although an implementation MAY choose to start the timeout after the entire * request stream has been received instead of immediately after the transaction is * initiated by the client. * - * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - * field is unspecified, request timeout behavior is implementation-specific. + * + * When this field is unspecified, request timeout behavior is implementation-specific. + * * * Support: Extended */ @@ -34822,6 +24843,7 @@ export namespace gateway { /** * Timeouts defines the timeouts that can be configured for an HTTP request. * + * * Support: Extended */ export interface HTTPRouteSpecRulesTimeoutsPatch { 
@@ -34830,19 +24852,21 @@ export namespace gateway { * to a backend. This covers the time from when the request first starts being * sent from the gateway to when the full response has been received from the backend. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * An entire client HTTP transaction with a gateway, covered by the Request timeout, * may result in more than one call from the gateway to the destination backend, * for example, if automatic retries are supported. * - * The value of BackendRequest must be a Gateway API Duration string as defined by - * GEP-2257. When this field is unspecified, its behavior is implementation-specific; - * when specified, the value of BackendRequest must be no more than the value of the - * Request timeout (since the Request timeout encompasses the BackendRequest timeout). + * + * Because the Request timeout encompasses the BackendRequest timeout, the value of + * BackendRequest must be <= the value of Request timeout. + * * * Support: Extended */ 
@@ -34852,22 +24876,26 @@ export namespace gateway { * If the gateway has not been able to respond before this deadline is met, the gateway * MUST return a timeout error. * + * * For example, setting the `rules.timeouts.request` field to the value `10s` in an * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds * to complete. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * This timeout is intended to cover as close to the whole request-response transaction * as possible although an implementation MAY choose to start the timeout after the entire * request stream has been received instead of immediately after the transaction is * initiated by the client. * - * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - * field is unspecified, request timeout behavior is implementation-specific. + * + * When this field is unspecified, request timeout behavior is implementation-specific. + * * * Support: Extended */ @@ -34886,11 +24914,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -34907,19 +24937,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -34929,12 +24963,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -34945,6 +24982,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface HTTPRouteStatusParentsConditions { /** @@ -34977,12 +25030,32 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface HTTPRouteStatusParentsConditionsPatch { /** 
@@ -35015,6 +25088,10 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -35030,23 +25107,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -35054,6 +25136,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -35061,10 +25144,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -35072,6 +25157,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -35079,6 +25165,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -35088,15 +25175,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -35105,6 +25195,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -35112,6 +25203,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -35119,10 +25211,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -35132,6 +25226,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -35148,23 +25243,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -35172,6 +25272,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -35179,10 +25280,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -35190,6 +25293,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -35197,6 +25301,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -35206,15 +25311,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -35223,6 +25331,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; 
@@ -35230,6 +25339,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -35237,10 +25347,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -35250,6 +25362,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; 
@@ -35265,19 +25378,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -35287,12 +25404,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -35313,11 +25433,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -35326,2271 +25448,4846 @@ export namespace gateway { } - export namespace v1alpha1 { - /** - * XBackendTrafficPolicy defines the configuration for how traffic to a - * target backend should be handled. - */ - export interface XBackendTrafficPolicy { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion: "gateway.networking.x-k8s.io/v1alpha1"; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind: "XBackendTrafficPolicy"; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata: outputs.meta.v1.ObjectMeta; - spec: outputs.gateway.v1alpha1.XBackendTrafficPolicySpec; - status: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatus; - } - - /** - * Spec defines the desired state of BackendTrafficPolicy. - */ - export interface XBackendTrafficPolicySpec { - retryConstraint: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraint; - sessionPersistence: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistence; - /** - * TargetRefs identifies API object(s) to apply this policy to. - * Currently, Backends (A grouping of like endpoints such as Service, - * ServiceImport, or any implementation-specific backendRef) are the only - * valid API target references. - * - * Currently, a TargetRef can not be scoped to a specific port on a - * Service. 
- */ - targetRefs: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecTargetRefs[]; - } - - /** - * Spec defines the desired state of BackendTrafficPolicy. - */ - export interface XBackendTrafficPolicySpecPatch { - retryConstraint: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintPatch; - sessionPersistence: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistencePatch; - /** - * TargetRefs identifies API object(s) to apply this policy to. - * Currently, Backends (A grouping of like endpoints such as Service, - * ServiceImport, or any implementation-specific backendRef) are the only - * valid API target references. - * - * Currently, a TargetRef can not be scoped to a specific port on a - * Service. - */ - targetRefs: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecTargetRefsPatch[]; - } - - /** - * RetryConstraint defines the configuration for when to allow or prevent - * further retries to a target backend, by dynamically calculating a 'retry - * budget'. This budget is calculated based on the percentage of incoming - * traffic composed of retries over a given time interval. Once the budget - * is exceeded, additional retries will be rejected. - * - * For example, if the retry budget interval is 10 seconds, there have been - * 1000 active requests in the past 10 seconds, and the allowed percentage - * of requests that can be retried is 20% (the default), then 200 of those - * requests may be composed of retries. Active requests will only be - * considered for the duration of the interval when calculating the retry - * budget. Retrying the same original request multiple times within the - * retry budget interval will lead to each retry being counted towards - * calculating the budget. - * - * Configuring a RetryConstraint in BackendTrafficPolicy is compatible with - * HTTPRoute Retry settings for each HTTPRouteRule that targets the same - * backend. 
While the HTTPRouteRule Retry stanza can specify whether a - * request will be retried, and the number of retry attempts each client - * may perform, RetryConstraint helps prevent cascading failures such as - * retry storms during periods of consistent failures. - * - * After the retry budget has been exceeded, additional retries to the - * backend MUST return a 503 response to the client. - * - * Additional configurations for defining a constraint on retries MAY be - * defined in the future. - * - * Support: Extended - */ - export interface XBackendTrafficPolicySpecRetryConstraint { - budget: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintBudget; - minRetryRate: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintMinRetryRate; - } - - /** - * Budget holds the details of the retry budget configuration. - */ - export interface XBackendTrafficPolicySpecRetryConstraintBudget { - /** - * Interval defines the duration in which requests will be considered - * for calculating the budget for retries. - * - * Support: Extended - */ - interval: string; - /** - * Percent defines the maximum percentage of active requests that may - * be made up of retries. - * - * Support: Extended - */ - percent: number; - } - - /** - * Budget holds the details of the retry budget configuration. - */ - export interface XBackendTrafficPolicySpecRetryConstraintBudgetPatch { - /** - * Interval defines the duration in which requests will be considered - * for calculating the budget for retries. - * - * Support: Extended - */ - interval: string; - /** - * Percent defines the maximum percentage of active requests that may - * be made up of retries. - * - * Support: Extended - */ - percent: number; - } - - /** - * MinRetryRate defines the minimum rate of retries that will be allowable - * over a specified duration of time. 
- * - * The effective overall minimum rate of retries targeting the backend - * service may be much higher, as there can be any number of clients which - * are applying this setting locally. - * - * This ensures that requests can still be retried during periods of low - * traffic, where the budget for retries may be calculated as a very low - * value. - * - * Support: Extended - */ - export interface XBackendTrafficPolicySpecRetryConstraintMinRetryRate { - /** - * Count specifies the number of requests per time interval. - * - * Support: Extended - */ - count: number; - /** - * Interval specifies the divisor of the rate of requests, the amount of - * time during which the given count of requests occur. - * - * Support: Extended - */ - interval: string; - } - - /** - * MinRetryRate defines the minimum rate of retries that will be allowable - * over a specified duration of time. - * - * The effective overall minimum rate of retries targeting the backend - * service may be much higher, as there can be any number of clients which - * are applying this setting locally. - * - * This ensures that requests can still be retried during periods of low - * traffic, where the budget for retries may be calculated as a very low - * value. - * - * Support: Extended - */ - export interface XBackendTrafficPolicySpecRetryConstraintMinRetryRatePatch { - /** - * Count specifies the number of requests per time interval. - * - * Support: Extended - */ - count: number; - /** - * Interval specifies the divisor of the rate of requests, the amount of - * time during which the given count of requests occur. - * - * Support: Extended - */ - interval: string; - } - - /** - * RetryConstraint defines the configuration for when to allow or prevent - * further retries to a target backend, by dynamically calculating a 'retry - * budget'. This budget is calculated based on the percentage of incoming - * traffic composed of retries over a given time interval. 
Once the budget - * is exceeded, additional retries will be rejected. - * - * For example, if the retry budget interval is 10 seconds, there have been - * 1000 active requests in the past 10 seconds, and the allowed percentage - * of requests that can be retried is 20% (the default), then 200 of those - * requests may be composed of retries. Active requests will only be - * considered for the duration of the interval when calculating the retry - * budget. Retrying the same original request multiple times within the - * retry budget interval will lead to each retry being counted towards - * calculating the budget. - * - * Configuring a RetryConstraint in BackendTrafficPolicy is compatible with - * HTTPRoute Retry settings for each HTTPRouteRule that targets the same - * backend. While the HTTPRouteRule Retry stanza can specify whether a - * request will be retried, and the number of retry attempts each client - * may perform, RetryConstraint helps prevent cascading failures such as - * retry storms during periods of consistent failures. - * - * After the retry budget has been exceeded, additional retries to the - * backend MUST return a 503 response to the client. - * - * Additional configurations for defining a constraint on retries MAY be - * defined in the future. - * - * Support: Extended - */ - export interface XBackendTrafficPolicySpecRetryConstraintPatch { - budget: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintBudgetPatch; - minRetryRate: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintMinRetryRatePatch; - } - - /** - * SessionPersistence defines and configures session persistence - * for the backend. - * - * Support: Extended - */ - export interface XBackendTrafficPolicySpecSessionPersistence { - /** - * AbsoluteTimeout defines the absolute timeout of the persistent - * session. Once the AbsoluteTimeout duration has elapsed, the - * session becomes invalid. 
- * - * Support: Extended - */ - absoluteTimeout: string; - cookieConfig: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistenceCookieConfig; - /** - * IdleTimeout defines the idle timeout of the persistent session. - * Once the session has been idle for more than the specified - * IdleTimeout duration, the session becomes invalid. - * - * Support: Extended - */ - idleTimeout: string; - /** - * SessionName defines the name of the persistent session token - * which may be reflected in the cookie or the header. Users - * should avoid reusing session names to prevent unintended - * consequences, such as rejection or unpredictable behavior. - * - * Support: Implementation-specific - */ - sessionName: string; - /** - * Type defines the type of session persistence such as through - * the use a header or cookie. Defaults to cookie based session - * persistence. - * - * Support: Core for "Cookie" type - * - * Support: Extended for "Header" type - */ - type: string; - } - - /** - * CookieConfig provides configuration settings that are specific - * to cookie-based session persistence. - * - * Support: Core - */ - export interface XBackendTrafficPolicySpecSessionPersistenceCookieConfig { - /** - * LifetimeType specifies whether the cookie has a permanent or - * session-based lifetime. A permanent cookie persists until its - * specified expiry time, defined by the Expires or Max-Age cookie - * attributes, while a session cookie is deleted when the current - * session ends. - * - * When set to "Permanent", AbsoluteTimeout indicates the - * cookie's lifetime via the Expires or Max-Age cookie attributes - * and is required. - * - * When set to "Session", AbsoluteTimeout indicates the - * absolute lifetime of the cookie tracked by the gateway and - * is optional. - * - * Defaults to "Session". 
- * - * Support: Core for "Session" type - * - * Support: Extended for "Permanent" type - */ - lifetimeType: string; - } - - /** - * CookieConfig provides configuration settings that are specific - * to cookie-based session persistence. - * - * Support: Core - */ - export interface XBackendTrafficPolicySpecSessionPersistenceCookieConfigPatch { - /** - * LifetimeType specifies whether the cookie has a permanent or - * session-based lifetime. A permanent cookie persists until its - * specified expiry time, defined by the Expires or Max-Age cookie - * attributes, while a session cookie is deleted when the current - * session ends. - * - * When set to "Permanent", AbsoluteTimeout indicates the - * cookie's lifetime via the Expires or Max-Age cookie attributes - * and is required. - * - * When set to "Session", AbsoluteTimeout indicates the - * absolute lifetime of the cookie tracked by the gateway and - * is optional. - * - * Defaults to "Session". - * - * Support: Core for "Session" type - * - * Support: Extended for "Permanent" type - */ - lifetimeType: string; - } - - /** - * SessionPersistence defines and configures session persistence - * for the backend. - * - * Support: Extended - */ - export interface XBackendTrafficPolicySpecSessionPersistencePatch { - /** - * AbsoluteTimeout defines the absolute timeout of the persistent - * session. Once the AbsoluteTimeout duration has elapsed, the - * session becomes invalid. - * - * Support: Extended - */ - absoluteTimeout: string; - cookieConfig: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistenceCookieConfigPatch; - /** - * IdleTimeout defines the idle timeout of the persistent session. - * Once the session has been idle for more than the specified - * IdleTimeout duration, the session becomes invalid. - * - * Support: Extended - */ - idleTimeout: string; - /** - * SessionName defines the name of the persistent session token - * which may be reflected in the cookie or the header. 
Users - * should avoid reusing session names to prevent unintended - * consequences, such as rejection or unpredictable behavior. - * - * Support: Implementation-specific - */ - sessionName: string; - /** - * Type defines the type of session persistence such as through - * the use a header or cookie. Defaults to cookie based session - * persistence. - * - * Support: Core for "Cookie" type - * - * Support: Extended for "Header" type - */ - type: string; - } - - /** - * LocalPolicyTargetReference identifies an API object to apply a direct or - * inherited policy to. This should be used as part of Policy resources - * that can target Gateway API resources. For more information on how this - * policy attachment model works, and a sample Policy resource, refer to - * the policy attachment documentation for Gateway API. - */ - export interface XBackendTrafficPolicySpecTargetRefs { - /** - * Group is the group of the target resource. - */ - group: string; - /** - * Kind is kind of the target resource. - */ - kind: string; - /** - * Name is the name of the target resource. - */ - name: string; - } - - /** - * LocalPolicyTargetReference identifies an API object to apply a direct or - * inherited policy to. This should be used as part of Policy resources - * that can target Gateway API resources. For more information on how this - * policy attachment model works, and a sample Policy resource, refer to - * the policy attachment documentation for Gateway API. - */ - export interface XBackendTrafficPolicySpecTargetRefsPatch { - /** - * Group is the group of the target resource. - */ - group: string; - /** - * Kind is kind of the target resource. - */ - kind: string; - /** - * Name is the name of the target resource. - */ - name: string; - } - - /** - * Status defines the current state of BackendTrafficPolicy. 
- */ - export interface XBackendTrafficPolicyStatus { - /** - * Ancestors is a list of ancestor resources (usually Gateways) that are - * associated with the policy, and the status of the policy with respect to - * each ancestor. When this policy attaches to a parent, the controller that - * manages the parent and the ancestors MUST add an entry to this list when - * the controller first sees the policy and SHOULD update the entry as - * appropriate when the relevant ancestor is modified. - * - * Note that choosing the relevant ancestor is left to the Policy designers; - * an important part of Policy design is designing the right object level at - * which to namespace this status. - * - * Note also that implementations MUST ONLY populate ancestor status for - * the Ancestor resources they are responsible for. Implementations MUST - * use the ControllerName field to uniquely identify the entries in this list - * that they are responsible for. - * - * Note that to achieve this, the list of PolicyAncestorStatus structs - * MUST be treated as a map with a composite key, made up of the AncestorRef - * and ControllerName fields combined. - * - * A maximum of 16 ancestors will be represented in this list. An empty list - * means the Policy is not relevant for any ancestors. - * - * If this slice is full, implementations MUST NOT add further entries. - * Instead they MUST consider the policy unimplementable and signal that - * on any related resources such as the ancestor that would be referenced - * here. For example, if this list was full on BackendTLSPolicy, no - * additional Gateways would be able to reference the Service targeted by - * the BackendTLSPolicy. - */ - ancestors: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestors[]; - } - - /** - * PolicyAncestorStatus describes the status of a route with respect to an - * associated Ancestor. - * - * Ancestors refer to objects that are either the Target of a policy or above it - * in terms of object hierarchy. 
For example, if a policy targets a Service, the - * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most - * useful object to place Policy status on, so we recommend that implementations - * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - * have a _very_ good reason otherwise. - * - * In the context of policy attachment, the Ancestor is used to distinguish which - * resource results in a distinct application of this policy. For example, if a policy - * targets a Service, it may have a distinct result per attached Gateway. - * - * Policies targeting the same resource may have different effects depending on the - * ancestors of those resources. For example, different Gateways targeting the same - * Service may have different capabilities, especially if they have different underlying - * implementations. - * - * For example, in BackendTLSPolicy, the Policy attaches to a Service that is - * used as a backend in a HTTPRoute that is itself attached to a Gateway. - * In this case, the relevant object for status is the Gateway, and that is the - * ancestor object referred to in this status. - * - * Note that a parent is also an ancestor, so for objects where the parent is the - * relevant object for status, this struct SHOULD still be used. - * - * This struct is intended to be used in a slice that's effectively a map, - * with a composite key made up of the AncestorRef and the ControllerName. - */ - export interface XBackendTrafficPolicyStatusAncestors { - ancestorRef: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsAncestorRef; - /** - * Conditions describes the status of the Policy with respect to the given Ancestor. 
- */ - conditions: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsConditions[]; - /** - * ControllerName is a domain/path string that indicates the name of the - * controller that wrote this status. This corresponds with the - * controllerName field on GatewayClass. - * - * Example: "example.net/gateway-controller". - * - * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - * valid Kubernetes names - * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - * - * Controllers MUST populate this field when writing status. Controllers should ensure that - * entries to status populated with their ControllerName are cleaned up when they are no - * longer necessary. - */ - controllerName: string; - } - - /** - * AncestorRef corresponds with a ParentRef in the spec that this - * PolicyAncestorStatus struct describes the status of. - */ - export interface XBackendTrafficPolicyStatusAncestorsAncestorRef { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group: string; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind: string; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name: string; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. 
For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace: string; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. 
For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. - * - * Support: Extended - */ - port: number; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName: string; - } - - /** - * AncestorRef corresponds with a ParentRef in the spec that this - * PolicyAncestorStatus struct describes the status of. - */ - export interface XBackendTrafficPolicyStatusAncestorsAncestorRefPatch { - /** - * Group is the group of the referent. 
- * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group: string; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind: string; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name: string; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace: string; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. 
- * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. - * - * Support: Extended - */ - port: number; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. 
- * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName: string; - } - - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - export interface XBackendTrafficPolicyStatusAncestorsConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - export interface XBackendTrafficPolicyStatusAncestorsConditionsPatch { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. 
- */ - type: string; - } - - /** - * PolicyAncestorStatus describes the status of a route with respect to an - * associated Ancestor. - * - * Ancestors refer to objects that are either the Target of a policy or above it - * in terms of object hierarchy. For example, if a policy targets a Service, the - * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and - * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most - * useful object to place Policy status on, so we recommend that implementations - * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers - * have a _very_ good reason otherwise. - * - * In the context of policy attachment, the Ancestor is used to distinguish which - * resource results in a distinct application of this policy. For example, if a policy - * targets a Service, it may have a distinct result per attached Gateway. - * - * Policies targeting the same resource may have different effects depending on the - * ancestors of those resources. For example, different Gateways targeting the same - * Service may have different capabilities, especially if they have different underlying - * implementations. - * - * For example, in BackendTLSPolicy, the Policy attaches to a Service that is - * used as a backend in a HTTPRoute that is itself attached to a Gateway. - * In this case, the relevant object for status is the Gateway, and that is the - * ancestor object referred to in this status. - * - * Note that a parent is also an ancestor, so for objects where the parent is the - * relevant object for status, this struct SHOULD still be used. - * - * This struct is intended to be used in a slice that's effectively a map, - * with a composite key made up of the AncestorRef and the ControllerName. 
- */ - export interface XBackendTrafficPolicyStatusAncestorsPatch { - ancestorRef: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsAncestorRefPatch; - /** - * Conditions describes the status of the Policy with respect to the given Ancestor. - */ - conditions: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsConditionsPatch[]; - /** - * ControllerName is a domain/path string that indicates the name of the - * controller that wrote this status. This corresponds with the - * controllerName field on GatewayClass. - * - * Example: "example.net/gateway-controller". - * - * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - * valid Kubernetes names - * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - * - * Controllers MUST populate this field when writing status. Controllers should ensure that - * entries to status populated with their ControllerName are cleaned up when they are no - * longer necessary. - */ - controllerName: string; - } - - /** - * Status defines the current state of BackendTrafficPolicy. - */ - export interface XBackendTrafficPolicyStatusPatch { - /** - * Ancestors is a list of ancestor resources (usually Gateways) that are - * associated with the policy, and the status of the policy with respect to - * each ancestor. When this policy attaches to a parent, the controller that - * manages the parent and the ancestors MUST add an entry to this list when - * the controller first sees the policy and SHOULD update the entry as - * appropriate when the relevant ancestor is modified. - * - * Note that choosing the relevant ancestor is left to the Policy designers; - * an important part of Policy design is designing the right object level at - * which to namespace this status. - * - * Note also that implementations MUST ONLY populate ancestor status for - * the Ancestor resources they are responsible for. 
Implementations MUST - * use the ControllerName field to uniquely identify the entries in this list - * that they are responsible for. - * - * Note that to achieve this, the list of PolicyAncestorStatus structs - * MUST be treated as a map with a composite key, made up of the AncestorRef - * and ControllerName fields combined. - * - * A maximum of 16 ancestors will be represented in this list. An empty list - * means the Policy is not relevant for any ancestors. - * - * If this slice is full, implementations MUST NOT add further entries. - * Instead they MUST consider the policy unimplementable and signal that - * on any related resources such as the ancestor that would be referenced - * here. For example, if this list was full on BackendTLSPolicy, no - * additional Gateways would be able to reference the Service targeted by - * the BackendTLSPolicy. - */ - ancestors: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsPatch[]; - } - - /** - * XListenerSet defines a set of additional listeners to attach to an existing Gateway. - * This resource provides a mechanism to merge multiple listeners into a single Gateway. - * - * The parent Gateway must explicitly allow ListenerSet attachment through its - * AllowedListeners configuration. By default, Gateways do not allow ListenerSet - * attachment. - * - * Routes can attach to a ListenerSet by specifying it as a parentRef, and can - * optionally target specific listeners using the sectionName field. 
- * - * Policy Attachment: - * - Policies that attach to a ListenerSet apply to all listeners defined in that resource - * - Policies do not impact listeners in the parent Gateway - * - Different ListenerSets attached to the same Gateway can have different policies - * - If an implementation cannot apply a policy to specific listeners, it should reject the policy - * - * ReferenceGrant Semantics: - * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets - * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners - * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant - * - * Gateway Integration: - * - The parent Gateway's status will include an "AttachedListenerSets" condition - * - This condition will be: - * - True: when AllowedListeners is set and at least one child ListenerSet is attached - * - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false - * - Unknown: when no AllowedListeners config is present - */ - export interface XListenerSet { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion: "gateway.networking.x-k8s.io/v1alpha1"; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind: "XListenerSet"; - /** - * Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata: outputs.meta.v1.ObjectMeta; - spec: outputs.gateway.v1alpha1.XListenerSetSpec; - status: outputs.gateway.v1alpha1.XListenerSetStatus; - } - - /** - * Spec defines the desired state of ListenerSet. - */ - export interface XListenerSetSpec { - /** - * Listeners associated with this ListenerSet. Listeners define - * logical endpoints that are bound on this referenced parent Gateway's addresses. - * - * Listeners in a `Gateway` and their attached `ListenerSets` are concatenated - * as a list when programming the underlying infrastructure. Each listener - * name does not need to be unique across the Gateway and ListenerSets. - * See ListenerEntry.Name for more details. - * - * Implementations MUST treat the parent Gateway as having the merged - * list of all listeners from itself and attached ListenerSets using - * the following precedence: - * - * 1. "parent" Gateway - * 2. ListenerSet ordered by creation time (oldest first) - * 3. ListenerSet ordered alphabetically by "{namespace}/{name}". - * - * An implementation MAY reject listeners by setting the ListenerEntryStatus - * `Accepted` condition to False with the Reason `TooManyListeners` - * - * If a listener has a conflict, this will be reported in the - * Status.ListenerEntryStatus setting the `Conflicted` condition to True. - * - * Implementations SHOULD be cautious about what information from the - * parent or siblings are reported to avoid accidentally leaking - * sensitive information that the child would not otherwise have access - * to. This can include contents of secrets etc. 
- */ - listeners: outputs.gateway.v1alpha1.XListenerSetSpecListeners[]; - parentRef: outputs.gateway.v1alpha1.XListenerSetSpecParentRef; - } - - export interface XListenerSetSpecListeners { - allowedRoutes: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutes; - /** - * Hostname specifies the virtual hostname to match for protocol types that - * define this concept. When unspecified, all hostnames are matched. This - * field is ignored for protocols that don't require hostname based - * matching. - * - * Implementations MUST apply Hostname matching appropriately for each of - * the following protocols: - * - * * TLS: The Listener Hostname MUST match the SNI. - * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP - * protocol layers as described above. If an implementation does not - * ensure that both the SNI and Host header match the Listener hostname, - * it MUST clearly document that. - * - * For HTTPRoute and TLSRoute resources, there is an interaction with the - * `spec.hostnames` array. When both listener and route specify hostnames, - * there MUST be an intersection between the values for a Route to be - * accepted. For more information, refer to the Route specific Hostnames - * documentation. - * - * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - * as a suffix match. That means that a match for `*.example.com` would match - * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - */ - hostname: string; - /** - * Name is the name of the Listener. This name MUST be unique within a - * ListenerSet. - * - * Name is not required to be unique across a Gateway and ListenerSets. - * Routes can attach to a Listener by having a ListenerSet as a parentRef - * and setting the SectionName - */ - name: string; - /** - * Port is the network port. 
Multiple listeners may use the - * same port, subject to the Listener compatibility rules. - * - * If the port is not set or specified as zero, the implementation will assign - * a unique port. If the implementation does not support dynamic port - * assignment, it MUST set `Accepted` condition to `False` with the - * `UnsupportedPort` reason. - */ - port: number; - /** - * Protocol specifies the network protocol this listener expects to receive. - */ - protocol: string; - tls: outputs.gateway.v1alpha1.XListenerSetSpecListenersTls; - } - - /** - * AllowedRoutes defines the types of routes that MAY be attached to a - * Listener and the trusted namespaces where those Route resources MAY be - * present. - * - * Although a client request may match multiple route rules, only one rule - * may ultimately receive the request. Matching precedence MUST be - * determined in order of the following criteria: - * - * * The most specific match as defined by the Route type. - * * The oldest Route based on creation timestamp. For example, a Route with - * a creation timestamp of "2020-09-08 01:02:03" is given precedence over - * a Route with a creation timestamp of "2020-09-08 01:02:04". - * * If everything else is equivalent, the Route appearing first in - * alphabetical order (namespace/name) should be given precedence. For - * example, foo/bar is given precedence over foo/baz. - * - * All valid rules within a Route attached to this Listener should be - * implemented. Invalid Route rules can be ignored (sometimes that will mean - * the full Route). If a Route rule transitions from valid to invalid, - * support for that Route rule should be dropped to ensure consistency. For - * example, even if a filter specified by a Route rule is invalid, the rest - * of the rules within that Route should still be supported. 
- */ - export interface XListenerSetSpecListenersAllowedRoutes { - /** - * Kinds specifies the groups and kinds of Routes that are allowed to bind - * to this Gateway Listener. When unspecified or empty, the kinds of Routes - * selected are determined using the Listener protocol. - * - * A RouteGroupKind MUST correspond to kinds of Routes that are compatible - * with the application protocol specified in the Listener's Protocol field. - * If an implementation does not support or recognize this resource type, it - * MUST set the "ResolvedRefs" condition to False for this Listener with the - * "InvalidRouteKinds" reason. - * - * Support: Core - */ - kinds: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesKinds[]; - namespaces: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespaces; - } - - /** - * RouteGroupKind indicates the group and kind of a Route resource. - */ - export interface XListenerSetSpecListenersAllowedRoutesKinds { - /** - * Group is the group of the Route. - */ - group: string; - /** - * Kind is the kind of the Route. - */ - kind: string; - } - - /** - * RouteGroupKind indicates the group and kind of a Route resource. - */ - export interface XListenerSetSpecListenersAllowedRoutesKindsPatch { - /** - * Group is the group of the Route. - */ - group: string; - /** - * Kind is the kind of the Route. - */ - kind: string; - } - - /** - * Namespaces indicates namespaces from which Routes may be attached to this - * Listener. This is restricted to the namespace of this Gateway by default. - * - * Support: Core - */ - export interface XListenerSetSpecListenersAllowedRoutesNamespaces { - /** - * From indicates where Routes will be selected for this Gateway. Possible - * values are: - * - * * All: Routes in all namespaces may be used by this Gateway. - * * Selector: Routes in namespaces selected by the selector may be used by - * this Gateway. - * * Same: Only Routes in the same namespace may be used by this Gateway. 
- * - * Support: Core - */ - from: string; - selector: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelector; - } - - /** - * Namespaces indicates namespaces from which Routes may be attached to this - * Listener. This is restricted to the namespace of this Gateway by default. - * - * Support: Core - */ - export interface XListenerSetSpecListenersAllowedRoutesNamespacesPatch { - /** - * From indicates where Routes will be selected for this Gateway. Possible - * values are: - * - * * All: Routes in all namespaces may be used by this Gateway. - * * Selector: Routes in namespaces selected by the selector may be used by - * this Gateway. - * * Same: Only Routes in the same namespace may be used by this Gateway. - * - * Support: Core - */ - from: string; - selector: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorPatch; - } - - /** - * Selector must be specified when From is set to "Selector". In that case, - * only Routes in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - * - * Support: Core - */ - export interface XListenerSetSpecListenersAllowedRoutesNamespacesSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. 
- */ - export interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * Selector must be specified when From is set to "Selector". In that case, - * only Routes in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - * - * Support: Core - */ - export interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- */ - matchExpressions: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * AllowedRoutes defines the types of routes that MAY be attached to a - * Listener and the trusted namespaces where those Route resources MAY be - * present. - * - * Although a client request may match multiple route rules, only one rule - * may ultimately receive the request. Matching precedence MUST be - * determined in order of the following criteria: - * - * * The most specific match as defined by the Route type. - * * The oldest Route based on creation timestamp. For example, a Route with - * a creation timestamp of "2020-09-08 01:02:03" is given precedence over - * a Route with a creation timestamp of "2020-09-08 01:02:04". - * * If everything else is equivalent, the Route appearing first in - * alphabetical order (namespace/name) should be given precedence. For - * example, foo/bar is given precedence over foo/baz. - * - * All valid rules within a Route attached to this Listener should be - * implemented. Invalid Route rules can be ignored (sometimes that will mean - * the full Route). If a Route rule transitions from valid to invalid, - * support for that Route rule should be dropped to ensure consistency. For - * example, even if a filter specified by a Route rule is invalid, the rest - * of the rules within that Route should still be supported. - */ - export interface XListenerSetSpecListenersAllowedRoutesPatch { - /** - * Kinds specifies the groups and kinds of Routes that are allowed to bind - * to this Gateway Listener. 
When unspecified or empty, the kinds of Routes - * selected are determined using the Listener protocol. - * - * A RouteGroupKind MUST correspond to kinds of Routes that are compatible - * with the application protocol specified in the Listener's Protocol field. - * If an implementation does not support or recognize this resource type, it - * MUST set the "ResolvedRefs" condition to False for this Listener with the - * "InvalidRouteKinds" reason. - * - * Support: Core - */ - kinds: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesKindsPatch[]; - namespaces: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesPatch; - } - - export interface XListenerSetSpecListenersPatch { - allowedRoutes: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesPatch; - /** - * Hostname specifies the virtual hostname to match for protocol types that - * define this concept. When unspecified, all hostnames are matched. This - * field is ignored for protocols that don't require hostname based - * matching. - * - * Implementations MUST apply Hostname matching appropriately for each of - * the following protocols: - * - * * TLS: The Listener Hostname MUST match the SNI. - * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP - * protocol layers as described above. If an implementation does not - * ensure that both the SNI and Host header match the Listener hostname, - * it MUST clearly document that. - * - * For HTTPRoute and TLSRoute resources, there is an interaction with the - * `spec.hostnames` array. When both listener and route specify hostnames, - * there MUST be an intersection between the values for a Route to be - * accepted. For more information, refer to the Route specific Hostnames - * documentation. - * - * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - * as a suffix match. 
That means that a match for `*.example.com` would match - * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - */ - hostname: string; - /** - * Name is the name of the Listener. This name MUST be unique within a - * ListenerSet. - * - * Name is not required to be unique across a Gateway and ListenerSets. - * Routes can attach to a Listener by having a ListenerSet as a parentRef - * and setting the SectionName - */ - name: string; - /** - * Port is the network port. Multiple listeners may use the - * same port, subject to the Listener compatibility rules. - * - * If the port is not set or specified as zero, the implementation will assign - * a unique port. If the implementation does not support dynamic port - * assignment, it MUST set `Accepted` condition to `False` with the - * `UnsupportedPort` reason. - */ - port: number; - /** - * Protocol specifies the network protocol this listener expects to receive. - */ - protocol: string; - tls: outputs.gateway.v1alpha1.XListenerSetSpecListenersTlsPatch; - } - - /** - * TLS is the TLS configuration for the Listener. This field is required if - * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field - * if the Protocol field is "HTTP", "TCP", or "UDP". - * - * The association of SNIs to Certificate defined in ListenerTLSConfig is - * defined based on the Hostname field for this listener. - * - * The GatewayClass MUST use the longest matching SNI out of all - * available certificates for any TLS handshake. - */ - export interface XListenerSetSpecListenersTls { - /** - * CertificateRefs contains a series of references to Kubernetes objects that - * contains TLS certificates and private keys. These certificates are used to - * establish a TLS handshake for requests that match the hostname of the - * associated listener. - * - * A single CertificateRef to a Kubernetes Secret has "Core" support. 
- * Implementations MAY choose to support attaching multiple certificates to - * a Listener, but this behavior is implementation-specific. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * This field is required to have at least one element when the mode is set - * to "Terminate" (default) and is optional otherwise. - * - * CertificateRefs can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - * - * Support: Implementation-specific (More than one reference or other resource types) - */ - certificateRefs: outputs.gateway.v1alpha1.XListenerSetSpecListenersTlsCertificateRefs[]; - /** - * Mode defines the TLS behavior for the TLS session initiated by the client. - * There are two possible modes: - * - * - Terminate: The TLS session between the downstream client and the - * Gateway is terminated at the Gateway. This mode requires certificates - * to be specified in some way, such as populating the certificateRefs - * field. - * - Passthrough: The TLS session is NOT terminated by the Gateway. This - * implies that the Gateway can't decipher the TLS stream except for - * the ClientHello message of the TLS protocol. The certificateRefs field - * is ignored in this mode. - * - * Support: Core - */ - mode: string; - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. 
To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options: {[key: string]: string}; - } - - /** - * SecretObjectReference identifies an API object including its namespace, - * defaulting to Secret. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface XListenerSetSpecListenersTlsCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - - /** - * SecretObjectReference identifies an API object including its namespace, - * defaulting to Secret. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. 
- */ - export interface XListenerSetSpecListenersTlsCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - - /** - * TLS is the TLS configuration for the Listener. This field is required if - * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field - * if the Protocol field is "HTTP", "TCP", or "UDP". - * - * The association of SNIs to Certificate defined in ListenerTLSConfig is - * defined based on the Hostname field for this listener. - * - * The GatewayClass MUST use the longest matching SNI out of all - * available certificates for any TLS handshake. - */ - export interface XListenerSetSpecListenersTlsPatch { - /** - * CertificateRefs contains a series of references to Kubernetes objects that - * contains TLS certificates and private keys. These certificates are used to - * establish a TLS handshake for requests that match the hostname of the - * associated listener. - * - * A single CertificateRef to a Kubernetes Secret has "Core" support. - * Implementations MAY choose to support attaching multiple certificates to - * a Listener, but this behavior is implementation-specific. 
- * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * This field is required to have at least one element when the mode is set - * to "Terminate" (default) and is optional otherwise. - * - * CertificateRefs can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - * - * Support: Implementation-specific (More than one reference or other resource types) - */ - certificateRefs: outputs.gateway.v1alpha1.XListenerSetSpecListenersTlsCertificateRefsPatch[]; - /** - * Mode defines the TLS behavior for the TLS session initiated by the client. - * There are two possible modes: - * - * - Terminate: The TLS session between the downstream client and the - * Gateway is terminated at the Gateway. This mode requires certificates - * to be specified in some way, such as populating the certificateRefs - * field. - * - Passthrough: The TLS session is NOT terminated by the Gateway. This - * implies that the Gateway can't decipher the TLS stream except for - * the ClientHello message of the TLS protocol. The certificateRefs field - * is ignored in this mode. - * - * Support: Core - */ - mode: string; - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. 
- * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options: {[key: string]: string}; - } - - /** - * ParentRef references the Gateway that the listeners are attached to. - */ - export interface XListenerSetSpecParentRef { - /** - * Group is the group of the referent. - */ - group: string; - /** - * Kind is kind of the referent. For example "Gateway". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referent. If not present, - * the namespace of the referent is assumed to be the same as - * the namespace of the referring object. - */ - namespace: string; - } - - /** - * ParentRef references the Gateway that the listeners are attached to. - */ - export interface XListenerSetSpecParentRefPatch { - /** - * Group is the group of the referent. - */ - group: string; - /** - * Kind is kind of the referent. For example "Gateway". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referent. If not present, - * the namespace of the referent is assumed to be the same as - * the namespace of the referring object. - */ - namespace: string; - } - - /** - * Spec defines the desired state of ListenerSet. - */ - export interface XListenerSetSpecPatch { - /** - * Listeners associated with this ListenerSet. Listeners define - * logical endpoints that are bound on this referenced parent Gateway's addresses. - * - * Listeners in a `Gateway` and their attached `ListenerSets` are concatenated - * as a list when programming the underlying infrastructure. Each listener - * name does not need to be unique across the Gateway and ListenerSets. - * See ListenerEntry.Name for more details. 
- * - * Implementations MUST treat the parent Gateway as having the merged - * list of all listeners from itself and attached ListenerSets using - * the following precedence: - * - * 1. "parent" Gateway - * 2. ListenerSet ordered by creation time (oldest first) - * 3. ListenerSet ordered alphabetically by "{namespace}/{name}". - * - * An implementation MAY reject listeners by setting the ListenerEntryStatus - * `Accepted` condition to False with the Reason `TooManyListeners` - * - * If a listener has a conflict, this will be reported in the - * Status.ListenerEntryStatus setting the `Conflicted` condition to True. - * - * Implementations SHOULD be cautious about what information from the - * parent or siblings are reported to avoid accidentally leaking - * sensitive information that the child would not otherwise have access - * to. This can include contents of secrets etc. - */ - listeners: outputs.gateway.v1alpha1.XListenerSetSpecListenersPatch[]; - parentRef: outputs.gateway.v1alpha1.XListenerSetSpecParentRefPatch; - } - - /** - * Status defines the current state of ListenerSet. - */ - export interface XListenerSetStatus { - /** - * Conditions describe the current conditions of the ListenerSet. - * - * Implementations MUST express ListenerSet conditions using the - * `ListenerSetConditionType` and `ListenerSetConditionReason` - * constants so that operators and tools can converge on a common - * vocabulary to describe ListenerSet state. - * - * Known condition types are: - * - * * "Accepted" - * * "Programmed" - */ - conditions: outputs.gateway.v1alpha1.XListenerSetStatusConditions[]; - /** - * Listeners provide status for each unique listener port defined in the Spec. - */ - listeners: outputs.gateway.v1alpha1.XListenerSetStatusListeners[]; - } - - /** - * Condition contains details for one aspect of the current state of this API Resource. 
- */ - export interface XListenerSetStatusConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - export interface XListenerSetStatusConditionsPatch { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. 
- */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - - /** - * ListenerStatus is the status associated with a Listener. - */ - export interface XListenerSetStatusListeners { - /** - * AttachedRoutes represents the total number of Routes that have been - * successfully attached to this Listener. - * - * Successful attachment of a Route to a Listener is based solely on the - * combination of the AllowedRoutes field on the corresponding Listener - * and the Route's ParentRefs field. A Route is successfully attached to - * a Listener when it is selected by the Listener's AllowedRoutes field - * AND the Route has a valid ParentRef selecting the whole Gateway - * resource or a specific Listener as a parent resource (more detail on - * attachment semantics can be found in the documentation on the various - * Route kinds ParentRefs fields). Listener or Route status does not impact - * successful attachment, i.e. the AttachedRoutes field count MUST be set - * for Listeners with condition Accepted: false and MUST count successfully - * attached Routes that may themselves have Accepted: false conditions. 
- * - * Uses for this field include troubleshooting Route attachment and - * measuring blast radius/impact of changes to a Listener. - */ - attachedRoutes: number; - /** - * Conditions describe the current condition of this listener. - */ - conditions: outputs.gateway.v1alpha1.XListenerSetStatusListenersConditions[]; - /** - * Name is the name of the Listener that this status corresponds to. - */ - name: string; - /** - * Port is the network port the listener is configured to listen on. - */ - port: number; - /** - * SupportedKinds is the list indicating the Kinds supported by this - * listener. This MUST represent the kinds an implementation supports for - * that Listener configuration. - * - * If kinds are specified in Spec that are not supported, they MUST NOT - * appear in this list and an implementation MUST set the "ResolvedRefs" - * condition to "False" with the "InvalidRouteKinds" reason. If both valid - * and invalid Route kinds are specified, the implementation MUST - * reference the valid Route kinds that have been specified. - */ - supportedKinds: outputs.gateway.v1alpha1.XListenerSetStatusListenersSupportedKinds[]; - } - - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - export interface XListenerSetStatusListenersConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. 
- * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - export interface XListenerSetStatusListenersConditionsPatch { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. 
- * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - - /** - * ListenerStatus is the status associated with a Listener. - */ - export interface XListenerSetStatusListenersPatch { - /** - * AttachedRoutes represents the total number of Routes that have been - * successfully attached to this Listener. - * - * Successful attachment of a Route to a Listener is based solely on the - * combination of the AllowedRoutes field on the corresponding Listener - * and the Route's ParentRefs field. A Route is successfully attached to - * a Listener when it is selected by the Listener's AllowedRoutes field - * AND the Route has a valid ParentRef selecting the whole Gateway - * resource or a specific Listener as a parent resource (more detail on - * attachment semantics can be found in the documentation on the various - * Route kinds ParentRefs fields). Listener or Route status does not impact - * successful attachment, i.e. the AttachedRoutes field count MUST be set - * for Listeners with condition Accepted: false and MUST count successfully - * attached Routes that may themselves have Accepted: false conditions. - * - * Uses for this field include troubleshooting Route attachment and - * measuring blast radius/impact of changes to a Listener. - */ - attachedRoutes: number; - /** - * Conditions describe the current condition of this listener. - */ - conditions: outputs.gateway.v1alpha1.XListenerSetStatusListenersConditionsPatch[]; - /** - * Name is the name of the Listener that this status corresponds to. - */ - name: string; - /** - * Port is the network port the listener is configured to listen on. - */ - port: number; - /** - * SupportedKinds is the list indicating the Kinds supported by this - * listener. 
This MUST represent the kinds an implementation supports for - * that Listener configuration. - * - * If kinds are specified in Spec that are not supported, they MUST NOT - * appear in this list and an implementation MUST set the "ResolvedRefs" - * condition to "False" with the "InvalidRouteKinds" reason. If both valid - * and invalid Route kinds are specified, the implementation MUST - * reference the valid Route kinds that have been specified. - */ - supportedKinds: outputs.gateway.v1alpha1.XListenerSetStatusListenersSupportedKindsPatch[]; - } - - /** - * RouteGroupKind indicates the group and kind of a Route resource. - */ - export interface XListenerSetStatusListenersSupportedKinds { - /** - * Group is the group of the Route. - */ - group: string; - /** - * Kind is the kind of the Route. - */ - kind: string; - } - - /** - * RouteGroupKind indicates the group and kind of a Route resource. - */ - export interface XListenerSetStatusListenersSupportedKindsPatch { - /** - * Group is the group of the Route. - */ - group: string; - /** - * Kind is the kind of the Route. - */ - kind: string; - } - - /** - * Status defines the current state of ListenerSet. - */ - export interface XListenerSetStatusPatch { - /** - * Conditions describe the current conditions of the ListenerSet. - * - * Implementations MUST express ListenerSet conditions using the - * `ListenerSetConditionType` and `ListenerSetConditionReason` - * constants so that operators and tools can converge on a common - * vocabulary to describe ListenerSet state. - * - * Known condition types are: - * - * * "Accepted" - * * "Programmed" - */ - conditions: outputs.gateway.v1alpha1.XListenerSetStatusConditionsPatch[]; - /** - * Listeners provide status for each unique listener port defined in the Spec. - */ - listeners: outputs.gateway.v1alpha1.XListenerSetStatusListenersPatch[]; - } - - /** - * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh. 
- */ - export interface XMesh { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion: "gateway.networking.x-k8s.io/v1alpha1"; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind: "XMesh"; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata: outputs.meta.v1.ObjectMeta; - spec: outputs.gateway.v1alpha1.XMeshSpec; - status: outputs.gateway.v1alpha1.XMeshStatus; - } - - /** - * Spec defines the desired state of XMesh. - */ - export interface XMeshSpec { - /** - * ControllerName is the name of a controller that is managing Gateway API - * resources for mesh traffic management. The value of this field MUST be a - * domain prefixed path. - * - * Example: "example.com/awesome-mesh". - * - * This field is not mutable and cannot be empty. - * - * Support: Core - */ - controllerName: string; - /** - * Description optionally provides a human-readable description of a Mesh. - */ - description: string; - parametersRef: outputs.gateway.v1alpha1.XMeshSpecParametersRef; - } - - /** - * ParametersRef is an optional reference to a resource that contains - * implementation-specific configuration for this Mesh. If no - * implementation-specific parameters are needed, this field MUST be - * omitted. - * - * ParametersRef can reference a standard Kubernetes resource, i.e. - * ConfigMap, or an implementation-specific custom resource. 
The resource - * can be cluster-scoped or namespace-scoped. - * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Mesh MUST be rejected - * with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. - * - * Support: Implementation-specific - */ - export interface XMeshSpecParametersRef { - /** - * Group is the group of the referent. - */ - group: string; - /** - * Kind is kind of the referent. - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referent. - * This field is required when referring to a Namespace-scoped resource and - * MUST be unset when referring to a Cluster-scoped resource. - */ - namespace: string; - } - - /** - * ParametersRef is an optional reference to a resource that contains - * implementation-specific configuration for this Mesh. If no - * implementation-specific parameters are needed, this field MUST be - * omitted. - * - * ParametersRef can reference a standard Kubernetes resource, i.e. - * ConfigMap, or an implementation-specific custom resource. The resource - * can be cluster-scoped or namespace-scoped. - * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Mesh MUST be rejected - * with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. - * - * Support: Implementation-specific - */ - export interface XMeshSpecParametersRefPatch { - /** - * Group is the group of the referent. - */ - group: string; - /** - * Kind is kind of the referent. - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referent. - * This field is required when referring to a Namespace-scoped resource and - * MUST be unset when referring to a Cluster-scoped resource. 
- */ - namespace: string; - } - - /** - * Spec defines the desired state of XMesh. - */ - export interface XMeshSpecPatch { - /** - * ControllerName is the name of a controller that is managing Gateway API - * resources for mesh traffic management. The value of this field MUST be a - * domain prefixed path. - * - * Example: "example.com/awesome-mesh". - * - * This field is not mutable and cannot be empty. - * - * Support: Core - */ - controllerName: string; - /** - * Description optionally provides a human-readable description of a Mesh. - */ - description: string; - parametersRef: outputs.gateway.v1alpha1.XMeshSpecParametersRefPatch; - } - - /** - * Status defines the current state of XMesh. - */ - export interface XMeshStatus { - /** - * Conditions is the current status from the controller for - * this Mesh. - * - * Controllers should prefer to publish conditions using values - * of MeshConditionType for the type of each Condition. - */ - conditions: outputs.gateway.v1alpha1.XMeshStatusConditions[]; - /** - * SupportedFeatures is the set of features the Mesh support. - * It MUST be sorted in ascending alphabetical order by the Name key. - */ - supportedFeatures: outputs.gateway.v1alpha1.XMeshStatusSupportedFeatures[]; - } - - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - export interface XMeshStatusConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. 
- * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - export interface XMeshStatusConditionsPatch { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. 
- * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - - /** - * Status defines the current state of XMesh. - */ - export interface XMeshStatusPatch { - /** - * Conditions is the current status from the controller for - * this Mesh. - * - * Controllers should prefer to publish conditions using values - * of MeshConditionType for the type of each Condition. - */ - conditions: outputs.gateway.v1alpha1.XMeshStatusConditionsPatch[]; - /** - * SupportedFeatures is the set of features the Mesh support. - * It MUST be sorted in ascending alphabetical order by the Name key. - */ - supportedFeatures: outputs.gateway.v1alpha1.XMeshStatusSupportedFeaturesPatch[]; - } - - export interface XMeshStatusSupportedFeatures { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. - */ - name: string; - } - - export interface XMeshStatusSupportedFeaturesPatch { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. - */ - name: string; - } - - } - export namespace v1alpha2 { + /** + * BackendLBPolicy provides a way to define load balancing rules + * for a backend. + */ + export interface BackendLBPolicy { + /** + * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + */ + apiVersion: "gateway.networking.k8s.io/v1alpha2"; + /** + * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + */ + kind: "BackendLBPolicy"; + /** + * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + */ + metadata: outputs.meta.v1.ObjectMeta; + spec: outputs.gateway.v1alpha2.BackendLBPolicySpec; + status: outputs.gateway.v1alpha2.BackendLBPolicyStatus; + } + + /** + * Spec defines the desired state of BackendLBPolicy. + */ + export interface BackendLBPolicySpec { + sessionPersistence: outputs.gateway.v1alpha2.BackendLBPolicySpecSessionPersistence; + /** + * TargetRef identifies an API object to apply policy to. + * Currently, Backends (i.e. Service, ServiceImport, or any + * implementation-specific backendRef) are the only valid API + * target references. + */ + targetRefs: outputs.gateway.v1alpha2.BackendLBPolicySpecTargetRefs[]; + } + + /** + * Spec defines the desired state of BackendLBPolicy. + */ + export interface BackendLBPolicySpecPatch { + sessionPersistence: outputs.gateway.v1alpha2.BackendLBPolicySpecSessionPersistencePatch; + /** + * TargetRef identifies an API object to apply policy to. + * Currently, Backends (i.e. Service, ServiceImport, or any + * implementation-specific backendRef) are the only valid API + * target references. + */ + targetRefs: outputs.gateway.v1alpha2.BackendLBPolicySpecTargetRefsPatch[]; + } + + /** + * SessionPersistence defines and configures session persistence + * for the backend. + * + * + * Support: Extended + */ + export interface BackendLBPolicySpecSessionPersistence { + /** + * AbsoluteTimeout defines the absolute timeout of the persistent + * session. Once the AbsoluteTimeout duration has elapsed, the + * session becomes invalid. 
+ * + * + * Support: Extended + */ + absoluteTimeout: string; + cookieConfig: outputs.gateway.v1alpha2.BackendLBPolicySpecSessionPersistenceCookieConfig; + /** + * IdleTimeout defines the idle timeout of the persistent session. + * Once the session has been idle for more than the specified + * IdleTimeout duration, the session becomes invalid. + * + * + * Support: Extended + */ + idleTimeout: string; + /** + * SessionName defines the name of the persistent session token + * which may be reflected in the cookie or the header. Users + * should avoid reusing session names to prevent unintended + * consequences, such as rejection or unpredictable behavior. + * + * + * Support: Implementation-specific + */ + sessionName: string; + /** + * Type defines the type of session persistence such as through + * the use a header or cookie. Defaults to cookie based session + * persistence. + * + * + * Support: Core for "Cookie" type + * + * + * Support: Extended for "Header" type + */ + type: string; + } + + /** + * CookieConfig provides configuration settings that are specific + * to cookie-based session persistence. + * + * + * Support: Core + */ + export interface BackendLBPolicySpecSessionPersistenceCookieConfig { + /** + * LifetimeType specifies whether the cookie has a permanent or + * session-based lifetime. A permanent cookie persists until its + * specified expiry time, defined by the Expires or Max-Age cookie + * attributes, while a session cookie is deleted when the current + * session ends. + * + * + * When set to "Permanent", AbsoluteTimeout indicates the + * cookie's lifetime via the Expires or Max-Age cookie attributes + * and is required. + * + * + * When set to "Session", AbsoluteTimeout indicates the + * absolute lifetime of the cookie tracked by the gateway and + * is optional. 
+ * + * + * Support: Core for "Session" type + * + * + * Support: Extended for "Permanent" type + */ + lifetimeType: string; + } + + /** + * CookieConfig provides configuration settings that are specific + * to cookie-based session persistence. + * + * + * Support: Core + */ + export interface BackendLBPolicySpecSessionPersistenceCookieConfigPatch { + /** + * LifetimeType specifies whether the cookie has a permanent or + * session-based lifetime. A permanent cookie persists until its + * specified expiry time, defined by the Expires or Max-Age cookie + * attributes, while a session cookie is deleted when the current + * session ends. + * + * + * When set to "Permanent", AbsoluteTimeout indicates the + * cookie's lifetime via the Expires or Max-Age cookie attributes + * and is required. + * + * + * When set to "Session", AbsoluteTimeout indicates the + * absolute lifetime of the cookie tracked by the gateway and + * is optional. + * + * + * Support: Core for "Session" type + * + * + * Support: Extended for "Permanent" type + */ + lifetimeType: string; + } + + /** + * SessionPersistence defines and configures session persistence + * for the backend. + * + * + * Support: Extended + */ + export interface BackendLBPolicySpecSessionPersistencePatch { + /** + * AbsoluteTimeout defines the absolute timeout of the persistent + * session. Once the AbsoluteTimeout duration has elapsed, the + * session becomes invalid. + * + * + * Support: Extended + */ + absoluteTimeout: string; + cookieConfig: outputs.gateway.v1alpha2.BackendLBPolicySpecSessionPersistenceCookieConfigPatch; + /** + * IdleTimeout defines the idle timeout of the persistent session. + * Once the session has been idle for more than the specified + * IdleTimeout duration, the session becomes invalid. + * + * + * Support: Extended + */ + idleTimeout: string; + /** + * SessionName defines the name of the persistent session token + * which may be reflected in the cookie or the header. 
Users + * should avoid reusing session names to prevent unintended + * consequences, such as rejection or unpredictable behavior. + * + * + * Support: Implementation-specific + */ + sessionName: string; + /** + * Type defines the type of session persistence such as through + * the use a header or cookie. Defaults to cookie based session + * persistence. + * + * + * Support: Core for "Cookie" type + * + * + * Support: Extended for "Header" type + */ + type: string; + } + + /** + * LocalPolicyTargetReference identifies an API object to apply a direct or + * inherited policy to. This should be used as part of Policy resources + * that can target Gateway API resources. For more information on how this + * policy attachment model works, and a sample Policy resource, refer to + * the policy attachment documentation for Gateway API. + */ + export interface BackendLBPolicySpecTargetRefs { + /** + * Group is the group of the target resource. + */ + group: string; + /** + * Kind is kind of the target resource. + */ + kind: string; + /** + * Name is the name of the target resource. + */ + name: string; + } + + /** + * LocalPolicyTargetReference identifies an API object to apply a direct or + * inherited policy to. This should be used as part of Policy resources + * that can target Gateway API resources. For more information on how this + * policy attachment model works, and a sample Policy resource, refer to + * the policy attachment documentation for Gateway API. + */ + export interface BackendLBPolicySpecTargetRefsPatch { + /** + * Group is the group of the target resource. + */ + group: string; + /** + * Kind is kind of the target resource. + */ + kind: string; + /** + * Name is the name of the target resource. + */ + name: string; + } + + /** + * Status defines the current state of BackendLBPolicy. 
+ */ + export interface BackendLBPolicyStatus { + /** + * Ancestors is a list of ancestor resources (usually Gateways) that are + * associated with the policy, and the status of the policy with respect to + * each ancestor. When this policy attaches to a parent, the controller that + * manages the parent and the ancestors MUST add an entry to this list when + * the controller first sees the policy and SHOULD update the entry as + * appropriate when the relevant ancestor is modified. + * + * + * Note that choosing the relevant ancestor is left to the Policy designers; + * an important part of Policy design is designing the right object level at + * which to namespace this status. + * + * + * Note also that implementations MUST ONLY populate ancestor status for + * the Ancestor resources they are responsible for. Implementations MUST + * use the ControllerName field to uniquely identify the entries in this list + * that they are responsible for. + * + * + * Note that to achieve this, the list of PolicyAncestorStatus structs + * MUST be treated as a map with a composite key, made up of the AncestorRef + * and ControllerName fields combined. + * + * + * A maximum of 16 ancestors will be represented in this list. An empty list + * means the Policy is not relevant for any ancestors. + * + * + * If this slice is full, implementations MUST NOT add further entries. + * Instead they MUST consider the policy unimplementable and signal that + * on any related resources such as the ancestor that would be referenced + * here. For example, if this list was full on BackendTLSPolicy, no + * additional Gateways would be able to reference the Service targeted by + * the BackendTLSPolicy. + */ + ancestors: outputs.gateway.v1alpha2.BackendLBPolicyStatusAncestors[]; + } + + /** + * PolicyAncestorStatus describes the status of a route with respect to an + * associated Ancestor. 
+ * + * + * Ancestors refer to objects that are either the Target of a policy or above it + * in terms of object hierarchy. For example, if a policy targets a Service, the + * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most + * useful object to place Policy status on, so we recommend that implementations + * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + * have a _very_ good reason otherwise. + * + * + * In the context of policy attachment, the Ancestor is used to distinguish which + * resource results in a distinct application of this policy. For example, if a policy + * targets a Service, it may have a distinct result per attached Gateway. + * + * + * Policies targeting the same resource may have different effects depending on the + * ancestors of those resources. For example, different Gateways targeting the same + * Service may have different capabilities, especially if they have different underlying + * implementations. + * + * + * For example, in BackendTLSPolicy, the Policy attaches to a Service that is + * used as a backend in a HTTPRoute that is itself attached to a Gateway. + * In this case, the relevant object for status is the Gateway, and that is the + * ancestor object referred to in this status. + * + * + * Note that a parent is also an ancestor, so for objects where the parent is the + * relevant object for status, this struct SHOULD still be used. + * + * + * This struct is intended to be used in a slice that's effectively a map, + * with a composite key made up of the AncestorRef and the ControllerName. + */ + export interface BackendLBPolicyStatusAncestors { + ancestorRef: outputs.gateway.v1alpha2.BackendLBPolicyStatusAncestorsAncestorRef; + /** + * Conditions describes the status of the Policy with respect to the given Ancestor. 
+ */ + conditions: outputs.gateway.v1alpha2.BackendLBPolicyStatusAncestorsConditions[]; + /** + * ControllerName is a domain/path string that indicates the name of the + * controller that wrote this status. This corresponds with the + * controllerName field on GatewayClass. + * + * + * Example: "example.net/gateway-controller". + * + * + * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + * valid Kubernetes names + * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + * + * + * Controllers MUST populate this field when writing status. Controllers should ensure that + * entries to status populated with their ControllerName are cleaned up when they are no + * longer necessary. + */ + controllerName: string; + } + + /** + * AncestorRef corresponds with a ParentRef in the spec that this + * PolicyAncestorStatus struct describes the status of. + */ + export interface BackendLBPolicyStatusAncestorsAncestorRef { + /** + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. + * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core + */ + group: string; + /** + * Kind is kind of the referent. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. + */ + kind: string; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name: string; + /** + * Namespace is the namespace of the referent. When unspecified, this refers + * to the local namespace of the Route. + * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. 
Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + * + * + * + * Support: Core + */ + namespace: string; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. + * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. + * + * + * + * Implementations MAY choose to support other parent resources. + * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. 
+ * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. + * + * + * Support: Extended + */ + port: number; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. + * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. + * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. 
+ * + * + * Support: Core + */ + sectionName: string; + } + + /** + * AncestorRef corresponds with a ParentRef in the spec that this + * PolicyAncestorStatus struct describes the status of. + */ + export interface BackendLBPolicyStatusAncestorsAncestorRefPatch { + /** + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. + * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core + */ + group: string; + /** + * Kind is kind of the referent. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. + */ + kind: string; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name: string; + /** + * Namespace is the namespace of the referent. When unspecified, this refers + * to the local namespace of the Route. + * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. 
+ * + * + * + * Support: Core + */ + namespace: string; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. + * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. + * + * + * + * Implementations MAY choose to support other parent resources. + * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. + * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. + * + * + * Support: Extended + */ + port: number; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. 
When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. + * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. + * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. + * + * + * Support: Core + */ + sectionName: string; + } + + /** + * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } + */ + export interface BackendLBPolicyStatusAncestorsConditions { + /** + * lastTransitionTime is the last time the condition transitioned from one status to another. 
+ * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + */ + lastTransitionTime: string; + /** + * message is a human readable message indicating details about the transition. + * This may be an empty string. + */ + message: string; + /** + * observedGeneration represents the .metadata.generation that the condition was set based upon. + * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + * with respect to the current state of the instance. + */ + observedGeneration: number; + /** + * reason contains a programmatic identifier indicating the reason for the condition's last transition. + * Producers of specific condition types may define expected values and meanings for this field, + * and whether the values are considered a guaranteed API. + * The value should be a CamelCase string. + * This field may not be empty. + */ + reason: string; + /** + * status of the condition, one of True, False, Unknown. + */ + status: string; + /** + * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + */ + type: string; + } + + /** + * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. 
+ * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } + */ + export interface BackendLBPolicyStatusAncestorsConditionsPatch { + /** + * lastTransitionTime is the last time the condition transitioned from one status to another. + * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + */ + lastTransitionTime: string; + /** + * message is a human readable message indicating details about the transition. + * This may be an empty string. + */ + message: string; + /** + * observedGeneration represents the .metadata.generation that the condition was set based upon. + * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + * with respect to the current state of the instance. + */ + observedGeneration: number; + /** + * reason contains a programmatic identifier indicating the reason for the condition's last transition. + * Producers of specific condition types may define expected values and meanings for this field, + * and whether the values are considered a guaranteed API. + * The value should be a CamelCase string. + * This field may not be empty. + */ + reason: string; + /** + * status of the condition, one of True, False, Unknown. + */ + status: string; + /** + * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. 
+ * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + */ + type: string; + } + + /** + * PolicyAncestorStatus describes the status of a route with respect to an + * associated Ancestor. + * + * + * Ancestors refer to objects that are either the Target of a policy or above it + * in terms of object hierarchy. For example, if a policy targets a Service, the + * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most + * useful object to place Policy status on, so we recommend that implementations + * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + * have a _very_ good reason otherwise. + * + * + * In the context of policy attachment, the Ancestor is used to distinguish which + * resource results in a distinct application of this policy. For example, if a policy + * targets a Service, it may have a distinct result per attached Gateway. + * + * + * Policies targeting the same resource may have different effects depending on the + * ancestors of those resources. For example, different Gateways targeting the same + * Service may have different capabilities, especially if they have different underlying + * implementations. + * + * + * For example, in BackendTLSPolicy, the Policy attaches to a Service that is + * used as a backend in a HTTPRoute that is itself attached to a Gateway. + * In this case, the relevant object for status is the Gateway, and that is the + * ancestor object referred to in this status. + * + * + * Note that a parent is also an ancestor, so for objects where the parent is the + * relevant object for status, this struct SHOULD still be used. + * + * + * This struct is intended to be used in a slice that's effectively a map, + * with a composite key made up of the AncestorRef and the ControllerName. 
+ */ + export interface BackendLBPolicyStatusAncestorsPatch { + ancestorRef: outputs.gateway.v1alpha2.BackendLBPolicyStatusAncestorsAncestorRefPatch; + /** + * Conditions describes the status of the Policy with respect to the given Ancestor. + */ + conditions: outputs.gateway.v1alpha2.BackendLBPolicyStatusAncestorsConditionsPatch[]; + /** + * ControllerName is a domain/path string that indicates the name of the + * controller that wrote this status. This corresponds with the + * controllerName field on GatewayClass. + * + * + * Example: "example.net/gateway-controller". + * + * + * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + * valid Kubernetes names + * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + * + * + * Controllers MUST populate this field when writing status. Controllers should ensure that + * entries to status populated with their ControllerName are cleaned up when they are no + * longer necessary. + */ + controllerName: string; + } + + /** + * Status defines the current state of BackendLBPolicy. + */ + export interface BackendLBPolicyStatusPatch { + /** + * Ancestors is a list of ancestor resources (usually Gateways) that are + * associated with the policy, and the status of the policy with respect to + * each ancestor. When this policy attaches to a parent, the controller that + * manages the parent and the ancestors MUST add an entry to this list when + * the controller first sees the policy and SHOULD update the entry as + * appropriate when the relevant ancestor is modified. + * + * + * Note that choosing the relevant ancestor is left to the Policy designers; + * an important part of Policy design is designing the right object level at + * which to namespace this status. + * + * + * Note also that implementations MUST ONLY populate ancestor status for + * the Ancestor resources they are responsible for. 
Implementations MUST + * use the ControllerName field to uniquely identify the entries in this list + * that they are responsible for. + * + * + * Note that to achieve this, the list of PolicyAncestorStatus structs + * MUST be treated as a map with a composite key, made up of the AncestorRef + * and ControllerName fields combined. + * + * + * A maximum of 16 ancestors will be represented in this list. An empty list + * means the Policy is not relevant for any ancestors. + * + * + * If this slice is full, implementations MUST NOT add further entries. + * Instead they MUST consider the policy unimplementable and signal that + * on any related resources such as the ancestor that would be referenced + * here. For example, if this list was full on BackendTLSPolicy, no + * additional Gateways would be able to reference the Service targeted by + * the BackendTLSPolicy. + */ + ancestors: outputs.gateway.v1alpha2.BackendLBPolicyStatusAncestorsPatch[]; + } + + /** + * GRPCRoute provides a way to route gRPC requests. This includes the capability + * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. + * Filters can be used to specify additional processing steps. Backends specify + * where matching requests will be routed. + * + * + * GRPCRoute falls under extended support within the Gateway API. Within the + * following specification, the word "MUST" indicates that an implementation + * supporting GRPCRoute must conform to the indicated requirement, but an + * implementation not supporting this route type need not follow the requirement + * unless explicitly indicated. + * + * + * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST + * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via + * ALPN. If the implementation does not support this, then it MUST set the + * "Accepted" condition to "False" for the affected listener with a reason of + * "UnsupportedProtocol". 
Implementations MAY also accept HTTP/2 connections + * with an upgrade from HTTP/1. + * + * + * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST + * support HTTP/2 over cleartext TCP (h2c, + * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial + * upgrade from HTTP/1.1, i.e. with prior knowledge + * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation + * does not support this, then it MUST set the "Accepted" condition to "False" + * for the affected listener with a reason of "UnsupportedProtocol". + * Implementations MAY also accept HTTP/2 connections with an upgrade from + * HTTP/1, i.e. without prior knowledge. + */ + export interface GRPCRoute { + /** + * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + */ + apiVersion: "gateway.networking.k8s.io/v1alpha2"; + /** + * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + */ + kind: "GRPCRoute"; + /** + * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + */ + metadata: outputs.meta.v1.ObjectMeta; + spec: outputs.gateway.v1alpha2.GRPCRouteSpec; + status: outputs.gateway.v1alpha2.GRPCRouteStatus; + } + + /** + * Spec defines the desired state of GRPCRoute. + */ + export interface GRPCRouteSpec { + /** + * Hostnames defines a set of hostnames to match against the GRPC + * Host header to select a GRPCRoute to process the request. 
This matches + * the RFC 1123 definition of a hostname with 2 notable exceptions: + * + * + * 1. IPs are not allowed. + * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + * label MUST appear by itself as the first label. + * + * + * If a hostname is specified by both the Listener and GRPCRoute, there + * MUST be at least one intersecting hostname for the GRPCRoute to be + * attached to the Listener. For example: + * + * + * * A Listener with `test.example.com` as the hostname matches GRPCRoutes + * that have either not specified any hostnames, or have specified at + * least one of `test.example.com` or `*.example.com`. + * * A Listener with `*.example.com` as the hostname matches GRPCRoutes + * that have either not specified any hostnames or have specified at least + * one hostname that matches the Listener hostname. For example, + * `test.example.com` and `*.example.com` would both match. On the other + * hand, `example.com` and `test.example.net` would not match. + * + * + * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + * as a suffix match. That means that a match for `*.example.com` would match + * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + * + * + * If both the Listener and GRPCRoute have specified hostnames, any + * GRPCRoute hostnames that do not match the Listener hostname MUST be + * ignored. For example, if a Listener specified `*.example.com`, and the + * GRPCRoute specified `test.example.com` and `test.example.net`, + * `test.example.net` MUST NOT be considered for a match. + * + * + * If both the Listener and GRPCRoute have specified hostnames, and none + * match with the criteria above, then the GRPCRoute MUST NOT be accepted by + * the implementation. The implementation MUST raise an 'Accepted' Condition + * with a status of `False` in the corresponding RouteParentStatus. 
+ * + * + * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + * Listener and that listener already has another Route (B) of the other + * type attached and the intersection of the hostnames of A and B is + * non-empty, then the implementation MUST accept exactly one of these two + * routes, determined by the following criteria, in order: + * + * + * * The oldest Route based on creation timestamp. + * * The Route appearing first in alphabetical order by + * "{namespace}/{name}". + * + * + * The rejected Route MUST raise an 'Accepted' condition with a status of + * 'False' in the corresponding RouteParentStatus. + * + * + * Support: Core + */ + hostnames: string[]; + /** + * ParentRefs references the resources (usually Gateways) that a Route wants + * to be attached to. Note that the referenced parent resource needs to + * allow this for the attachment to be complete. For Gateways, that means + * the Gateway needs to allow attachment from Routes of this kind and + * namespace. For Services, that means the Service must either be in the same + * namespace for a "producer" route, or the mesh implementation must support + * and allow "consumer" routes for the referenced Service. ReferenceGrant is + * not applicable for governing ParentRefs to Services - it is not possible to + * create a "producer" route for a Service in a different namespace from the + * Route. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * This API may be extended in the future to support additional kinds of parent + * resources. + * + * + * ParentRefs must be _distinct_. This means either that: + * + * + * * They select different objects. If this is the case, then parentRef + * entries are distinct. 
In terms of fields, this means that the + * multi-part key defined by `group`, `kind`, `namespace`, and `name` must + * be unique across all parentRef entries in the Route. + * * They do not select different objects, but for each optional field used, + * each ParentRef that selects the same object must set the same set of + * optional fields to different values. If one ParentRef sets a + * combination of optional fields, all must set the same combination. + * + * + * Some examples: + * + * + * * If one ParentRef sets `sectionName`, all ParentRefs referencing the + * same object must also set `sectionName`. + * * If one ParentRef sets `port`, all ParentRefs referencing the same + * object must also set `port`. + * * If one ParentRef sets `sectionName` and `port`, all ParentRefs + * referencing the same object must also set `sectionName` and `port`. + * + * + * It is possible to separately reference multiple distinct objects that may + * be collapsed by an implementation. For example, some implementations may + * choose to merge compatible Gateway Listeners together. If that is the + * case, the list of routes attached to those resources should also be + * merged. + * + * + * Note that for ParentRefs that cross namespace boundaries, there are specific + * rules. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example, + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable other kinds of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. 
+ * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + */ + parentRefs: outputs.gateway.v1alpha2.GRPCRouteSpecParentRefs[]; + /** + * Rules are a list of GRPC matchers, filters and actions. + */ + rules: outputs.gateway.v1alpha2.GRPCRouteSpecRules[]; + } + + /** + * ParentReference identifies an API object (usually a Gateway) that can be considered + * a parent of this resource (usually a route). There are two kinds of parent resources + * with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * This API may be extended in the future to support additional kinds of parent + * resources. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + */ + export interface GRPCRouteSpecParentRefs { + /** + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. + * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core + */ + group: string; + /** + * Kind is kind of the referent. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. + */ + kind: string; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name: string; + /** + * Namespace is the namespace of the referent. When unspecified, this refers + * to the local namespace of the Route. 
+ * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + * + * + * + * Support: Core + */ + namespace: string; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. + * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. + * + * + * + * Implementations MAY choose to support other parent resources. 
+ * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. + * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. + * + * + * Support: Extended + */ + port: number; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. + * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. + * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. 
+ * + * + * Support: Core + */ + sectionName: string; + } + + /** + * ParentReference identifies an API object (usually a Gateway) that can be considered + * a parent of this resource (usually a route). There are two kinds of parent resources + * with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * This API may be extended in the future to support additional kinds of parent + * resources. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + */ + export interface GRPCRouteSpecParentRefsPatch { + /** + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. + * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core + */ + group: string; + /** + * Kind is kind of the referent. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. + */ + kind: string; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name: string; + /** + * Namespace is the namespace of the referent. When unspecified, this refers + * to the local namespace of the Route. + * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. 
+ * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + * + * + * + * Support: Core + */ + namespace: string; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. + * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. + * + * + * + * Implementations MAY choose to support other parent resources. + * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. + * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. + * + * + * Support: Extended + */ + port: number; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. + * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. + * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. + * + * + * Support: Core + */ + sectionName: string; + } + + /** + * Spec defines the desired state of GRPCRoute. + */ + export interface GRPCRouteSpecPatch { + /** + * Hostnames defines a set of hostnames to match against the GRPC + * Host header to select a GRPCRoute to process the request. This matches + * the RFC 1123 definition of a hostname with 2 notable exceptions: + * + * + * 1. IPs are not allowed. 
+ * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + * label MUST appear by itself as the first label. + * + * + * If a hostname is specified by both the Listener and GRPCRoute, there + * MUST be at least one intersecting hostname for the GRPCRoute to be + * attached to the Listener. For example: + * + * + * * A Listener with `test.example.com` as the hostname matches GRPCRoutes + * that have either not specified any hostnames, or have specified at + * least one of `test.example.com` or `*.example.com`. + * * A Listener with `*.example.com` as the hostname matches GRPCRoutes + * that have either not specified any hostnames or have specified at least + * one hostname that matches the Listener hostname. For example, + * `test.example.com` and `*.example.com` would both match. On the other + * hand, `example.com` and `test.example.net` would not match. + * + * + * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + * as a suffix match. That means that a match for `*.example.com` would match + * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + * + * + * If both the Listener and GRPCRoute have specified hostnames, any + * GRPCRoute hostnames that do not match the Listener hostname MUST be + * ignored. For example, if a Listener specified `*.example.com`, and the + * GRPCRoute specified `test.example.com` and `test.example.net`, + * `test.example.net` MUST NOT be considered for a match. + * + * + * If both the Listener and GRPCRoute have specified hostnames, and none + * match with the criteria above, then the GRPCRoute MUST NOT be accepted by + * the implementation. The implementation MUST raise an 'Accepted' Condition + * with a status of `False` in the corresponding RouteParentStatus. 
+ * + * + * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + * Listener and that listener already has another Route (B) of the other + * type attached and the intersection of the hostnames of A and B is + * non-empty, then the implementation MUST accept exactly one of these two + * routes, determined by the following criteria, in order: + * + * + * * The oldest Route based on creation timestamp. + * * The Route appearing first in alphabetical order by + * "{namespace}/{name}". + * + * + * The rejected Route MUST raise an 'Accepted' condition with a status of + * 'False' in the corresponding RouteParentStatus. + * + * + * Support: Core + */ + hostnames: string[]; + /** + * ParentRefs references the resources (usually Gateways) that a Route wants + * to be attached to. Note that the referenced parent resource needs to + * allow this for the attachment to be complete. For Gateways, that means + * the Gateway needs to allow attachment from Routes of this kind and + * namespace. For Services, that means the Service must either be in the same + * namespace for a "producer" route, or the mesh implementation must support + * and allow "consumer" routes for the referenced Service. ReferenceGrant is + * not applicable for governing ParentRefs to Services - it is not possible to + * create a "producer" route for a Service in a different namespace from the + * Route. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * This API may be extended in the future to support additional kinds of parent + * resources. + * + * + * ParentRefs must be _distinct_. This means either that: + * + * + * * They select different objects. If this is the case, then parentRef + * entries are distinct. 
In terms of fields, this means that the + * multi-part key defined by `group`, `kind`, `namespace`, and `name` must + * be unique across all parentRef entries in the Route. + * * They do not select different objects, but for each optional field used, + * each ParentRef that selects the same object must set the same set of + * optional fields to different values. If one ParentRef sets a + * combination of optional fields, all must set the same combination. + * + * + * Some examples: + * + * + * * If one ParentRef sets `sectionName`, all ParentRefs referencing the + * same object must also set `sectionName`. + * * If one ParentRef sets `port`, all ParentRefs referencing the same + * object must also set `port`. + * * If one ParentRef sets `sectionName` and `port`, all ParentRefs + * referencing the same object must also set `sectionName` and `port`. + * + * + * It is possible to separately reference multiple distinct objects that may + * be collapsed by an implementation. For example, some implementations may + * choose to merge compatible Gateway Listeners together. If that is the + * case, the list of routes attached to those resources should also be + * merged. + * + * + * Note that for ParentRefs that cross namespace boundaries, there are specific + * rules. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example, + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable other kinds of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. 
+ * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + */ + parentRefs: outputs.gateway.v1alpha2.GRPCRouteSpecParentRefsPatch[]; + /** + * Rules are a list of GRPC matchers, filters and actions. + */ + rules: outputs.gateway.v1alpha2.GRPCRouteSpecRulesPatch[]; + } + + /** + * GRPCRouteRule defines the semantics for matching a gRPC request based on + * conditions (matches), processing it (filters), and forwarding the request to + * an API object (backendRefs). + */ + export interface GRPCRouteSpecRules { + /** + * BackendRefs defines the backend(s) where matching requests should be + * sent. + * + * + * Failure behavior here depends on how many BackendRefs are specified and + * how many are invalid. + * + * + * If *all* entries in BackendRefs are invalid, and there are also no filters + * specified in this route rule, *all* traffic which matches this rule MUST + * receive an `UNAVAILABLE` status. + * + * + * See the GRPCBackendRef definition for the rules about what makes a single + * GRPCBackendRef invalid. + * + * + * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for + * requests that would have otherwise been routed to an invalid backend. If + * multiple backends are specified, and some are invalid, the proportion of + * requests that would otherwise have been routed to an invalid backend + * MUST receive an `UNAVAILABLE` status. + * + * + * For example, if two backends are specified with equal weights, and one is + * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. + * Implementations may choose how that 50 percent is determined. 
+ * + * + * Support: Core for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + * + * + * Support for weight: Core + */ + backendRefs: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefs[]; + /** + * Filters define the filters that are applied to requests that match + * this rule. + * + * + * The effects of ordering of multiple behaviors are currently unspecified. + * This can change in the future based on feedback during the alpha stage. + * + * + * Conformance-levels at this level are defined based on the type of filter: + * + * + * - ALL core filters MUST be supported by all implementations that support + * GRPCRoute. + * - Implementers are encouraged to support extended filters. + * - Implementation-specific custom filters have no API guarantees across + * implementations. + * + * + * Specifying the same filter multiple times is not supported unless explicitly + * indicated in the filter. + * + * + * If an implementation can not support a combination of filters, it must clearly + * document that limitation. In cases where incompatible or unsupported + * filters are specified and cause the `Accepted` condition to be set to status + * `False`, implementations may use the `IncompatibleFilters` reason to specify + * this configuration error. + * + * + * Support: Core + */ + filters: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFilters[]; + /** + * Matches define conditions used for matching the rule against incoming + * gRPC requests. Each match is independent, i.e. this rule will be matched + * if **any** one of the matches is satisfied. 
+ * + * + * For example, take the following matches configuration: + * + * + * ``` + * matches: + * - method: + * service: foo.bar + * headers: + * values: + * version: 2 + * - method: + * service: foo.bar.v2 + * ``` + * + * + * For a request to match against this rule, it MUST satisfy + * EITHER of the two conditions: + * + * + * - service of foo.bar AND contains the header `version: 2` + * - service of foo.bar.v2 + * + * + * See the documentation for GRPCRouteMatch on how to specify multiple + * match conditions to be ANDed together. + * + * + * If no matches are specified, the implementation MUST match every gRPC request. + * + * + * Proxy or Load Balancer routing configuration generated from GRPCRoutes + * MUST prioritize rules based on the following criteria, continuing on + * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + * Precedence MUST be given to the rule with the largest number of: + * + * + * * Characters in a matching non-wildcard hostname. + * * Characters in a matching hostname. + * * Characters in a matching service. + * * Characters in a matching method. + * * Header matches. + * + * + * If ties still exist across multiple Routes, matching precedence MUST be + * determined in order of the following criteria, continuing on ties: + * + * + * * The oldest Route based on creation timestamp. + * * The Route appearing first in alphabetical order by + * "{namespace}/{name}". + * + * + * If ties still exist within the Route that has been given precedence, + * matching precedence MUST be granted to the first matching rule meeting + * the above criteria. + */ + matches: outputs.gateway.v1alpha2.GRPCRouteSpecRulesMatches[]; + sessionPersistence: outputs.gateway.v1alpha2.GRPCRouteSpecRulesSessionPersistence; + } + + /** + * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. 
+ * + * + * Note that when a namespace different than the local namespace is specified, a + * ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * + * + * + * When the BackendRef points to a Kubernetes Service, implementations SHOULD + * honor the appProtocol field if it is set for the target Service Port. + * + * + * Implementations supporting appProtocol SHOULD recognize the Kubernetes + * Standard Application Protocols defined in KEP-3726. + * + * + * If a Service appProtocol isn't specified, an implementation MAY infer the + * backend protocol through its own means. Implementations MAY infer the + * protocol from the Route type referring to the backend Service. + * + * + * If a Route is not able to send traffic to the backend using the specified + * protocol then the backend is considered invalid. Implementations MUST set the + * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * + */ + export interface GRPCRouteSpecRulesBackendRefs { + /** + * Filters defined at this level MUST be executed if and only if the + * request is being forwarded to the backend defined here. + * + * + * Support: Implementation-specific (For broader support of filters, use the + * Filters field in GRPCRouteRule.) + */ + filters: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFilters[]; + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. 
They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port: number; + /** + * Weight specifies the proportion of requests forwarded to the referenced + * backend. This is computed as weight/(sum of all weights in this + * BackendRefs list). For non-zero values, there may be some epsilon from + * the exact proportion defined here depending on the precision an + * implementation supports. Weight is not a percentage and the sum of + * weights does not need to equal 100. + * + * + * If only one backend is specified and it has a weight greater than 0, 100% + * of the traffic is forwarded to that backend. If weight is set to 0, no + * traffic should be forwarded for this entry. If unspecified, weight + * defaults to 1. + * + * + * Support for this field varies based on the context where used. 
+ */ + weight: number; + } + + /** + * GRPCRouteFilter defines processing steps that must be completed during the + * request or response lifecycle. GRPCRouteFilters are meant as an extension + * point to express processing that may be done in Gateway implementations. Some + * examples include request or response modification, implementing + * authentication strategies, rate-limiting, and traffic shaping. API + * guarantee/conformance is defined based on the type of the filter. + */ + export interface GRPCRouteSpecRulesBackendRefsFilters { + extensionRef: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersExtensionRef; + requestHeaderModifier: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier; + requestMirror: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestMirror; + responseHeaderModifier: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier; + /** + * Type identifies the type of filter to apply. As with other API fields, + * types are classified into three conformance levels: + * + * + * - Core: Filter types and their corresponding configuration defined by + * "Support: Core" in this package, e.g. "RequestHeaderModifier". All + * implementations supporting GRPCRoute MUST support core filters. + * + * + * - Extended: Filter types and their corresponding configuration defined by + * "Support: Extended" in this package, e.g. "RequestMirror". Implementers + * are encouraged to support extended filters. + * + * + * - Implementation-specific: Filters that are defined and supported by specific vendors. + * In the future, filters showing convergence in behavior across multiple + * implementations will be considered for inclusion in extended or core + * conformance levels. Filter-specific configuration for such filters + * is specified using the ExtensionRef field. `Type` MUST be set to + * "ExtensionRef" for custom filters. 
+ * + * + * Implementers are encouraged to define custom implementation types to + * extend the core API with implementation-specific behavior. + * + * + * If a reference to a custom filter type cannot be resolved, the filter + * MUST NOT be skipped. Instead, requests that would have been processed by + * that filter MUST receive a HTTP error response. + */ + type: string; + } + + /** + * ExtensionRef is an optional, implementation-specific extension to the + * "filter" behavior. For example, resource "myroutefilter" in group + * "networking.example.net"). ExtensionRef MUST NOT be used for core and + * extended filters. + * + * + * Support: Implementation-specific + * + * + * This filter can be used multiple times within the same rule. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRef { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is kind of the referent. For example "HTTPRoute" or "Service". + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + } + + /** + * ExtensionRef is an optional, implementation-specific extension to the + * "filter" behavior. For example, resource "myroutefilter" in group + * "networking.example.net"). ExtensionRef MUST NOT be used for core and + * extended filters. + * + * + * Support: Implementation-specific + * + * + * This filter can be used multiple times within the same rule. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is kind of the referent. For example "HTTPRoute" or "Service". + */ + kind: string; + /** + * Name is the name of the referent. 
+ */ + name: string; + } + + /** + * GRPCRouteFilter defines processing steps that must be completed during the + * request or response lifecycle. GRPCRouteFilters are meant as an extension + * point to express processing that may be done in Gateway implementations. Some + * examples include request or response modification, implementing + * authentication strategies, rate-limiting, and traffic shaping. API + * guarantee/conformance is defined based on the type of the filter. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersPatch { + extensionRef: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch; + requestHeaderModifier: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch; + requestMirror: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch; + responseHeaderModifier: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch; + /** + * Type identifies the type of filter to apply. As with other API fields, + * types are classified into three conformance levels: + * + * + * - Core: Filter types and their corresponding configuration defined by + * "Support: Core" in this package, e.g. "RequestHeaderModifier". All + * implementations supporting GRPCRoute MUST support core filters. + * + * + * - Extended: Filter types and their corresponding configuration defined by + * "Support: Extended" in this package, e.g. "RequestMirror". Implementers + * are encouraged to support extended filters. + * + * + * - Implementation-specific: Filters that are defined and supported by specific vendors. + * In the future, filters showing convergence in behavior across multiple + * implementations will be considered for inclusion in extended or core + * conformance levels. Filter-specific configuration for such filters + * is specified using the ExtensionRef field. `Type` MUST be set to + * "ExtensionRef" for custom filters. 
+ * + * + * Implementers are encouraged to define custom implementation types to + * extend the core API with implementation-specific behavior. + * + * + * If a reference to a custom filter type cannot be resolved, the filter + * MUST NOT be skipped. Instead, requests that would have been processed by + * that filter MUST receive a HTTP error response. + */ + type: string; + } + + /** + * RequestHeaderModifier defines a schema for a filter that modifies request + * headers. + * + * + * Support: Core + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd[]; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove: string[]; + /** + * Set overwrites the request with the given header (name, value) + * before the action. 
+ * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet[]; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + + /** + * RequestHeaderModifier defines a schema for a filter that modifies request + * headers. 
+ * + * + * Support: Core + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch[]; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove: string[]; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch[]; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. 
Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + + /** + * RequestMirror defines a schema for a filter that mirrors requests. + * Requests are sent to the specified destination, but responses from + * that destination are ignored. + * + * + * This filter can be used multiple times within the same rule. Note that + * not all implementations will be able to support mirroring to multiple + * backends. + * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirror { + backendRef: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef; + } + + /** + * BackendRef references a resource where mirrored requests are sent. + * + * + * Mirrored requests must be sent only to a single destination endpoint + * within this BackendRef, irrespective of how many endpoints are present + * within this BackendRef. + * + * + * If the referent cannot be found, this BackendRef is invalid and must be + * dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" + * condition on the Route status is set to `status: False` and not configure + * this backend in the underlying implementation. + * + * + * If there is a cross-namespace reference to an *existing* object + * that is not allowed by a ReferenceGrant, the controller must ensure the + * "ResolvedRefs" condition on the Route is set to `status: False`, + * with the "RefNotPermitted" reason and not configure this backend in the + * underlying implementation. + * + * + * In either error case, the Message of the `ResolvedRefs` Condition + * should be used to provide more detail about the problem. + * + * + * Support: Extended for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. 
+ * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port: number; + } + + /** + * BackendRef references a resource where mirrored requests are sent. + * + * + * Mirrored requests must be sent only to a single destination endpoint + * within this BackendRef, irrespective of how many endpoints are present + * within this BackendRef. + * + * + * If the referent cannot be found, this BackendRef is invalid and must be + * dropped from the Gateway. The controller must ensure the "ResolvedRefs" + * condition on the Route status is set to `status: False` and not configure + * this backend in the underlying implementation. + * + * + * If there is a cross-namespace reference to an *existing* object + * that is not allowed by a ReferenceGrant, the controller must ensure the + * "ResolvedRefs" condition on the Route is set to `status: False`, + * with the "RefNotPermitted" reason and not configure this backend in the + * underlying implementation. + * + * + * In either error case, the Message of the `ResolvedRefs` Condition + * should be used to provide more detail about the problem. + * + * + * Support: Extended for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". 
+ * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port: number; + } + + /** + * RequestMirror defines a schema for a filter that mirrors requests. + * Requests are sent to the specified destination, but responses from + * that destination are ignored. + * + * + * This filter can be used multiple times within the same rule. Note that + * not all implementations will be able to support mirroring to multiple + * backends. 
+ * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch { + backendRef: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch; + } + + /** + * ResponseHeaderModifier defines a schema for a filter that modifies response + * headers. + * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd[]; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove: string[]; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet[]; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. 
+ */ + export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + + /** + * ResponseHeaderModifier defines a schema for a filter that modifies response + * headers. + * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. 
+ * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch[]; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove: string[]; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch[]; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. 
+ */ + value: string; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + + /** + * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + * + * + * Note that when a namespace different than the local namespace is specified, a + * ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * + * + * + * When the BackendRef points to a Kubernetes Service, implementations SHOULD + * honor the appProtocol field if it is set for the target Service Port. + * + * + * Implementations supporting appProtocol SHOULD recognize the Kubernetes + * Standard Application Protocols defined in KEP-3726. + * + * + * If a Service appProtocol isn't specified, an implementation MAY infer the + * backend protocol through its own means. Implementations MAY infer the + * protocol from the Route type referring to the backend Service. + * + * + * If a Route is not able to send traffic to the backend using the specified + * protocol then the backend is considered invalid. Implementations MUST set the + * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. 
+ * + * + * + */ + export interface GRPCRouteSpecRulesBackendRefsPatch { + /** + * Filters defined at this level MUST be executed if and only if the + * request is being forwarded to the backend defined here. + * + * + * Support: Implementation-specific (For broader support of filters, use the + * Filters field in GRPCRouteRule.) + */ + filters: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsFiltersPatch[]; + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. 
+ * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port: number; + /** + * Weight specifies the proportion of requests forwarded to the referenced + * backend. This is computed as weight/(sum of all weights in this + * BackendRefs list). For non-zero values, there may be some epsilon from + * the exact proportion defined here depending on the precision an + * implementation supports. Weight is not a percentage and the sum of + * weights does not need to equal 100. + * + * + * If only one backend is specified and it has a weight greater than 0, 100% + * of the traffic is forwarded to that backend. If weight is set to 0, no + * traffic should be forwarded for this entry. If unspecified, weight + * defaults to 1. + * + * + * Support for this field varies based on the context where used. + */ + weight: number; + } + + /** + * GRPCRouteFilter defines processing steps that must be completed during the + * request or response lifecycle. GRPCRouteFilters are meant as an extension + * point to express processing that may be done in Gateway implementations. Some + * examples include request or response modification, implementing + * authentication strategies, rate-limiting, and traffic shaping. API + * guarantee/conformance is defined based on the type of the filter. + */ + export interface GRPCRouteSpecRulesFilters { + extensionRef: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersExtensionRef; + requestHeaderModifier: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestHeaderModifier; + requestMirror: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestMirror; + responseHeaderModifier: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersResponseHeaderModifier; + /** + * Type identifies the type of filter to apply. 
As with other API fields, + * types are classified into three conformance levels: + * + * + * - Core: Filter types and their corresponding configuration defined by + * "Support: Core" in this package, e.g. "RequestHeaderModifier". All + * implementations supporting GRPCRoute MUST support core filters. + * + * + * - Extended: Filter types and their corresponding configuration defined by + * "Support: Extended" in this package, e.g. "RequestMirror". Implementers + * are encouraged to support extended filters. + * + * + * - Implementation-specific: Filters that are defined and supported by specific vendors. + * In the future, filters showing convergence in behavior across multiple + * implementations will be considered for inclusion in extended or core + * conformance levels. Filter-specific configuration for such filters + * is specified using the ExtensionRef field. `Type` MUST be set to + * "ExtensionRef" for custom filters. + * + * + * Implementers are encouraged to define custom implementation types to + * extend the core API with implementation-specific behavior. + * + * + * If a reference to a custom filter type cannot be resolved, the filter + * MUST NOT be skipped. Instead, requests that would have been processed by + * that filter MUST receive a HTTP error response. + */ + type: string; + } + + /** + * ExtensionRef is an optional, implementation-specific extension to the + * "filter" behavior. For example, resource "myroutefilter" in group + * "networking.example.net"). ExtensionRef MUST NOT be used for core and + * extended filters. + * + * + * Support: Implementation-specific + * + * + * This filter can be used multiple times within the same rule. + */ + export interface GRPCRouteSpecRulesFiltersExtensionRef { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is kind of the referent. 
For example "HTTPRoute" or "Service". + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + } + + /** + * ExtensionRef is an optional, implementation-specific extension to the + * "filter" behavior. For example, resource "myroutefilter" in group + * "networking.example.net"). ExtensionRef MUST NOT be used for core and + * extended filters. + * + * + * Support: Implementation-specific + * + * + * This filter can be used multiple times within the same rule. + */ + export interface GRPCRouteSpecRulesFiltersExtensionRefPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is kind of the referent. For example "HTTPRoute" or "Service". + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + } + + /** + * GRPCRouteFilter defines processing steps that must be completed during the + * request or response lifecycle. GRPCRouteFilters are meant as an extension + * point to express processing that may be done in Gateway implementations. Some + * examples include request or response modification, implementing + * authentication strategies, rate-limiting, and traffic shaping. API + * guarantee/conformance is defined based on the type of the filter. + */ + export interface GRPCRouteSpecRulesFiltersPatch { + extensionRef: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersExtensionRefPatch; + requestHeaderModifier: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch; + requestMirror: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestMirrorPatch; + responseHeaderModifier: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch; + /** + * Type identifies the type of filter to apply. 
As with other API fields, + * types are classified into three conformance levels: + * + * + * - Core: Filter types and their corresponding configuration defined by + * "Support: Core" in this package, e.g. "RequestHeaderModifier". All + * implementations supporting GRPCRoute MUST support core filters. + * + * + * - Extended: Filter types and their corresponding configuration defined by + * "Support: Extended" in this package, e.g. "RequestMirror". Implementers + * are encouraged to support extended filters. + * + * + * - Implementation-specific: Filters that are defined and supported by specific vendors. + * In the future, filters showing convergence in behavior across multiple + * implementations will be considered for inclusion in extended or core + * conformance levels. Filter-specific configuration for such filters + * is specified using the ExtensionRef field. `Type` MUST be set to + * "ExtensionRef" for custom filters. + * + * + * Implementers are encouraged to define custom implementation types to + * extend the core API with implementation-specific behavior. + * + * + * If a reference to a custom filter type cannot be resolved, the filter + * MUST NOT be skipped. Instead, requests that would have been processed by + * that filter MUST receive a HTTP error response. + */ + type: string; + } + + /** + * RequestHeaderModifier defines a schema for a filter that modifies request + * headers. + * + * + * Support: Core + */ + export interface GRPCRouteSpecRulesFiltersRequestHeaderModifier { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. 
+ * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd[]; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove: string[]; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestHeaderModifierSet[]; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. 
+ */ + value: string; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + + /** + * RequestHeaderModifier defines a schema for a filter that modifies request + * headers. + * + * + * Support: Core + */ + export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch[]; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove: string[]; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch[]; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSet { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. 
Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + + /** + * RequestMirror defines a schema for a filter that mirrors requests. + * Requests are sent to the specified destination, but responses from + * that destination are ignored. + * + * + * This filter can be used multiple times within the same rule. Note that + * not all implementations will be able to support mirroring to multiple + * backends. + * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesFiltersRequestMirror { + backendRef: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestMirrorBackendRef; + } + + /** + * BackendRef references a resource where mirrored requests are sent. + * + * + * Mirrored requests must be sent only to a single destination endpoint + * within this BackendRef, irrespective of how many endpoints are present + * within this BackendRef. + * + * + * If the referent cannot be found, this BackendRef is invalid and must be + * dropped from the Gateway. The controller must ensure the "ResolvedRefs" + * condition on the Route status is set to `status: False` and not configure + * this backend in the underlying implementation. + * + * + * If there is a cross-namespace reference to an *existing* object + * that is not allowed by a ReferenceGrant, the controller must ensure the + * "ResolvedRefs" condition on the Route is set to `status: False`, + * with the "RefNotPermitted" reason and not configure this backend in the + * underlying implementation. + * + * + * In either error case, the Message of the `ResolvedRefs` Condition + * should be used to provide more detail about the problem. 
+ * + * + * Support: Extended for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + */ + export interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRef { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. + * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port: number; + } + + /** + * BackendRef references a resource where mirrored requests are sent. 
+ * + * + * Mirrored requests must be sent only to a single destination endpoint + * within this BackendRef, irrespective of how many endpoints are present + * within this BackendRef. + * + * + * If the referent cannot be found, this BackendRef is invalid and must be + * dropped from the Gateway. The controller must ensure the "ResolvedRefs" + * condition on the Route status is set to `status: False` and not configure + * this backend in the underlying implementation. + * + * + * If there is a cross-namespace reference to an *existing* object + * that is not allowed by a ReferenceGrant, the controller must ensure the + * "ResolvedRefs" condition on the Route is set to `status: False`, + * with the "RefNotPermitted" reason and not configure this backend in the + * underlying implementation. + * + * + * In either error case, the Message of the `ResolvedRefs` Condition + * should be used to provide more detail about the problem. + * + * + * Support: Extended for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + */ + export interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is the Kubernetes resource kind of the referent. For example + * "Service". + * + * + * Defaults to "Service" when not specified. + * + * + * ExternalName services can refer to CNAME DNS records that may live + * outside of the cluster and as such are difficult to reason about in + * terms of conformance. They also may not be safe to forward to (see + * CVE-2021-25740 for more information). Implementations SHOULD NOT + * support ExternalName Services. 
+ * + * + * Support: Core (Services with a type other than ExternalName) + * + * + * Support: Implementation-specific (Services with type ExternalName) + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the backend. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + /** + * Port specifies the destination port number to use for this resource. + * Port is required when the referent is a Kubernetes Service. In this + * case, the port number is the service port number, not the target port. + * For other resources, destination port might be derived from the referent + * resource or this field. + */ + port: number; + } + + /** + * RequestMirror defines a schema for a filter that mirrors requests. + * Requests are sent to the specified destination, but responses from + * that destination are ignored. + * + * + * This filter can be used multiple times within the same rule. Note that + * not all implementations will be able to support mirroring to multiple + * backends. + * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesFiltersRequestMirrorPatch { + backendRef: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch; + } + + /** + * ResponseHeaderModifier defines a schema for a filter that modifies response + * headers. + * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesFiltersResponseHeaderModifier { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. 
+ * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd[]; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove: string[]; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersResponseHeaderModifierSet[]; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. 
+ */ + value: string; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + + /** + * ResponseHeaderModifier defines a schema for a filter that modifies response + * headers. + * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch { + /** + * Add adds the given header(s) (name, value) to the request + * before the action. It appends to any existing values associated + * with the header name. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * add: + * - name: "my-header" + * value: "bar,baz" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: foo,bar,baz + */ + add: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch[]; + /** + * Remove the given header(s) from the HTTP request before the action. The + * value of Remove is a list of HTTP header names. Note that the header + * names are case-insensitive (see + * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ * + * + * Input: + * GET /foo HTTP/1.1 + * my-header1: foo + * my-header2: bar + * my-header3: baz + * + * + * Config: + * remove: ["my-header1", "my-header3"] + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header2: bar + */ + remove: string[]; + /** + * Set overwrites the request with the given header (name, value) + * before the action. + * + * + * Input: + * GET /foo HTTP/1.1 + * my-header: foo + * + * + * Config: + * set: + * - name: "my-header" + * value: "bar" + * + * + * Output: + * GET /foo HTTP/1.1 + * my-header: bar + */ + set: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch[]; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSet { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + + /** + * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + */ + export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch { + /** + * Name is the name of the HTTP Header to be matched. Name matching MUST be + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * + * + * If multiple entries specify equivalent header names, the first entry with + * an equivalent name MUST be considered for a match. Subsequent entries + * with an equivalent header name MUST be ignored. 
Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Value is the value of HTTP Header to be matched. + */ + value: string; + } + + /** + * GRPCRouteMatch defines the predicate used to match requests to a given + * action. Multiple match types are ANDed together, i.e. the match will + * evaluate to true only if all conditions are satisfied. + * + * + * For example, the match below will match a gRPC request only if its service + * is `foo` AND it contains the `version: v1` header: + * + * + * ``` + * matches: + * - method: + * type: Exact + * service: "foo" + * headers: + * - name: "version" + * value "v1" + * + * + * ``` + */ + export interface GRPCRouteSpecRulesMatches { + /** + * Headers specifies gRPC request header matchers. Multiple match values are + * ANDed together, meaning, a request MUST match all the specified headers + * to select the route. + */ + headers: outputs.gateway.v1alpha2.GRPCRouteSpecRulesMatchesHeaders[]; + method: outputs.gateway.v1alpha2.GRPCRouteSpecRulesMatchesMethod; + } + + /** + * GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request + * headers. + */ + export interface GRPCRouteSpecRulesMatchesHeaders { + /** + * Name is the name of the gRPC Header to be matched. + * + * + * If multiple entries specify equivalent header names, only the first + * entry with an equivalent name MUST be considered for a match. Subsequent + * entries with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Type specifies how to match against the value of the header. + */ + type: string; + /** + * Value is the value of the gRPC Header to be matched. + */ + value: string; + } + + /** + * GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request + * headers. 
+ */ + export interface GRPCRouteSpecRulesMatchesHeadersPatch { + /** + * Name is the name of the gRPC Header to be matched. + * + * + * If multiple entries specify equivalent header names, only the first + * entry with an equivalent name MUST be considered for a match. Subsequent + * entries with an equivalent header name MUST be ignored. Due to the + * case-insensitivity of header names, "foo" and "Foo" are considered + * equivalent. + */ + name: string; + /** + * Type specifies how to match against the value of the header. + */ + type: string; + /** + * Value is the value of the gRPC Header to be matched. + */ + value: string; + } + + /** + * Method specifies a gRPC request service/method matcher. If this field is + * not specified, all services and methods will match. + */ + export interface GRPCRouteSpecRulesMatchesMethod { + /** + * Value of the method to match against. If left empty or omitted, will + * match all services. + * + * + * At least one of Service and Method MUST be a non-empty string. + */ + method: string; + /** + * Value of the service to match against. If left empty or omitted, will + * match any service. + * + * + * At least one of Service and Method MUST be a non-empty string. + */ + service: string; + /** + * Type specifies how to match against the service and/or method. + * Support: Core (Exact with service and method specified) + * + * + * Support: Implementation-specific (Exact with method specified but no service specified) + * + * + * Support: Implementation-specific (RegularExpression) + */ + type: string; + } + + /** + * Method specifies a gRPC request service/method matcher. If this field is + * not specified, all services and methods will match. + */ + export interface GRPCRouteSpecRulesMatchesMethodPatch { + /** + * Value of the method to match against. If left empty or omitted, will + * match all services. + * + * + * At least one of Service and Method MUST be a non-empty string. 
+ */ + method: string; + /** + * Value of the service to match against. If left empty or omitted, will + * match any service. + * + * + * At least one of Service and Method MUST be a non-empty string. + */ + service: string; + /** + * Type specifies how to match against the service and/or method. + * Support: Core (Exact with service and method specified) + * + * + * Support: Implementation-specific (Exact with method specified but no service specified) + * + * + * Support: Implementation-specific (RegularExpression) + */ + type: string; + } + + /** + * GRPCRouteMatch defines the predicate used to match requests to a given + * action. Multiple match types are ANDed together, i.e. the match will + * evaluate to true only if all conditions are satisfied. + * + * + * For example, the match below will match a gRPC request only if its service + * is `foo` AND it contains the `version: v1` header: + * + * + * ``` + * matches: + * - method: + * type: Exact + * service: "foo" + * headers: + * - name: "version" + * value "v1" + * + * + * ``` + */ + export interface GRPCRouteSpecRulesMatchesPatch { + /** + * Headers specifies gRPC request header matchers. Multiple match values are + * ANDed together, meaning, a request MUST match all the specified headers + * to select the route. + */ + headers: outputs.gateway.v1alpha2.GRPCRouteSpecRulesMatchesHeadersPatch[]; + method: outputs.gateway.v1alpha2.GRPCRouteSpecRulesMatchesMethodPatch; + } + + /** + * GRPCRouteRule defines the semantics for matching a gRPC request based on + * conditions (matches), processing it (filters), and forwarding the request to + * an API object (backendRefs). + */ + export interface GRPCRouteSpecRulesPatch { + /** + * BackendRefs defines the backend(s) where matching requests should be + * sent. + * + * + * Failure behavior here depends on how many BackendRefs are specified and + * how many are invalid. 
+ * + * + * If *all* entries in BackendRefs are invalid, and there are also no filters + * specified in this route rule, *all* traffic which matches this rule MUST + * receive an `UNAVAILABLE` status. + * + * + * See the GRPCBackendRef definition for the rules about what makes a single + * GRPCBackendRef invalid. + * + * + * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for + * requests that would have otherwise been routed to an invalid backend. If + * multiple backends are specified, and some are invalid, the proportion of + * requests that would otherwise have been routed to an invalid backend + * MUST receive an `UNAVAILABLE` status. + * + * + * For example, if two backends are specified with equal weights, and one is + * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. + * Implementations may choose how that 50 percent is determined. + * + * + * Support: Core for Kubernetes Service + * + * + * Support: Implementation-specific for any other resource + * + * + * Support for weight: Core + */ + backendRefs: outputs.gateway.v1alpha2.GRPCRouteSpecRulesBackendRefsPatch[]; + /** + * Filters define the filters that are applied to requests that match + * this rule. + * + * + * The effects of ordering of multiple behaviors are currently unspecified. + * This can change in the future based on feedback during the alpha stage. + * + * + * Conformance-levels at this level are defined based on the type of filter: + * + * + * - ALL core filters MUST be supported by all implementations that support + * GRPCRoute. + * - Implementers are encouraged to support extended filters. + * - Implementation-specific custom filters have no API guarantees across + * implementations. + * + * + * Specifying the same filter multiple times is not supported unless explicitly + * indicated in the filter. + * + * + * If an implementation can not support a combination of filters, it must clearly + * document that limitation. 
In cases where incompatible or unsupported + * filters are specified and cause the `Accepted` condition to be set to status + * `False`, implementations may use the `IncompatibleFilters` reason to specify + * this configuration error. + * + * + * Support: Core + */ + filters: outputs.gateway.v1alpha2.GRPCRouteSpecRulesFiltersPatch[]; + /** + * Matches define conditions used for matching the rule against incoming + * gRPC requests. Each match is independent, i.e. this rule will be matched + * if **any** one of the matches is satisfied. + * + * + * For example, take the following matches configuration: + * + * + * ``` + * matches: + * - method: + * service: foo.bar + * headers: + * values: + * version: 2 + * - method: + * service: foo.bar.v2 + * ``` + * + * + * For a request to match against this rule, it MUST satisfy + * EITHER of the two conditions: + * + * + * - service of foo.bar AND contains the header `version: 2` + * - service of foo.bar.v2 + * + * + * See the documentation for GRPCRouteMatch on how to specify multiple + * match conditions to be ANDed together. + * + * + * If no matches are specified, the implementation MUST match every gRPC request. + * + * + * Proxy or Load Balancer routing configuration generated from GRPCRoutes + * MUST prioritize rules based on the following criteria, continuing on + * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + * Precedence MUST be given to the rule with the largest number of: + * + * + * * Characters in a matching non-wildcard hostname. + * * Characters in a matching hostname. + * * Characters in a matching service. + * * Characters in a matching method. + * * Header matches. + * + * + * If ties still exist across multiple Routes, matching precedence MUST be + * determined in order of the following criteria, continuing on ties: + * + * + * * The oldest Route based on creation timestamp. + * * The Route appearing first in alphabetical order by + * "{namespace}/{name}". 
+ * + * + * If ties still exist within the Route that has been given precedence, + * matching precedence MUST be granted to the first matching rule meeting + * the above criteria. + */ + matches: outputs.gateway.v1alpha2.GRPCRouteSpecRulesMatchesPatch[]; + sessionPersistence: outputs.gateway.v1alpha2.GRPCRouteSpecRulesSessionPersistencePatch; + } + + /** + * SessionPersistence defines and configures session persistence + * for the route rule. + * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesSessionPersistence { + /** + * AbsoluteTimeout defines the absolute timeout of the persistent + * session. Once the AbsoluteTimeout duration has elapsed, the + * session becomes invalid. + * + * + * Support: Extended + */ + absoluteTimeout: string; + cookieConfig: outputs.gateway.v1alpha2.GRPCRouteSpecRulesSessionPersistenceCookieConfig; + /** + * IdleTimeout defines the idle timeout of the persistent session. + * Once the session has been idle for more than the specified + * IdleTimeout duration, the session becomes invalid. + * + * + * Support: Extended + */ + idleTimeout: string; + /** + * SessionName defines the name of the persistent session token + * which may be reflected in the cookie or the header. Users + * should avoid reusing session names to prevent unintended + * consequences, such as rejection or unpredictable behavior. + * + * + * Support: Implementation-specific + */ + sessionName: string; + /** + * Type defines the type of session persistence such as through + * the use a header or cookie. Defaults to cookie based session + * persistence. + * + * + * Support: Core for "Cookie" type + * + * + * Support: Extended for "Header" type + */ + type: string; + } + + /** + * CookieConfig provides configuration settings that are specific + * to cookie-based session persistence. 
+ * + * + * Support: Core + */ + export interface GRPCRouteSpecRulesSessionPersistenceCookieConfig { + /** + * LifetimeType specifies whether the cookie has a permanent or + * session-based lifetime. A permanent cookie persists until its + * specified expiry time, defined by the Expires or Max-Age cookie + * attributes, while a session cookie is deleted when the current + * session ends. + * + * + * When set to "Permanent", AbsoluteTimeout indicates the + * cookie's lifetime via the Expires or Max-Age cookie attributes + * and is required. + * + * + * When set to "Session", AbsoluteTimeout indicates the + * absolute lifetime of the cookie tracked by the gateway and + * is optional. + * + * + * Support: Core for "Session" type + * + * + * Support: Extended for "Permanent" type + */ + lifetimeType: string; + } + + /** + * CookieConfig provides configuration settings that are specific + * to cookie-based session persistence. + * + * + * Support: Core + */ + export interface GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch { + /** + * LifetimeType specifies whether the cookie has a permanent or + * session-based lifetime. A permanent cookie persists until its + * specified expiry time, defined by the Expires or Max-Age cookie + * attributes, while a session cookie is deleted when the current + * session ends. + * + * + * When set to "Permanent", AbsoluteTimeout indicates the + * cookie's lifetime via the Expires or Max-Age cookie attributes + * and is required. + * + * + * When set to "Session", AbsoluteTimeout indicates the + * absolute lifetime of the cookie tracked by the gateway and + * is optional. + * + * + * Support: Core for "Session" type + * + * + * Support: Extended for "Permanent" type + */ + lifetimeType: string; + } + + /** + * SessionPersistence defines and configures session persistence + * for the route rule. 
+ * + * + * Support: Extended + */ + export interface GRPCRouteSpecRulesSessionPersistencePatch { + /** + * AbsoluteTimeout defines the absolute timeout of the persistent + * session. Once the AbsoluteTimeout duration has elapsed, the + * session becomes invalid. + * + * + * Support: Extended + */ + absoluteTimeout: string; + cookieConfig: outputs.gateway.v1alpha2.GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch; + /** + * IdleTimeout defines the idle timeout of the persistent session. + * Once the session has been idle for more than the specified + * IdleTimeout duration, the session becomes invalid. + * + * + * Support: Extended + */ + idleTimeout: string; + /** + * SessionName defines the name of the persistent session token + * which may be reflected in the cookie or the header. Users + * should avoid reusing session names to prevent unintended + * consequences, such as rejection or unpredictable behavior. + * + * + * Support: Implementation-specific + */ + sessionName: string; + /** + * Type defines the type of session persistence such as through + * the use a header or cookie. Defaults to cookie based session + * persistence. + * + * + * Support: Core for "Cookie" type + * + * + * Support: Extended for "Header" type + */ + type: string; + } + + /** + * Status defines the current state of GRPCRoute. + */ + export interface GRPCRouteStatus { + /** + * Parents is a list of parent resources (usually Gateways) that are + * associated with the route, and the status of the route with respect to + * each parent. When this route attaches to a parent, the controller that + * manages the parent must add an entry to this list when the controller + * first sees the route and should update the entry as appropriate when the + * route or gateway is modified. + * + * + * Note that parent references that cannot be resolved by an implementation + * of this API will not be added to this list. 
Implementations of this API + * can only populate Route status for the Gateways/parent resources they are + * responsible for. + * + * + * A maximum of 32 Gateways will be represented in this list. An empty list + * means the route has not been attached to any Gateway. + */ + parents: outputs.gateway.v1alpha2.GRPCRouteStatusParents[]; + } + + /** + * RouteParentStatus describes the status of a route with respect to an + * associated Parent. + */ + export interface GRPCRouteStatusParents { + /** + * Conditions describes the status of the route with respect to the Gateway. + * Note that the route's availability is also subject to the Gateway's own + * status conditions and listener status. + * + * + * If the Route's ParentRef specifies an existing Gateway that supports + * Routes of this kind AND that Gateway's controller has sufficient access, + * then that Gateway's controller MUST set the "Accepted" condition on the + * Route, to indicate whether the route has been accepted or rejected by the + * Gateway, and why. + * + * + * A Route MUST be considered "Accepted" if at least one of the Route's + * rules is implemented by the Gateway. + * + * + * There are a number of cases where the "Accepted" condition may not be set + * due to lack of controller visibility, that includes when: + * + * + * * The Route refers to a non-existent parent. + * * The Route is of a type that the controller does not support. + * * The Route is in a namespace the controller does not have access to. + */ + conditions: outputs.gateway.v1alpha2.GRPCRouteStatusParentsConditions[]; + /** + * ControllerName is a domain/path string that indicates the name of the + * controller that wrote this status. This corresponds with the + * controllerName field on GatewayClass. + * + * + * Example: "example.net/gateway-controller". 
+ * + * + * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + * valid Kubernetes names + * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + * + * + * Controllers MUST populate this field when writing status. Controllers should ensure that + * entries to status populated with their ControllerName are cleaned up when they are no + * longer necessary. + */ + controllerName: string; + parentRef: outputs.gateway.v1alpha2.GRPCRouteStatusParentsParentRef; + } + + /** + * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } + */ + export interface GRPCRouteStatusParentsConditions { + /** + * lastTransitionTime is the last time the condition transitioned from one status to another. + * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + */ + lastTransitionTime: string; + /** + * message is a human readable message indicating details about the transition. + * This may be an empty string. + */ + message: string; + /** + * observedGeneration represents the .metadata.generation that the condition was set based upon. + * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + * with respect to the current state of the instance. 
+ */ + observedGeneration: number; + /** + * reason contains a programmatic identifier indicating the reason for the condition's last transition. + * Producers of specific condition types may define expected values and meanings for this field, + * and whether the values are considered a guaranteed API. + * The value should be a CamelCase string. + * This field may not be empty. + */ + reason: string; + /** + * status of the condition, one of True, False, Unknown. + */ + status: string; + /** + * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + */ + type: string; + } + + /** + * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } + */ + export interface GRPCRouteStatusParentsConditionsPatch { + /** + * lastTransitionTime is the last time the condition transitioned from one status to another. + * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + */ + lastTransitionTime: string; + /** + * message is a human readable message indicating details about the transition. 
+ * This may be an empty string. + */ + message: string; + /** + * observedGeneration represents the .metadata.generation that the condition was set based upon. + * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + * with respect to the current state of the instance. + */ + observedGeneration: number; + /** + * reason contains a programmatic identifier indicating the reason for the condition's last transition. + * Producers of specific condition types may define expected values and meanings for this field, + * and whether the values are considered a guaranteed API. + * The value should be a CamelCase string. + * This field may not be empty. + */ + reason: string; + /** + * status of the condition, one of True, False, Unknown. + */ + status: string; + /** + * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + */ + type: string; + } + + /** + * ParentRef corresponds with a ParentRef in the spec that this + * RouteParentStatus struct describes the status of. + */ + export interface GRPCRouteStatusParentsParentRef { + /** + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. + * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core + */ + group: string; + /** + * Kind is kind of the referent. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. 
+ */ + kind: string; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name: string; + /** + * Namespace is the namespace of the referent. When unspecified, this refers + * to the local namespace of the Route. + * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. + * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + * + * + * + * Support: Core + */ + namespace: string; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. + * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. 
When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. + * + * + * + * Implementations MAY choose to support other parent resources. + * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. + * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. + * + * + * Support: Extended + */ + port: number; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. + * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. + * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. + * + * + * Support: Core + */ + sectionName: string; + } + + /** + * ParentRef corresponds with a ParentRef in the spec that this + * RouteParentStatus struct describes the status of. + */ + export interface GRPCRouteStatusParentsParentRefPatch { + /** + * Group is the group of the referent. + * When unspecified, "gateway.networking.k8s.io" is inferred. + * To set the core API group (such as for a "Service" kind referent), + * Group must be explicitly set to "" (empty string). + * + * + * Support: Core + */ + group: string; + /** + * Kind is kind of the referent. + * + * + * There are two kinds of parent resources with "Core" support: + * + * + * * Gateway (Gateway conformance profile) + * * Service (Mesh conformance profile, ClusterIP Services only) + * + * + * Support for other resources is Implementation-Specific. + */ + kind: string; + /** + * Name is the name of the referent. + * + * + * Support: Core + */ + name: string; + /** + * Namespace is the namespace of the referent. When unspecified, this refers + * to the local namespace of the Route. + * + * + * Note that there are specific rules for ParentRefs which cross namespace + * boundaries. Cross-namespace references are only valid if they are explicitly + * allowed by something in the namespace they are referring to. For example: + * Gateway has the AllowedRoutes field, and ReferenceGrant provides a + * generic way to enable any other kind of cross-namespace reference. + * + * + * + * ParentRefs from a Route to a Service in the same namespace are "producer" + * routes, which apply default routing rules to inbound connections from + * any namespace to the Service. 
+ * + * + * ParentRefs from a Route to a Service in a different namespace are + * "consumer" routes, and these routing rules are only applied to outbound + * connections originating from the same namespace as the Route, for which + * the intended destination of the connections are a Service targeted as a + * ParentRef of the Route. + * + * + * + * Support: Core + */ + namespace: string; + /** + * Port is the network port this Route targets. It can be interpreted + * differently based on the type of parent resource. + * + * + * When the parent resource is a Gateway, this targets all listeners + * listening on the specified port that also support this kind of Route(and + * select this Route). It's not recommended to set `Port` unless the + * networking behaviors specified in a Route must apply to a specific port + * as opposed to a listener(s) whose port(s) may be changed. When both Port + * and SectionName are specified, the name and port of the selected listener + * must match both specified values. + * + * + * + * When the parent resource is a Service, this targets a specific port in the + * Service spec. When both Port (experimental) and SectionName are specified, + * the name and port of the selected port must match both specified values. + * + * + * + * Implementations MAY choose to support other parent resources. + * Implementations supporting other types of parent resources MUST clearly + * document how/if Port is interpreted. + * + * + * For the purpose of status, an attachment is considered successful as + * long as the parent resource accepts it partially. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + * from the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, + * the Route MUST be considered detached from the Gateway. 
+ * + * + * Support: Extended + */ + port: number; + /** + * SectionName is the name of a section within the target resource. In the + * following resources, SectionName is interpreted as the following: + * + * + * * Gateway: Listener name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * * Service: Port name. When both Port (experimental) and SectionName + * are specified, the name and port of the selected listener must match + * both specified values. + * + * + * Implementations MAY choose to support attaching Routes to other resources. + * If that is the case, they MUST clearly document how SectionName is + * interpreted. + * + * + * When unspecified (empty string), this will reference the entire resource. + * For the purpose of status, an attachment is considered successful if at + * least one section in the parent resource accepts it. For example, Gateway + * listeners can restrict which Routes can attach to them by Route kind, + * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + * the referencing Route, the Route MUST be considered successfully + * attached. If no Gateway listeners accept attachment from this Route, the + * Route MUST be considered detached from the Gateway. + * + * + * Support: Core + */ + sectionName: string; + } + + /** + * RouteParentStatus describes the status of a route with respect to an + * associated Parent. + */ + export interface GRPCRouteStatusParentsPatch { + /** + * Conditions describes the status of the route with respect to the Gateway. + * Note that the route's availability is also subject to the Gateway's own + * status conditions and listener status. 
+ * + * + * If the Route's ParentRef specifies an existing Gateway that supports + * Routes of this kind AND that Gateway's controller has sufficient access, + * then that Gateway's controller MUST set the "Accepted" condition on the + * Route, to indicate whether the route has been accepted or rejected by the + * Gateway, and why. + * + * + * A Route MUST be considered "Accepted" if at least one of the Route's + * rules is implemented by the Gateway. + * + * + * There are a number of cases where the "Accepted" condition may not be set + * due to lack of controller visibility, that includes when: + * + * + * * The Route refers to a non-existent parent. + * * The Route is of a type that the controller does not support. + * * The Route is in a namespace the controller does not have access to. + */ + conditions: outputs.gateway.v1alpha2.GRPCRouteStatusParentsConditionsPatch[]; + /** + * ControllerName is a domain/path string that indicates the name of the + * controller that wrote this status. This corresponds with the + * controllerName field on GatewayClass. + * + * + * Example: "example.net/gateway-controller". + * + * + * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + * valid Kubernetes names + * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + * + * + * Controllers MUST populate this field when writing status. Controllers should ensure that + * entries to status populated with their ControllerName are cleaned up when they are no + * longer necessary. + */ + controllerName: string; + parentRef: outputs.gateway.v1alpha2.GRPCRouteStatusParentsParentRefPatch; + } + + /** + * Status defines the current state of GRPCRoute. + */ + export interface GRPCRouteStatusPatch { + /** + * Parents is a list of parent resources (usually Gateways) that are + * associated with the route, and the status of the route with respect to + * each parent. 
When this route attaches to a parent, the controller that + * manages the parent must add an entry to this list when the controller + * first sees the route and should update the entry as appropriate when the + * route or gateway is modified. + * + * + * Note that parent references that cannot be resolved by an implementation + * of this API will not be added to this list. Implementations of this API + * can only populate Route status for the Gateways/parent resources they are + * responsible for. + * + * + * A maximum of 32 Gateways will be represented in this list. An empty list + * means the route has not been attached to any Gateway. + */ + parents: outputs.gateway.v1alpha2.GRPCRouteStatusParentsPatch[]; + } + + /** + * ReferenceGrant identifies kinds of resources in other namespaces that are + * trusted to reference the specified kinds of resources in the same namespace + * as the policy. + * + * + * Each ReferenceGrant can be used to represent a unique trust relationship. + * Additional Reference Grants can be used to add to the set of trusted + * sources of inbound references for the namespace they are defined within. + * + * + * A ReferenceGrant is required for all cross-namespace references in Gateway API + * (with the exception of cross-namespace Route-Gateway attachment, which is + * governed by the AllowedRoutes configuration on the Gateway, and cross-namespace + * Service ParentRefs on a "consumer" mesh Route, which defines routing rules + * applicable only to workloads in the Route namespace). ReferenceGrants allowing + * a reference from a Route to a Service are only applicable to BackendRefs. + * + * + * ReferenceGrant is a form of runtime verification allowing users to assert + * which cross-namespace object references are permitted. Implementations that + * support ReferenceGrant MUST NOT permit cross-namespace references which have + * no grant, and MUST respond to the removal of a grant by revoking the access + * that the grant allowed. 
+ */ + export interface ReferenceGrant { + /** + * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + */ + apiVersion: "gateway.networking.k8s.io/v1alpha2"; + /** + * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + */ + kind: "ReferenceGrant"; + /** + * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + */ + metadata: outputs.meta.v1.ObjectMeta; + spec: outputs.gateway.v1alpha2.ReferenceGrantSpec; + } + + /** + * Spec defines the desired state of ReferenceGrant. + */ + export interface ReferenceGrantSpec { + /** + * From describes the trusted namespaces and kinds that can reference the + * resources described in "To". Each entry in this list MUST be considered + * to be an additional place that references can be valid from, or to put + * this another way, entries MUST be combined using OR. + * + * + * Support: Core + */ + from: outputs.gateway.v1alpha2.ReferenceGrantSpecFrom[]; + /** + * To describes the resources that may be referenced by the resources + * described in "From". Each entry in this list MUST be considered to be an + * additional place that references can be valid to, or to put this another + * way, entries MUST be combined using OR. + * + * + * Support: Core + */ + to: outputs.gateway.v1alpha2.ReferenceGrantSpecTo[]; + } + + /** + * ReferenceGrantFrom describes trusted namespaces and kinds. + */ + export interface ReferenceGrantSpecFrom { + /** + * Group is the group of the referent. 
+ * When empty, the Kubernetes core API group is inferred. + * + * + * Support: Core + */ + group: string; + /** + * Kind is the kind of the referent. Although implementations may support + * additional resources, the following types are part of the "Core" + * support level for this field. + * + * + * When used to permit a SecretObjectReference: + * + * + * * Gateway + * + * + * When used to permit a BackendObjectReference: + * + * + * * GRPCRoute + * * HTTPRoute + * * TCPRoute + * * TLSRoute + * * UDPRoute + */ + kind: string; + /** + * Namespace is the namespace of the referent. + * + * + * Support: Core + */ + namespace: string; + } + + /** + * ReferenceGrantFrom describes trusted namespaces and kinds. + */ + export interface ReferenceGrantSpecFromPatch { + /** + * Group is the group of the referent. + * When empty, the Kubernetes core API group is inferred. + * + * + * Support: Core + */ + group: string; + /** + * Kind is the kind of the referent. Although implementations may support + * additional resources, the following types are part of the "Core" + * support level for this field. + * + * + * When used to permit a SecretObjectReference: + * + * + * * Gateway + * + * + * When used to permit a BackendObjectReference: + * + * + * * GRPCRoute + * * HTTPRoute + * * TCPRoute + * * TLSRoute + * * UDPRoute + */ + kind: string; + /** + * Namespace is the namespace of the referent. + * + * + * Support: Core + */ + namespace: string; + } + + /** + * Spec defines the desired state of ReferenceGrant. + */ + export interface ReferenceGrantSpecPatch { + /** + * From describes the trusted namespaces and kinds that can reference the + * resources described in "To". Each entry in this list MUST be considered + * to be an additional place that references can be valid from, or to put + * this another way, entries MUST be combined using OR. 
+ * + * + * Support: Core + */ + from: outputs.gateway.v1alpha2.ReferenceGrantSpecFromPatch[]; + /** + * To describes the resources that may be referenced by the resources + * described in "From". Each entry in this list MUST be considered to be an + * additional place that references can be valid to, or to put this another + * way, entries MUST be combined using OR. + * + * + * Support: Core + */ + to: outputs.gateway.v1alpha2.ReferenceGrantSpecToPatch[]; + } + + /** + * ReferenceGrantTo describes what Kinds are allowed as targets of the + * references. + */ + export interface ReferenceGrantSpecTo { + /** + * Group is the group of the referent. + * When empty, the Kubernetes core API group is inferred. + * + * + * Support: Core + */ + group: string; + /** + * Kind is the kind of the referent. Although implementations may support + * additional resources, the following types are part of the "Core" + * support level for this field: + * + * + * * Secret when used to permit a SecretObjectReference + * * Service when used to permit a BackendObjectReference + */ + kind: string; + /** + * Name is the name of the referent. When unspecified, this policy + * refers to all resources of the specified Group and Kind in the local + * namespace. + */ + name: string; + } + + /** + * ReferenceGrantTo describes what Kinds are allowed as targets of the + * references. + */ + export interface ReferenceGrantSpecToPatch { + /** + * Group is the group of the referent. + * When empty, the Kubernetes core API group is inferred. + * + * + * Support: Core + */ + group: string; + /** + * Kind is the kind of the referent. Although implementations may support + * additional resources, the following types are part of the "Core" + * support level for this field: + * + * + * * Secret when used to permit a SecretObjectReference + * * Service when used to permit a BackendObjectReference + */ + kind: string; + /** + * Name is the name of the referent. 
When unspecified, this policy + * refers to all resources of the specified Group and Kind in the local + * namespace. + */ + name: string; + } + /** * TCPRoute provides a way to route TCP requests. When combined with a Gateway * listener, it can be used to forward connections on the port specified by the @@ -37629,16 +30326,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -37648,8 +30350,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -37657,12 +30361,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -37670,10 +30376,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -37685,21 +30393,6 @@ export namespace gateway { * Rules are a list of TCP matchers and actions. */ rules: outputs.gateway.v1alpha2.TCPRouteSpecRules[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** @@ -37707,12 +30400,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -37723,23 +30419,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -37747,6 +30448,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -37754,10 +30456,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -37765,6 +30469,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -37772,6 +30477,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -37781,15 +30487,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -37798,6 +30507,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -37805,6 +30515,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -37812,10 +30523,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -37825,6 +30538,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -37835,12 +30549,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -37851,23 +30568,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; 
@@ -37875,6 +30597,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -37882,10 +30605,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -37893,6 +30618,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -37900,6 +30626,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -37909,15 +30636,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -37926,6 +30656,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -37933,6 +30664,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -37940,10 +30672,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -37953,6 +30687,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -37974,16 +30709,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -37993,8 +30733,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -38002,12 +30744,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -38015,10 +30759,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -38030,21 +30776,6 @@ export namespace gateway { * Rules are a list of TCP matchers and actions. */ rules: outputs.gateway.v1alpha2.TCPRouteSpecRulesPatch[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** 
@@ -38053,54 +30784,62 @@ export namespace gateway { export interface TCPRouteSpecRules { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or a + * sent. If unspecified or invalid (refers to a non-existent resource or a * Service with no endpoints), the underlying implementation MUST actively * reject connection attempts to this backend. Connection rejections must * respect weight; if an invalid backend is requested to have 80% of * connections, then 80% of connections must be rejected instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs: outputs.gateway.v1alpha2.TCPRouteSpecRulesBackendRefs[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; } /** * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. 
* + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. @@ -38115,16 +30854,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -38136,11 +30879,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -38160,11 +30905,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; @@ -38174,27 +30921,37 @@ export namespace gateway { * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. 
@@ -38209,16 +30966,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -38230,11 +30991,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -38254,11 +31017,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -38270,27 +31035,25 @@ export namespace gateway { export interface TCPRouteSpecRulesPatch { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or a + * sent. If unspecified or invalid (refers to a non-existent resource or a * Service with no endpoints), the underlying implementation MUST actively * reject connection attempts to this backend. Connection rejections must * respect weight; if an invalid backend is requested to have 80% of * connections, then 80% of connections must be rejected instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs: outputs.gateway.v1alpha2.TCPRouteSpecRulesBackendRefsPatch[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; } /** @@ -38305,11 +31068,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -38326,19 +31091,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -38348,12 +31117,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -38364,6 +31136,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface TCPRouteStatusParentsConditions { /** @@ -38396,12 +31184,32 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface TCPRouteStatusParentsConditionsPatch { /** 
@@ -38434,6 +31242,10 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -38449,23 +31261,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -38473,6 +31290,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -38480,10 +31298,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -38491,6 +31311,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -38498,6 +31319,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -38507,15 +31329,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -38524,6 +31349,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -38531,6 +31357,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -38538,10 +31365,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -38551,6 +31380,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -38567,23 +31397,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -38591,6 +31426,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -38598,10 +31434,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -38609,6 +31447,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -38616,6 +31455,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -38625,15 +31465,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -38642,6 +31485,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; 
@@ -38649,6 +31493,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -38656,10 +31501,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -38669,6 +31516,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; 
@@ -38684,19 +31532,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -38706,12 +31558,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -38732,11 +31587,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ @@ -38748,6 +31605,7 @@ export namespace gateway { * to match against TLS-specific metadata. This allows more flexibility * in matching streams for a given TLS listener. * + * * If you need to forward traffic to a single target for a TLS listener, you * could choose to use a TCPRoute with a TLS listener. */ @@ -38777,14 +31635,17 @@ export namespace gateway { * SNI attribute of TLS ClientHello message in TLS handshake. This matches * the RFC 1123 definition of a hostname with 2 notable exceptions: * + * * 1. IPs are not allowed in SNI names per RFC 6066. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and TLSRoute, there * must be at least one intersecting hostname for the TLSRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches TLSRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -38794,17 +31655,20 @@ export namespace gateway { * `test.example.com` and `*.example.com` would both match. On the other * hand, `example.com` and `test.example.net` would not match. * + * * If both the Listener and TLSRoute have specified hostnames, any * TLSRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * TLSRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and TLSRoute have specified hostnames, and none * match with the criteria above, then the TLSRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * Support: Core */ hostnames: string[]; @@ -38820,16 +31684,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -38839,8 +31708,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -38848,12 +31719,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -38861,10 +31734,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -38876,21 +31751,6 @@ export namespace gateway { * Rules are a list of TLS matchers and actions. */ rules: outputs.gateway.v1alpha2.TLSRouteSpecRules[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** @@ -38898,12 +31758,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -38914,23 +31777,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -38938,6 +31806,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -38945,10 +31814,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -38956,6 +31827,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -38963,6 +31835,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -38972,15 +31845,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -38989,6 +31865,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -38996,6 +31873,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -39003,10 +31881,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -39016,6 +31896,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -39026,12 +31907,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -39042,23 +31926,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; 
@@ -39066,6 +31955,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -39073,10 +31963,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -39084,6 +31976,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -39091,6 +31984,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -39100,15 +31994,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -39117,6 +32014,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -39124,6 +32022,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -39131,10 +32030,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -39144,6 +32045,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -39158,14 +32060,17 @@ export namespace gateway { * SNI attribute of TLS ClientHello message in TLS handshake. This matches * the RFC 1123 definition of a hostname with 2 notable exceptions: * + * * 1. IPs are not allowed in SNI names per RFC 6066. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and TLSRoute, there * must be at least one intersecting hostname for the TLSRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches TLSRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. @@ -39175,17 +32080,20 @@ export namespace gateway { * `test.example.com` and `*.example.com` would both match. On the other * hand, `example.com` and `test.example.net` would not match. * + * * If both the Listener and TLSRoute have specified hostnames, any * TLSRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * TLSRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and TLSRoute have specified hostnames, and none * match with the criteria above, then the TLSRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * Support: Core */ hostnames: string[]; 
@@ -39201,16 +32109,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -39220,8 +32133,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -39229,12 +32144,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -39242,10 +32159,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -39257,21 +32176,6 @@ export namespace gateway { * Rules are a list of TLS matchers and actions. */ rules: outputs.gateway.v1alpha2.TLSRouteSpecRulesPatch[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** 
@@ -39280,7 +32184,7 @@ export namespace gateway { export interface TLSRouteSpecRules { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or + * sent. If unspecified or invalid (refers to a non-existent resource or * a Service with no endpoints), the rule performs no forwarding; if no * filters are specified that would result in a response being sent, the * underlying implementation must actively reject request attempts to this 
@@ -39289,48 +32193,56 @@ export namespace gateway { * requested to have 80% of requests, then 80% of requests must be rejected * instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs: outputs.gateway.v1alpha2.TLSRouteSpecRulesBackendRefs[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; } /** * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. 
@@ -39345,16 +32257,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -39366,11 +32282,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -39390,11 +32308,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -39404,27 +32324,37 @@ export namespace gateway { * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. 
@@ -39439,16 +32369,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -39460,11 +32394,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -39484,11 +32420,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -39500,7 +32438,7 @@ export namespace gateway { export interface TLSRouteSpecRulesPatch { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or + * sent. If unspecified or invalid (refers to a non-existent resource or * a Service with no endpoints), the rule performs no forwarding; if no * filters are specified that would result in a response being sent, the * underlying implementation must actively reject request attempts to this @@ -39509,21 +32447,19 @@ export namespace gateway { * requested to have 80% of requests, then 80% of requests must be rejected * instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs: outputs.gateway.v1alpha2.TLSRouteSpecRulesBackendRefsPatch[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; } /** @@ -39538,11 +32474,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -39559,19 +32497,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -39581,12 +32523,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -39597,6 +32542,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface TLSRouteStatusParentsConditions { /** @@ -39629,12 +32590,32 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface TLSRouteStatusParentsConditionsPatch { /** 
@@ -39667,6 +32648,10 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -39682,23 +32667,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -39706,6 +32696,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -39713,10 +32704,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -39724,6 +32717,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -39731,6 +32725,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -39740,15 +32735,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -39757,6 +32755,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -39764,6 +32763,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -39771,10 +32771,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -39784,6 +32786,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -39800,23 +32803,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -39824,6 +32832,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -39831,10 +32840,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -39842,6 +32853,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -39849,6 +32861,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -39858,15 +32871,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -39875,6 +32891,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; 
@@ -39882,6 +32899,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -39889,10 +32907,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -39902,6 +32922,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; 
@@ -39917,19 +32938,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -39939,12 +32964,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -39965,11 +32993,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ @@ -40014,16 +33044,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -40033,8 +33068,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -40042,12 +33079,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -40055,10 +33094,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -40070,21 +33111,6 @@ export namespace gateway { * Rules are a list of UDP matchers and actions. */ rules: outputs.gateway.v1alpha2.UDPRouteSpecRules[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** @@ -40092,12 +33118,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -40108,23 +33137,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -40132,6 +33166,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -40139,10 +33174,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -40150,6 +33187,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -40157,6 +33195,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -40166,15 +33205,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -40183,6 +33225,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -40190,6 +33233,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -40197,10 +33241,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -40210,6 +33256,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -40220,12 +33267,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -40236,23 +33286,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; 
@@ -40260,6 +33315,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -40267,10 +33323,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -40278,6 +33336,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -40285,6 +33344,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the 
@@ -40294,15 +33354,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -40311,6 +33374,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -40318,6 +33382,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -40325,10 +33390,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway 
@@ -40338,6 +33405,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -40359,16 +33427,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -40378,8 +33451,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -40387,12 +33462,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, @@ -40400,10 +33477,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -40415,21 +33494,6 @@ export namespace gateway { * Rules are a list of UDP matchers and actions. */ rules: outputs.gateway.v1alpha2.UDPRouteSpecRulesPatch[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** 
@@ -40438,54 +33502,62 @@ export namespace gateway { export interface UDPRouteSpecRules { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or a + * sent. If unspecified or invalid (refers to a non-existent resource or a * Service with no endpoints), the underlying implementation MUST actively * reject connection attempts to this backend. Packet drops must * respect weight; if an invalid backend is requested to have 80% of * the packets, then 80% of packets must be dropped instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs: outputs.gateway.v1alpha2.UDPRouteSpecRulesBackendRefs[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; } /** * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. 
* + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. @@ -40500,16 +33572,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -40521,11 +33597,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -40545,11 +33623,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; @@ -40559,27 +33639,37 @@ export namespace gateway { * BackendRef defines how a Route should forward a request to a Kubernetes * resource. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. * * + * + * + * * Note that when the BackendTLSPolicy object is enabled by the implementation, * there are some extra rules about validity to consider here. See the fields * where this struct is used for more information about the exact behavior. 
@@ -40594,16 +33684,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -40615,11 +33709,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -40639,11 +33735,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -40655,27 +33753,25 @@ export namespace gateway { export interface UDPRouteSpecRulesPatch { /** * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or a + * sent. If unspecified or invalid (refers to a non-existent resource or a * Service with no endpoints), the underlying implementation MUST actively * reject connection attempts to this backend. Packet drops must * respect weight; if an invalid backend is requested to have 80% of * the packets, then 80% of packets must be dropped instead. * + * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Extended */ backendRefs: outputs.gateway.v1alpha2.UDPRouteSpecRulesBackendRefsPatch[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; } /** @@ -40690,11 +33786,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -40711,19 +33809,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -40733,12 +33835,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -40749,6 +33854,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface UDPRouteStatusParentsConditions { /** @@ -40781,12 +33902,32 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface UDPRouteStatusParentsConditionsPatch { /** 
@@ -40819,6 +33960,10 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -40834,23 +33979,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -40858,6 +34008,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -40865,10 +34016,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -40876,6 +34029,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -40883,6 +34037,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -40892,15 +34047,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -40909,6 +34067,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -40916,6 +34075,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -40923,10 +34083,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -40936,6 +34098,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -40952,23 +34115,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -40976,6 +34144,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -40983,10 +34152,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -40994,6 +34165,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -41001,6 +34173,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -41010,15 +34183,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -41027,6 +34203,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; 
@@ -41034,6 +34211,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -41041,10 +34219,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -41054,6 +34234,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; 
@@ -41069,19 +34250,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -41091,12 +34276,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -41117,11 +34305,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ @@ -41156,19 +34346,6 @@ export namespace gateway { * Spec defines the desired state of BackendTLSPolicy. */ export interface BackendTLSPolicySpec { - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options: {[key: string]: string}; /** * TargetRefs identifies an API object to apply the policy to. * Only Services have Extended support. Implementations MAY support 
@@ -41177,32 +34354,10 @@ export namespace gateway { * by default, but this default may change in the future to provide * a more granular application of the policy. * - * TargetRefs must be _distinct_. This means either that: - * - * * They select different targets. If this is the case, then targetRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, and `name` must - * be unique across all targetRef entries in the BackendTLSPolicy. - * * They select different sectionNames in the same target. - * - * When more than one BackendTLSPolicy selects the same target and - * sectionName, implementations MUST determine precedence using the - * following criteria, continuing on ties: - * - * * The older policy by creation timestamp takes precedence. For - * example, a policy with a creation timestamp of "2021-07-15 - * 01:02:03" MUST be given precedence over a policy with a - * creation timestamp of "2021-07-15 01:02:04". - * * The policy appearing first in alphabetical order by {name}. - * For example, a policy named `bar` is given precedence over a - * policy named `baz`. - * - * For any BackendTLSPolicy that does not take precedence, the - * implementation MUST ensure the `Accepted` Condition is set to - * `status: False`, with Reason `Conflicted`. * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ targetRefs: outputs.gateway.v1alpha3.BackendTLSPolicySpecTargetRefs[]; 
@@ -41213,19 +34368,6 @@ export namespace gateway { * Spec defines the desired state of BackendTLSPolicy. */ export interface BackendTLSPolicySpecPatch { - /** - * Options are a list of key/value pairs to enable extended TLS - * configuration for each implementation. For example, configuring the - * minimum TLS version or supported cipher suites. - * - * A set of common keys MAY be defined by the API in the future. To avoid - * any ambiguity, implementation-specific definitions MUST use - * domain-prefixed names, such as `example.com/my-custom-option`. - * Un-prefixed names are reserved for key names defined by Gateway API. - * - * Support: Implementation-specific - */ - options: {[key: string]: string}; /** * TargetRefs identifies an API object to apply the policy to. * Only Services have Extended support. Implementations MAY support 
@@ -41234,32 +34376,10 @@ export namespace gateway { * by default, but this default may change in the future to provide * a more granular application of the policy. * - * TargetRefs must be _distinct_. This means either that: - * - * * They select different targets. If this is the case, then targetRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, and `name` must - * be unique across all targetRef entries in the BackendTLSPolicy. - * * They select different sectionNames in the same target. - * - * When more than one BackendTLSPolicy selects the same target and - * sectionName, implementations MUST determine precedence using the - * following criteria, continuing on ties: - * - * * The older policy by creation timestamp takes precedence. For - * example, a policy with a creation timestamp of "2021-07-15 - * 01:02:03" MUST be given precedence over a policy with a - * creation timestamp of "2021-07-15 01:02:04". - * * The policy appearing first in alphabetical order by {name}. - * For example, a policy named `bar` is given precedence over a - * policy named `baz`. - * - * For any BackendTLSPolicy that does not take precedence, the - * implementation MUST ensure the `Accepted` Condition is set to - * `status: False`, with Reason `Conflicted`. * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ targetRefs: outputs.gateway.v1alpha3.BackendTLSPolicySpecTargetRefsPatch[]; @@ -41273,6 +34393,7 @@ export namespace gateway { * mode works, and a sample Policy resource, refer to the policy attachment * documentation for Gateway API. * + * * Note: This should only be used for direct policy attachment when references * to SectionName are actually needed. In all other cases, * LocalPolicyTargetReference should be used. 
@@ -41295,10 +34416,12 @@ export namespace gateway { * unspecified, this targetRef targets the entire resource. In the following * resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name * * HTTPRoute: HTTPRouteRule name * * Service: Port name * + * * If a SectionName is specified, but does not exist on the targeted object, * the Policy must fail to attach, and the policy implementation should record * a `ResolvedRefs` or similar Condition in the Policy's status. @@ -41313,6 +34436,7 @@ export namespace gateway { * mode works, and a sample Policy resource, refer to the policy attachment * documentation for Gateway API. * + * * Note: This should only be used for direct policy attachment when references * to SectionName are actually needed. In all other cases, * LocalPolicyTargetReference should be used. @@ -41335,10 +34459,12 @@ export namespace gateway { * unspecified, this targetRef targets the entire resource. In the following * resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name * * HTTPRoute: HTTPRouteRule name * * Service: Port name * + * * If a SectionName is specified, but does not exist on the targeted object, * the Policy must fail to attach, and the policy implementation should record * a `ResolvedRefs` or similar Condition in the Policy's status. 
@@ -41355,81 +34481,55 @@ export namespace gateway { * contain a PEM-encoded TLS CA certificate bundle, which is used to * validate a TLS handshake between the Gateway and backend Pod. * + * * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - * not both. If CACertificateRefs is empty or unspecified, the configuration for + * not both. If CACertifcateRefs is empty or unspecified, the configuration for * WellKnownCACertificates MUST be honored instead if supported by the implementation. * - * A CACertificateRef is invalid if: * - * * It refers to a resource that cannot be resolved (e.g., the referenced resource - * does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - * named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` - * and the Message of the Condition must indicate which reference is invalid and why. + * References to a resource in a different namespace are invalid for the + * moment, although we will revisit this in the future. * - * * It refers to an unknown or unsupported kind of resource. In this case, the Reason - * must be set to `InvalidKind` and the Message of the Condition must explain which - * kind of resource is unknown or unsupported. - * - * * It refers to a resource in another namespace. This may change in future - * spec updates. - * - * Implementations MAY choose to perform further validation of the certificate - * content (e.g., checking expiry or enforcing specific formats). In such cases, - * an implementation-specific Reason and Message must be set for the invalid reference. - * - * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - * the BackendTLSPolicy is set to `status: False`, with a Reason and Message - * that indicate the cause of the error. 
Connections using an invalid - * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - * response. If ALL CACertificateRefs are invalid, the implementation MUST also - * ensure the `Accepted` Condition on the BackendTLSPolicy is set to - * `status: False`, with a Reason `NoValidCACertificate`. * * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a backend, but this behavior is implementation-specific. * + * * Support: Core - An optional single reference to a Kubernetes ConfigMap, * with the CA certificate in a key named `ca.crt`. * - * Support: Implementation-specific - More than one reference, other kinds - * of resources, or a single reference that includes multiple certificates. + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). */ caCertificateRefs: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationCaCertificateRefs[]; /** * Hostname is used for two purposes in the connection between Gateways and * backends: * + * * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). * 2. Hostname MUST be used for authentication and MUST match the certificate - * served by the matching backend, unless SubjectAltNames is specified. - * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - * but MUST NOT be used for authentication. If you want to use the value - * of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. + * served by the matching backend. + * * * Support: Core */ hostname: string; - /** - * SubjectAltNames contains one or more Subject Alternative Names. - * When specified the certificate served from the backend MUST - * have at least one Subject Alternate Name matching one of the specified SubjectAltNames. 
- * - * Support: Extended - */ - subjectAltNames: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationSubjectAltNames[]; /** * WellKnownCACertificates specifies whether system CA certificates may be used in * the TLS handshake between the gateway and backend pod. * + * * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs * must be specified with at least one entry for a valid configuration. Only one of - * CACertificateRefs or WellKnownCACertificates may be specified, not both. - * If an implementation does not support the WellKnownCACertificates field, or - * the supplied value is not recognized, the implementation MUST ensure the - * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - * a Reason `Invalid`. + * CACertificateRefs or WellKnownCACertificates may be specified, not both. If an + * implementation does not support the WellKnownCACertificates field or the value + * supplied is not supported, the Status Conditions on the Policy MUST be + * updated to include an Accepted: False Condition with Reason: Invalid. + * * * Support: Implementation-specific */ @@ -41442,6 +34542,7 @@ export namespace gateway { * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. @@ -41468,6 +34569,7 @@ export namespace gateway { * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. 
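Review bot: Nothing in this hunk records which Gateway API CRD bundle the types were regenerated from, and the new side reads like a downgrade rather than an upgrade: `subjectAltNames` is gone from the BackendTLSPolicy validation type, `hostname` is again the only identity matched against the backend certificate, the documented failure behaviour for an invalid CACertificateRef is removed, and the `CACertifcateRefs` typo is back. Code that relies on `subjectAltNames` to pin backend identity (the removed docs give SPIFFE URIs as an example) will no longer type-check, so confirm the bundle matches the CRDs the target clusters actually serve before merging. The same removal is repeated in the Patch variant hunk that follows (`@@ -41497,143 +34599,61 @@`), and `options` is dropped from `BackendTLSPolicySpec` and `BackendTLSPolicySpecPatch` in the earlier hunks. This file appears to be generator output, so the fix belongs in the CRD input rather than here; a file-level comment such as `// Generated from Gateway API CRDs <version placeholder>` would make the intended version reviewable. The enclosing interface starts outside the hunk.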
@@ -41497,143 +34599,61 @@ export namespace gateway { * contain a PEM-encoded TLS CA certificate bundle, which is used to * validate a TLS handshake between the Gateway and backend Pod. * + * * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, - * not both. If CACertificateRefs is empty or unspecified, the configuration for + * not both. If CACertifcateRefs is empty or unspecified, the configuration for * WellKnownCACertificates MUST be honored instead if supported by the implementation. * - * A CACertificateRef is invalid if: * - * * It refers to a resource that cannot be resolved (e.g., the referenced resource - * does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key - * named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` - * and the Message of the Condition must indicate which reference is invalid and why. + * References to a resource in a different namespace are invalid for the + * moment, although we will revisit this in the future. * - * * It refers to an unknown or unsupported kind of resource. In this case, the Reason - * must be set to `InvalidKind` and the Message of the Condition must explain which - * kind of resource is unknown or unsupported. - * - * * It refers to a resource in another namespace. This may change in future - * spec updates. - * - * Implementations MAY choose to perform further validation of the certificate - * content (e.g., checking expiry or enforcing specific formats). In such cases, - * an implementation-specific Reason and Message must be set for the invalid reference. - * - * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on - * the BackendTLSPolicy is set to `status: False`, with a Reason and Message - * that indicate the cause of the error. 
Connections using an invalid - * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error - * response. If ALL CACertificateRefs are invalid, the implementation MUST also - * ensure the `Accepted` Condition on the BackendTLSPolicy is set to - * `status: False`, with a Reason `NoValidCACertificate`. * * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a backend, but this behavior is implementation-specific. * + * * Support: Core - An optional single reference to a Kubernetes ConfigMap, * with the CA certificate in a key named `ca.crt`. * - * Support: Implementation-specific - More than one reference, other kinds - * of resources, or a single reference that includes multiple certificates. + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). */ caCertificateRefs: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationCaCertificateRefsPatch[]; /** * Hostname is used for two purposes in the connection between Gateways and * backends: * + * * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). * 2. Hostname MUST be used for authentication and MUST match the certificate - * served by the matching backend, unless SubjectAltNames is specified. - * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection - * but MUST NOT be used for authentication. If you want to use the value - * of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. + * served by the matching backend. + * * * Support: Core */ hostname: string; - /** - * SubjectAltNames contains one or more Subject Alternative Names. - * When specified the certificate served from the backend MUST - * have at least one Subject Alternate Name matching one of the specified SubjectAltNames. 
- * - * Support: Extended - */ - subjectAltNames: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationSubjectAltNamesPatch[]; /** * WellKnownCACertificates specifies whether system CA certificates may be used in * the TLS handshake between the gateway and backend pod. * + * * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs * must be specified with at least one entry for a valid configuration. Only one of - * CACertificateRefs or WellKnownCACertificates may be specified, not both. - * If an implementation does not support the WellKnownCACertificates field, or - * the supplied value is not recognized, the implementation MUST ensure the - * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with - * a Reason `Invalid`. + * CACertificateRefs or WellKnownCACertificates may be specified, not both. If an + * implementation does not support the WellKnownCACertificates field or the value + * supplied is not supported, the Status Conditions on the Policy MUST be + * updated to include an Accepted: False Condition with Reason: Invalid. + * * * Support: Implementation-specific */ wellKnownCACertificates: string; } - /** - * SubjectAltName represents Subject Alternative Name. - */ - export interface BackendTLSPolicySpecValidationSubjectAltNames { - /** - * Hostname contains Subject Alternative Name specified in DNS name format. - * Required when Type is set to Hostname, ignored otherwise. - * - * Support: Core - */ - hostname: string; - /** - * Type determines the format of the Subject Alternative Name. Always required. - * - * Support: Core - */ - type: string; - /** - * URI contains Subject Alternative Name specified in a full URI format. - * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - * Required when Type is set to URI, ignored otherwise. 
- * - * Support: Core - */ - uri: string; - } - - /** - * SubjectAltName represents Subject Alternative Name. - */ - export interface BackendTLSPolicySpecValidationSubjectAltNamesPatch { - /** - * Hostname contains Subject Alternative Name specified in DNS name format. - * Required when Type is set to Hostname, ignored otherwise. - * - * Support: Core - */ - hostname: string; - /** - * Type determines the format of the Subject Alternative Name. Always required. - * - * Support: Core - */ - type: string; - /** - * URI contains Subject Alternative Name specified in a full URI format. - * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. - * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". - * Required when Type is set to URI, ignored otherwise. - * - * Support: Core - */ - uri: string; - } - /** * Status defines the current state of BackendTLSPolicy. */ 
@@ -41646,22 +34666,27 @@ export namespace gateway { * the controller first sees the policy and SHOULD update the entry as * appropriate when the relevant ancestor is modified. * + * * Note that choosing the relevant ancestor is left to the Policy designers; * an important part of Policy design is designing the right object level at * which to namespace this status. * + * * Note also that implementations MUST ONLY populate ancestor status for * the Ancestor resources they are responsible for. Implementations MUST * use the ControllerName field to uniquely identify the entries in this list * that they are responsible for. * + * * Note that to achieve this, the list of PolicyAncestorStatus structs * MUST be treated as a map with a composite key, made up of the AncestorRef * and ControllerName fields combined. * + * * A maximum of 16 ancestors will be represented in this list. An empty list * means the Policy is not relevant for any ancestors. * + * * If this slice is full, implementations MUST NOT add further entries. * Instead they MUST consider the policy unimplementable and signal that * on any related resources such as the ancestor that would be referenced @@ -41676,6 +34701,7 @@ export namespace gateway { * PolicyAncestorStatus describes the status of a route with respect to an * associated Ancestor. * + * * Ancestors refer to objects that are either the Target of a policy or above it * in terms of object hierarchy. For example, if a policy targets a Service, the * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and 
@@ -41684,23 +34710,28 @@ export namespace gateway { * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers * have a _very_ good reason otherwise. * + * * In the context of policy attachment, the Ancestor is used to distinguish which * resource results in a distinct application of this policy. For example, if a policy * targets a Service, it may have a distinct result per attached Gateway. * + * * Policies targeting the same resource may have different effects depending on the * ancestors of those resources. For example, different Gateways targeting the same * Service may have different capabilities, especially if they have different underlying * implementations. * + * * For example, in BackendTLSPolicy, the Policy attaches to a Service that is * used as a backend in a HTTPRoute that is itself attached to a Gateway. * In this case, the relevant object for status is the Gateway, and that is the * ancestor object referred to in this status. * + * * Note that a parent is also an ancestor, so for objects where the parent is the * relevant object for status, this struct SHOULD still be used. * + * * This struct is intended to be used in a slice that's effectively a map, * with a composite key made up of the AncestorRef and the ControllerName. */ @@ -41715,12 +34746,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -41739,23 +34773,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -41763,6 +34802,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -41770,10 +34810,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -41781,6 +34823,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -41788,6 +34831,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -41797,15 +34841,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -41814,6 +34861,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -41821,6 +34869,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -41828,10 +34877,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -41841,6 +34892,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -41857,23 +34909,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -41881,6 +34938,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -41888,10 +34946,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -41899,6 +34959,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -41906,6 +34967,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -41915,15 +34977,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -41932,6 +34997,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; 
@@ -41939,6 +35005,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -41946,10 +35013,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -41959,6 +35028,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -41966,6 +35036,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface BackendTLSPolicyStatusAncestorsConditions { /** 
@@ -41998,12 +35084,32 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface BackendTLSPolicyStatusAncestorsConditionsPatch { /** @@ -42036,6 +35142,10 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } 
@@ -42044,6 +35154,7 @@ export namespace gateway { * PolicyAncestorStatus describes the status of a route with respect to an * associated Ancestor. * + * * Ancestors refer to objects that are either the Target of a policy or above it * in terms of object hierarchy. For example, if a policy targets a Service, the * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and @@ -42052,23 +35163,28 @@ export namespace gateway { * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers * have a _very_ good reason otherwise. * + * * In the context of policy attachment, the Ancestor is used to distinguish which * resource results in a distinct application of this policy. For example, if a policy * targets a Service, it may have a distinct result per attached Gateway. * + * * Policies targeting the same resource may have different effects depending on the * ancestors of those resources. For example, different Gateways targeting the same * Service may have different capabilities, especially if they have different underlying * implementations. * + * * For example, in BackendTLSPolicy, the Policy attaches to a Service that is * used as a backend in a HTTPRoute that is itself attached to a Gateway. * In this case, the relevant object for status is the Gateway, and that is the * ancestor object referred to in this status. * + * * Note that a parent is also an ancestor, so for objects where the parent is the * relevant object for status, this struct SHOULD still be used. * + * * This struct is intended to be used in a slice that's effectively a map, * with a composite key made up of the AncestorRef and the ControllerName. */ 
@@ -42083,12 +35199,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. @@ -42108,22 +35227,27 @@ export namespace gateway { * the controller first sees the policy and SHOULD update the entry as * appropriate when the relevant ancestor is modified. * + * * Note that choosing the relevant ancestor is left to the Policy designers; * an important part of Policy design is designing the right object level at * which to namespace this status. * + * * Note also that implementations MUST ONLY populate ancestor status for * the Ancestor resources they are responsible for. Implementations MUST * use the ControllerName field to uniquely identify the entries in this list * that they are responsible for. * + * * Note that to achieve this, the list of PolicyAncestorStatus structs * MUST be treated as a map with a composite key, made up of the AncestorRef * and ControllerName fields combined. * + * * A maximum of 16 ancestors will be represented in this list. An empty list * means the Policy is not relevant for any ancestors. * + * * If this slice is full, implementations MUST NOT add further entries. * Instead they MUST consider the policy unimplementable and signal that * on any related resources such as the ancestor that would be referenced 
@@ -42134,1239 +35258,6 @@ export namespace gateway { ancestors: outputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestorsPatch[]; } - /** - * The TLSRoute resource is similar to TCPRoute, but can be configured - * to match against TLS-specific metadata. This allows more flexibility - * in matching streams for a given TLS listener. - * - * If you need to forward traffic to a single target for a TLS listener, you - * could choose to use a TCPRoute with a TLS listener. - */ - export interface TLSRoute { - /** - * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - */ - apiVersion: "gateway.networking.k8s.io/v1alpha3"; - /** - * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - */ - kind: "TLSRoute"; - /** - * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - */ - metadata: outputs.meta.v1.ObjectMeta; - spec: outputs.gateway.v1alpha3.TLSRouteSpec; - status: outputs.gateway.v1alpha3.TLSRouteStatus; - } - - /** - * Spec defines the desired state of TLSRoute. - */ - export interface TLSRouteSpec { - /** - * Hostnames defines a set of SNI hostnames that should match against the - * SNI attribute of TLS ClientHello message in TLS handshake. This matches - * the RFC 1123 definition of a hostname with 2 notable exceptions: - * - * 1. IPs are not allowed in SNI hostnames per RFC 6066. - * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - * label must appear by itself as the first label. 
- * - * If a hostname is specified by both the Listener and TLSRoute, there - * must be at least one intersecting hostname for the TLSRoute to be - * attached to the Listener. For example: - * - * * A Listener with `test.example.com` as the hostname matches TLSRoutes - * that have specified at least one of `test.example.com` or - * `*.example.com`. - * * A Listener with `*.example.com` as the hostname matches TLSRoutes - * that have specified at least one hostname that matches the Listener - * hostname. For example, `test.example.com` and `*.example.com` would both - * match. On the other hand, `example.com` and `test.example.net` would not - * match. - * - * If both the Listener and TLSRoute have specified hostnames, any - * TLSRoute hostnames that do not match the Listener hostname MUST be - * ignored. For example, if a Listener specified `*.example.com`, and the - * TLSRoute specified `test.example.com` and `test.example.net`, - * `test.example.net` must not be considered for a match. - * - * If both the Listener and TLSRoute have specified hostnames, and none - * match with the criteria above, then the TLSRoute is not accepted. The - * implementation must raise an 'Accepted' Condition with a status of - * `False` in the corresponding RouteParentStatus. - * - * Support: Core - */ - hostnames: string[]; - /** - * ParentRefs references the resources (usually Gateways) that a Route wants - * to be attached to. Note that the referenced parent resource needs to - * allow this for the attachment to be complete. For Gateways, that means - * the Gateway needs to allow attachment from Routes of this kind and - * namespace. For Services, that means the Service must either be in the same - * namespace for a "producer" route, or the mesh implementation must support - * and allow "consumer" routes for the referenced Service. 
ReferenceGrant is - * not applicable for governing ParentRefs to Services - it is not possible to - * create a "producer" route for a Service in a different namespace from the - * Route. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * This API may be extended in the future to support additional kinds of parent - * resources. - * - * ParentRefs must be _distinct_. This means either that: - * - * * They select different objects. If this is the case, then parentRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, `namespace`, and `name` must - * be unique across all parentRef entries in the Route. - * * They do not select different objects, but for each optional field used, - * each ParentRef that selects the same object must set the same set of - * optional fields to different values. If one ParentRef sets a - * combination of optional fields, all must set the same combination. - * - * Some examples: - * - * * If one ParentRef sets `sectionName`, all ParentRefs referencing the - * same object must also set `sectionName`. - * * If one ParentRef sets `port`, all ParentRefs referencing the same - * object must also set `port`. - * * If one ParentRef sets `sectionName` and `port`, all ParentRefs - * referencing the same object must also set `sectionName` and `port`. - * - * It is possible to separately reference multiple distinct objects that may - * be collapsed by an implementation. For example, some implementations may - * choose to merge compatible Gateway Listeners together. If that is the - * case, the list of routes attached to those resources should also be - * merged. - * - * Note that for ParentRefs that cross namespace boundaries, there are specific - * rules. 
Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example, - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable other kinds of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - */ - parentRefs: outputs.gateway.v1alpha3.TLSRouteSpecParentRefs[]; - /** - * Rules are a list of actions. - */ - rules: outputs.gateway.v1alpha3.TLSRouteSpecRules[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; - } - - /** - * ParentReference identifies an API object (usually a Gateway) that can be considered - * a parent of this resource (usually a route). 
There are two kinds of parent resources - * with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * This API may be extended in the future to support additional kinds of parent - * resources. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - */ - export interface TLSRouteSpecParentRefs { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group: string; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind: string; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name: string; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. 
- * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace: string; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. 
- * - * Support: Extended - */ - port: number; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName: string; - } - - /** - * ParentReference identifies an API object (usually a Gateway) that can be considered - * a parent of this resource (usually a route). There are two kinds of parent resources - * with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * This API may be extended in the future to support additional kinds of parent - * resources. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. 
- */ - export interface TLSRouteSpecParentRefsPatch { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group: string; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind: string; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name: string; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace: string; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. 
- * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. - * - * Support: Extended - */ - port: number; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. 
- * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName: string; - } - - /** - * Spec defines the desired state of TLSRoute. - */ - export interface TLSRouteSpecPatch { - /** - * Hostnames defines a set of SNI hostnames that should match against the - * SNI attribute of TLS ClientHello message in TLS handshake. This matches - * the RFC 1123 definition of a hostname with 2 notable exceptions: - * - * 1. IPs are not allowed in SNI hostnames per RFC 6066. - * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - * label must appear by itself as the first label. - * - * If a hostname is specified by both the Listener and TLSRoute, there - * must be at least one intersecting hostname for the TLSRoute to be - * attached to the Listener. For example: - * - * * A Listener with `test.example.com` as the hostname matches TLSRoutes - * that have specified at least one of `test.example.com` or - * `*.example.com`. - * * A Listener with `*.example.com` as the hostname matches TLSRoutes - * that have specified at least one hostname that matches the Listener - * hostname. For example, `test.example.com` and `*.example.com` would both - * match. On the other hand, `example.com` and `test.example.net` would not - * match. 
- * - * If both the Listener and TLSRoute have specified hostnames, any - * TLSRoute hostnames that do not match the Listener hostname MUST be - * ignored. For example, if a Listener specified `*.example.com`, and the - * TLSRoute specified `test.example.com` and `test.example.net`, - * `test.example.net` must not be considered for a match. - * - * If both the Listener and TLSRoute have specified hostnames, and none - * match with the criteria above, then the TLSRoute is not accepted. The - * implementation must raise an 'Accepted' Condition with a status of - * `False` in the corresponding RouteParentStatus. - * - * Support: Core - */ - hostnames: string[]; - /** - * ParentRefs references the resources (usually Gateways) that a Route wants - * to be attached to. Note that the referenced parent resource needs to - * allow this for the attachment to be complete. For Gateways, that means - * the Gateway needs to allow attachment from Routes of this kind and - * namespace. For Services, that means the Service must either be in the same - * namespace for a "producer" route, or the mesh implementation must support - * and allow "consumer" routes for the referenced Service. ReferenceGrant is - * not applicable for governing ParentRefs to Services - it is not possible to - * create a "producer" route for a Service in a different namespace from the - * Route. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * This API may be extended in the future to support additional kinds of parent - * resources. - * - * ParentRefs must be _distinct_. This means either that: - * - * * They select different objects. If this is the case, then parentRef - * entries are distinct. In terms of fields, this means that the - * multi-part key defined by `group`, `kind`, `namespace`, and `name` must - * be unique across all parentRef entries in the Route. 
- * * They do not select different objects, but for each optional field used, - * each ParentRef that selects the same object must set the same set of - * optional fields to different values. If one ParentRef sets a - * combination of optional fields, all must set the same combination. - * - * Some examples: - * - * * If one ParentRef sets `sectionName`, all ParentRefs referencing the - * same object must also set `sectionName`. - * * If one ParentRef sets `port`, all ParentRefs referencing the same - * object must also set `port`. - * * If one ParentRef sets `sectionName` and `port`, all ParentRefs - * referencing the same object must also set `sectionName` and `port`. - * - * It is possible to separately reference multiple distinct objects that may - * be collapsed by an implementation. For example, some implementations may - * choose to merge compatible Gateway Listeners together. If that is the - * case, the list of routes attached to those resources should also be - * merged. - * - * Note that for ParentRefs that cross namespace boundaries, there are specific - * rules. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example, - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable other kinds of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. 
- */ - parentRefs: outputs.gateway.v1alpha3.TLSRouteSpecParentRefsPatch[]; - /** - * Rules are a list of actions. - */ - rules: outputs.gateway.v1alpha3.TLSRouteSpecRulesPatch[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; - } - - /** - * TLSRouteRule is the configuration for a given rule. - */ - export interface TLSRouteSpecRules { - /** - * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or - * a Service with no endpoints), the rule performs no forwarding; if no - * filters are specified that would result in a response being sent, the - * underlying implementation must actively reject request attempts to this - * backend, by rejecting the connection or returning a 500 status code. - * Request rejections must respect weight; if an invalid backend is - * requested to have 80% of requests, then 80% of requests must be rejected - * instead. 
- * - * Support: Core for Kubernetes Service - * - * Support: Extended for Kubernetes ServiceImport - * - * Support: Implementation-specific for any other resource - * - * Support for weight: Extended - */ - backendRefs: outputs.gateway.v1alpha3.TLSRouteSpecRulesBackendRefs[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; - } - - /** - * BackendRef defines how a Route should forward a request to a Kubernetes - * resource. - * - * Note that when a namespace different than the local namespace is specified, a - * ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * - * When the BackendRef points to a Kubernetes Service, implementations SHOULD - * honor the appProtocol field if it is set for the target Service Port. - * - * Implementations supporting appProtocol SHOULD recognize the Kubernetes - * Standard Application Protocols defined in KEP-3726. - * - * If a Service appProtocol isn't specified, an implementation MAY infer the - * backend protocol through its own means. Implementations MAY infer the - * protocol from the Route type referring to the backend Service. - * - * If a Route is not able to send traffic to the backend using the specified - * protocol then the backend is considered invalid. Implementations MUST set the - * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - * - * - * Note that when the BackendTLSPolicy object is enabled by the implementation, - * there are some extra rules about validity to consider here. See the fields - * where this struct is used for more information about the exact behavior. - */ - export interface TLSRouteSpecRulesBackendRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". 
- * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port: number; - /** - * Weight specifies the proportion of requests forwarded to the referenced - * backend. This is computed as weight/(sum of all weights in this - * BackendRefs list). For non-zero values, there may be some epsilon from - * the exact proportion defined here depending on the precision an - * implementation supports. Weight is not a percentage and the sum of - * weights does not need to equal 100. 
- * - * If only one backend is specified and it has a weight greater than 0, 100% - * of the traffic is forwarded to that backend. If weight is set to 0, no - * traffic should be forwarded for this entry. If unspecified, weight - * defaults to 1. - * - * Support for this field varies based on the context where used. - */ - weight: number; - } - - /** - * BackendRef defines how a Route should forward a request to a Kubernetes - * resource. - * - * Note that when a namespace different than the local namespace is specified, a - * ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * - * When the BackendRef points to a Kubernetes Service, implementations SHOULD - * honor the appProtocol field if it is set for the target Service Port. - * - * Implementations supporting appProtocol SHOULD recognize the Kubernetes - * Standard Application Protocols defined in KEP-3726. - * - * If a Service appProtocol isn't specified, an implementation MAY infer the - * backend protocol through its own means. Implementations MAY infer the - * protocol from the Route type referring to the backend Service. - * - * If a Route is not able to send traffic to the backend using the specified - * protocol then the backend is considered invalid. Implementations MUST set the - * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - * - * - * Note that when the BackendTLSPolicy object is enabled by the implementation, - * there are some extra rules about validity to consider here. See the fields - * where this struct is used for more information about the exact behavior. - */ - export interface TLSRouteSpecRulesBackendRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. 
- */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port: number; - /** - * Weight specifies the proportion of requests forwarded to the referenced - * backend. This is computed as weight/(sum of all weights in this - * BackendRefs list). For non-zero values, there may be some epsilon from - * the exact proportion defined here depending on the precision an - * implementation supports. Weight is not a percentage and the sum of - * weights does not need to equal 100. 
- * - * If only one backend is specified and it has a weight greater than 0, 100% - * of the traffic is forwarded to that backend. If weight is set to 0, no - * traffic should be forwarded for this entry. If unspecified, weight - * defaults to 1. - * - * Support for this field varies based on the context where used. - */ - weight: number; - } - - /** - * TLSRouteRule is the configuration for a given rule. - */ - export interface TLSRouteSpecRulesPatch { - /** - * BackendRefs defines the backend(s) where matching requests should be - * sent. If unspecified or invalid (refers to a nonexistent resource or - * a Service with no endpoints), the rule performs no forwarding; if no - * filters are specified that would result in a response being sent, the - * underlying implementation must actively reject request attempts to this - * backend, by rejecting the connection or returning a 500 status code. - * Request rejections must respect weight; if an invalid backend is - * requested to have 80% of requests, then 80% of requests must be rejected - * instead. - * - * Support: Core for Kubernetes Service - * - * Support: Extended for Kubernetes ServiceImport - * - * Support: Implementation-specific for any other resource - * - * Support for weight: Extended - */ - backendRefs: outputs.gateway.v1alpha3.TLSRouteSpecRulesBackendRefsPatch[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. - * - * Support: Extended - */ - name: string; - } - - /** - * Status defines the current state of TLSRoute. - */ - export interface TLSRouteStatus { - /** - * Parents is a list of parent resources (usually Gateways) that are - * associated with the route, and the status of the route with respect to - * each parent. 
When this route attaches to a parent, the controller that - * manages the parent must add an entry to this list when the controller - * first sees the route and should update the entry as appropriate when the - * route or gateway is modified. - * - * Note that parent references that cannot be resolved by an implementation - * of this API will not be added to this list. Implementations of this API - * can only populate Route status for the Gateways/parent resources they are - * responsible for. - * - * A maximum of 32 Gateways will be represented in this list. An empty list - * means the route has not been attached to any Gateway. - */ - parents: outputs.gateway.v1alpha3.TLSRouteStatusParents[]; - } - - /** - * RouteParentStatus describes the status of a route with respect to an - * associated Parent. - */ - export interface TLSRouteStatusParents { - /** - * Conditions describes the status of the route with respect to the Gateway. - * Note that the route's availability is also subject to the Gateway's own - * status conditions and listener status. - * - * If the Route's ParentRef specifies an existing Gateway that supports - * Routes of this kind AND that Gateway's controller has sufficient access, - * then that Gateway's controller MUST set the "Accepted" condition on the - * Route, to indicate whether the route has been accepted or rejected by the - * Gateway, and why. - * - * A Route MUST be considered "Accepted" if at least one of the Route's - * rules is implemented by the Gateway. - * - * There are a number of cases where the "Accepted" condition may not be set - * due to lack of controller visibility, that includes when: - * - * * The Route refers to a nonexistent parent. - * * The Route is of a type that the controller does not support. - * * The Route is in a namespace the controller does not have access to. 
- */ - conditions: outputs.gateway.v1alpha3.TLSRouteStatusParentsConditions[]; - /** - * ControllerName is a domain/path string that indicates the name of the - * controller that wrote this status. This corresponds with the - * controllerName field on GatewayClass. - * - * Example: "example.net/gateway-controller". - * - * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - * valid Kubernetes names - * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - * - * Controllers MUST populate this field when writing status. Controllers should ensure that - * entries to status populated with their ControllerName are cleaned up when they are no - * longer necessary. - */ - controllerName: string; - parentRef: outputs.gateway.v1alpha3.TLSRouteStatusParentsParentRef; - } - - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - export interface TLSRouteStatusParentsConditions { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. - */ - type: string; - } - - /** - * Condition contains details for one aspect of the current state of this API Resource. - */ - export interface TLSRouteStatusParentsConditionsPatch { - /** - * lastTransitionTime is the last time the condition transitioned from one status to another. - * This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - */ - lastTransitionTime: string; - /** - * message is a human readable message indicating details about the transition. - * This may be an empty string. - */ - message: string; - /** - * observedGeneration represents the .metadata.generation that the condition was set based upon. - * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - * with respect to the current state of the instance. - */ - observedGeneration: number; - /** - * reason contains a programmatic identifier indicating the reason for the condition's last transition. - * Producers of specific condition types may define expected values and meanings for this field, - * and whether the values are considered a guaranteed API. - * The value should be a CamelCase string. - * This field may not be empty. - */ - reason: string; - /** - * status of the condition, one of True, False, Unknown. - */ - status: string; - /** - * type of condition in CamelCase or in foo.example.com/CamelCase. 
- */ - type: string; - } - - /** - * ParentRef corresponds with a ParentRef in the spec that this - * RouteParentStatus struct describes the status of. - */ - export interface TLSRouteStatusParentsParentRef { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group: string; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind: string; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name: string; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. - * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. 
- * - * - * Support: Core - */ - namespace: string; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. - * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. - * - * Support: Extended - */ - port: number; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. 
- * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. - * - * Support: Core - */ - sectionName: string; - } - - /** - * ParentRef corresponds with a ParentRef in the spec that this - * RouteParentStatus struct describes the status of. - */ - export interface TLSRouteStatusParentsParentRefPatch { - /** - * Group is the group of the referent. - * When unspecified, "gateway.networking.k8s.io" is inferred. - * To set the core API group (such as for a "Service" kind referent), - * Group must be explicitly set to "" (empty string). - * - * Support: Core - */ - group: string; - /** - * Kind is kind of the referent. - * - * There are two kinds of parent resources with "Core" support: - * - * * Gateway (Gateway conformance profile) - * * Service (Mesh conformance profile, ClusterIP Services only) - * - * Support for other resources is Implementation-Specific. - */ - kind: string; - /** - * Name is the name of the referent. - * - * Support: Core - */ - name: string; - /** - * Namespace is the namespace of the referent. When unspecified, this refers - * to the local namespace of the Route. 
- * - * Note that there are specific rules for ParentRefs which cross namespace - * boundaries. Cross-namespace references are only valid if they are explicitly - * allowed by something in the namespace they are referring to. For example: - * Gateway has the AllowedRoutes field, and ReferenceGrant provides a - * generic way to enable any other kind of cross-namespace reference. - * - * - * ParentRefs from a Route to a Service in the same namespace are "producer" - * routes, which apply default routing rules to inbound connections from - * any namespace to the Service. - * - * ParentRefs from a Route to a Service in a different namespace are - * "consumer" routes, and these routing rules are only applied to outbound - * connections originating from the same namespace as the Route, for which - * the intended destination of the connections are a Service targeted as a - * ParentRef of the Route. - * - * - * Support: Core - */ - namespace: string; - /** - * Port is the network port this Route targets. It can be interpreted - * differently based on the type of parent resource. - * - * When the parent resource is a Gateway, this targets all listeners - * listening on the specified port that also support this kind of Route(and - * select this Route). It's not recommended to set `Port` unless the - * networking behaviors specified in a Route must apply to a specific port - * as opposed to a listener(s) whose port(s) may be changed. When both Port - * and SectionName are specified, the name and port of the selected listener - * must match both specified values. - * - * - * When the parent resource is a Service, this targets a specific port in the - * Service spec. When both Port (experimental) and SectionName are specified, - * the name and port of the selected port must match both specified values. - * - * - * Implementations MAY choose to support other parent resources. 
- * Implementations supporting other types of parent resources MUST clearly - * document how/if Port is interpreted. - * - * For the purpose of status, an attachment is considered successful as - * long as the parent resource accepts it partially. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - * from the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, - * the Route MUST be considered detached from the Gateway. - * - * Support: Extended - */ - port: number; - /** - * SectionName is the name of a section within the target resource. In the - * following resources, SectionName is interpreted as the following: - * - * * Gateway: Listener name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * * Service: Port name. When both Port (experimental) and SectionName - * are specified, the name and port of the selected listener must match - * both specified values. - * - * Implementations MAY choose to support attaching Routes to other resources. - * If that is the case, they MUST clearly document how SectionName is - * interpreted. - * - * When unspecified (empty string), this will reference the entire resource. - * For the purpose of status, an attachment is considered successful if at - * least one section in the parent resource accepts it. For example, Gateway - * listeners can restrict which Routes can attach to them by Route kind, - * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - * the referencing Route, the Route MUST be considered successfully - * attached. If no Gateway listeners accept attachment from this Route, the - * Route MUST be considered detached from the Gateway. 
- * - * Support: Core - */ - sectionName: string; - } - - /** - * RouteParentStatus describes the status of a route with respect to an - * associated Parent. - */ - export interface TLSRouteStatusParentsPatch { - /** - * Conditions describes the status of the route with respect to the Gateway. - * Note that the route's availability is also subject to the Gateway's own - * status conditions and listener status. - * - * If the Route's ParentRef specifies an existing Gateway that supports - * Routes of this kind AND that Gateway's controller has sufficient access, - * then that Gateway's controller MUST set the "Accepted" condition on the - * Route, to indicate whether the route has been accepted or rejected by the - * Gateway, and why. - * - * A Route MUST be considered "Accepted" if at least one of the Route's - * rules is implemented by the Gateway. - * - * There are a number of cases where the "Accepted" condition may not be set - * due to lack of controller visibility, that includes when: - * - * * The Route refers to a nonexistent parent. - * * The Route is of a type that the controller does not support. - * * The Route is in a namespace the controller does not have access to. - */ - conditions: outputs.gateway.v1alpha3.TLSRouteStatusParentsConditionsPatch[]; - /** - * ControllerName is a domain/path string that indicates the name of the - * controller that wrote this status. This corresponds with the - * controllerName field on GatewayClass. - * - * Example: "example.net/gateway-controller". - * - * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - * valid Kubernetes names - * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - * - * Controllers MUST populate this field when writing status. Controllers should ensure that - * entries to status populated with their ControllerName are cleaned up when they are no - * longer necessary. 
- */ - controllerName: string; - parentRef: outputs.gateway.v1alpha3.TLSRouteStatusParentsParentRefPatch; - } - - /** - * Status defines the current state of TLSRoute. - */ - export interface TLSRouteStatusPatch { - /** - * Parents is a list of parent resources (usually Gateways) that are - * associated with the route, and the status of the route with respect to - * each parent. When this route attaches to a parent, the controller that - * manages the parent must add an entry to this list when the controller - * first sees the route and should update the entry as appropriate when the - * route or gateway is modified. - * - * Note that parent references that cannot be resolved by an implementation - * of this API will not be added to this list. Implementations of this API - * can only populate Route status for the Gateways/parent resources they are - * responsible for. - * - * A maximum of 32 Gateways will be represented in this list. An empty list - * means the route has not been attached to any Gateway. - */ - parents: outputs.gateway.v1alpha3.TLSRouteStatusParentsPatch[]; - } - } export namespace v1beta1 { @@ -43395,6 +35286,7 @@ export namespace gateway { * GatewayClass describes a class of Gateways available to the user for creating * Gateway resources. * + * * It is recommended that this resource be used as a template for Gateways. This * means that a Gateway is based on the state of the GatewayClass at the time it * was created and changes to the GatewayClass or associated parameters are not 
@@ -43403,11 +35295,13 @@ export namespace gateway { * If implementations choose to propagate GatewayClass changes to existing * Gateways, that MUST be clearly documented by the implementation. * + * * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the * associated GatewayClass. This ensures that a GatewayClass associated with a * Gateway is not deleted while in use. * + * * GatewayClass is a Cluster level resource. */ export interface GatewayClass { @@ -43435,10 +35329,13 @@ export namespace gateway { * ControllerName is the name of the controller that is managing Gateways of * this class. The value of this field MUST be a domain prefixed path. * + * * Example: "example.net/gateway-controller". * + * * This field is not mutable and cannot be empty. * + * * Support: Core */ controllerName: string; 
@@ -43454,19 +35351,21 @@ export namespace gateway { * parameters corresponding to the GatewayClass. This is optional if the * controller does not require any additional configuration. * + * * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, * or an implementation-specific custom resource. The resource can be * cluster-scoped or namespace-scoped. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the GatewayClass SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. + * + * If the referent cannot be found, the GatewayClass's "InvalidParameters" + * status condition will be true. + * * * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * + * * Support: Implementation-specific */ export interface GatewayClassSpecParametersRef { 
@@ -43495,19 +35394,21 @@ export namespace gateway { * parameters corresponding to the GatewayClass. This is optional if the * controller does not require any additional configuration. * + * * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, * or an implementation-specific custom resource. The resource can be * cluster-scoped or namespace-scoped. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the GatewayClass SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. + * + * If the referent cannot be found, the GatewayClass's "InvalidParameters" + * status condition will be true. + * * * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * + * * Support: Implementation-specific */ export interface GatewayClassSpecParametersRefPatch { @@ -43539,10 +35440,13 @@ export namespace gateway { * ControllerName is the name of the controller that is managing Gateways of * this class. The value of this field MUST be a domain prefixed path. * + * * Example: "example.net/gateway-controller". * + * * This field is not mutable and cannot be empty. * + * * Support: Core */ controllerName: string; @@ -43556,6 +35460,7 @@ export namespace gateway { /** * Status defines the current state of GatewayClass. * + * * Implementations MUST populate status on all GatewayClass resources which * specify their controller name. */ 
@@ -43564,19 +35469,36 @@ export namespace gateway { * Conditions is the current status from the controller for * this GatewayClass. * + * * Controllers should prefer to publish conditions using values * of GatewayClassConditionType for the type of each Condition. */ conditions: outputs.gateway.v1beta1.GatewayClassStatusConditions[]; /** * SupportedFeatures is the set of features the GatewayClass support. - * It MUST be sorted in ascending alphabetical order by the Name key. + * It MUST be sorted in ascending alphabetical order. */ - supportedFeatures: outputs.gateway.v1beta1.GatewayClassStatusSupportedFeatures[]; + supportedFeatures: string[]; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayClassStatusConditions { /** 
@@ -43609,12 +35531,32 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayClassStatusConditionsPatch { /** @@ -43647,6 +35589,10 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -43654,6 +35600,7 @@ export namespace gateway { /** * Status defines the current state of GatewayClass. * + * * Implementations MUST populate status on all GatewayClass resources which * specify their controller name. */ 
@@ -43662,31 +35609,16 @@ export namespace gateway { * Conditions is the current status from the controller for * this GatewayClass. * + * * Controllers should prefer to publish conditions using values * of GatewayClassConditionType for the type of each Condition. */ conditions: outputs.gateway.v1beta1.GatewayClassStatusConditionsPatch[]; /** * SupportedFeatures is the set of features the GatewayClass support. - * It MUST be sorted in ascending alphabetical order by the Name key. + * It MUST be sorted in ascending alphabetical order. */ - supportedFeatures: outputs.gateway.v1beta1.GatewayClassStatusSupportedFeaturesPatch[]; - } - - export interface GatewayClassStatusSupportedFeatures { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. - */ - name: string; - } - - export interface GatewayClassStatusSupportedFeaturesPatch { - /** - * FeatureName is used to describe distinct features that are covered by - * conformance tests. - */ - name: string; + supportedFeatures: string[]; } /** @@ -43697,7 +35629,8 @@ export namespace gateway { * Addresses requested for this Gateway. This is optional and behavior can * depend on the implementation. If a value is set in the spec and the * requested address is invalid or unavailable, the implementation MUST - * indicate this in an associated entry in GatewayStatus.Conditions. + * indicate this in the associated entry in GatewayStatus.Addresses. + * * * The Addresses field represents a request for the address(es) on the * "outside of the Gateway", that traffic bound for this Gateway will use. 
@@ -43705,38 +35638,20 @@ export namespace gateway { * other networking infrastructure, or some other address that traffic will * be sent to. * + * * If no Addresses are specified, the implementation MAY schedule the * Gateway in an implementation-specific manner, assigning an appropriate * set of Addresses. * + * * The implementation MUST bind all Listeners to every GatewayAddress that * it assigns to the Gateway and add a corresponding entry in * GatewayStatus.Addresses. * + * * Support: Extended */ addresses: outputs.gateway.v1beta1.GatewaySpecAddresses[]; - allowedListeners: outputs.gateway.v1beta1.GatewaySpecAllowedListeners; - /** - * DefaultScope, when set, configures the Gateway as a default Gateway, - * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) - * attached to it, according to the scope configured here. - * - * If unset (the default) or set to None, the Gateway will not act as a - * default Gateway; if set, the Gateway will claim any Route with a - * matching scope set in its UseDefaultGateway field, subject to the usual - * rules about which routes the Gateway can attach to. - * - * Think carefully before using this functionality! While the normal rules - * about which Route can apply are still enforced, it is simply easier for - * the wrong Route to be accidentally attached to this Gateway in this - * configuration. If the Gateway operator is not also the operator in - * control of the scope (e.g. namespace) with tight controls and checks on - * what kind of workloads and Routes get added in that scope, we strongly - * recommend not using this just because it seems convenient, and instead - * stick to direct Route attachment. - */ - defaultScope: string; /** * GatewayClassName used for this Gateway. This is the name of a * GatewayClass resource. 
@@ -43748,7 +35663,6 @@ export namespace gateway { * logical endpoints that are bound on this Gateway's addresses. * At least one Listener MUST be specified. * - * ## Distinct Listeners * * Each Listener in a set of Listeners (for example, in a single Gateway) * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to 
@@ -43757,107 +35671,97 @@ export namespace gateway { * from multiple Gateways onto a single data plane, and these rules _also_ * apply in that case). * + * * Practically, this means that each listener in a set MUST have a unique * combination of Port, Protocol, and, if supported by the protocol, Hostname. * - * Some combinations of port, protocol, and TLS settings are considered - * Core support and MUST be supported by implementations based on the objects - * they support: * - * HTTPRoute + * Some combinations of port, protocol, and TLS settings are considered + * Core support and MUST be supported by implementations based on their + * targeted conformance profile: + * + * + * HTTP Profile + * * * 1. HTTPRoute, Port: 80, Protocol: HTTP * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided * - * TLSRoute + * + * TLS Profile + * * * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough * + * * "Distinct" Listeners have the following property: * - * **The implementation can match inbound requests to a single distinct - * Listener**. * - * When multiple Listeners share values for fields (for + * The implementation can match inbound requests to a single distinct + * Listener. When multiple Listeners share values for fields (for * example, two Listeners with the same Port value), the implementation * can match requests to only one of the Listeners using other * Listener fields. * - * When multiple listeners have the same value for the Protocol field, then - * each of the Listeners with matching Protocol values MUST have different - * values for other fields. * - * The set of fields that MUST be different for a Listener differs per protocol. - * The following rules define the rules for what fields MUST be considered for - * Listeners to be distinct with each protocol currently defined in the - * Gateway API spec. 
+ * For example, the following Listener scenarios are distinct: * - * The set of listeners that all share a protocol value MUST have _different_ - * values for _at least one_ of these fields to be distinct: * - * * **HTTP, HTTPS, TLS**: Port, Hostname - * * **TCP, UDP**: Port + * 1. Multiple Listeners with the same Port that all use the "HTTP" + * Protocol that all have unique Hostname values. + * 2. Multiple Listeners with the same Port that use either the "HTTPS" or + * "TLS" Protocol that all have unique Hostname values. + * 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + * with the same Protocol has the same Port value. * - * One **very** important rule to call out involves what happens when an - * implementation: * - * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - * Listeners, and - * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - * Protocol. + * Some fields in the Listener struct have possible values that affect + * whether the Listener is distinct. Hostname is particularly relevant + * for HTTP or HTTPS protocols. * - * In this case all the Listeners that share a port with the - * TCP Listener are not distinct and so MUST NOT be accepted. * - * If an implementation does not support TCP Protocol Listeners, then the - * previous rule does not apply, and the TCP Listeners SHOULD NOT be - * accepted. + * When using the Hostname value to select between same-Port, same-Protocol + * Listeners, the Hostname value must be different on each Listener for the + * Listener to be distinct. * - * Note that the `tls` field is not used for determining if a listener is distinct, because - * Listeners that _only_ differ on TLS config will still conflict in all cases. 
* - * ### Listeners that are distinct only by Hostname - * - * When the Listeners are distinct based only on Hostname, inbound request + * When the Listeners are distinct based on Hostname, inbound request * hostnames MUST match from the most specific to least specific Hostname * values to choose the correct Listener and its associated set of Routes. * - * Exact matches MUST be processed before wildcard matches, and wildcard - * matches MUST be processed before fallback (empty Hostname value) + * + * Exact matches must be processed before wildcard matches, and wildcard + * matches must be processed before fallback (empty Hostname value) * matches. For example, `"foo.example.com"` takes precedence over * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. * + * * Additionally, if there are multiple wildcard entries, more specific * wildcard entries must be processed before less specific wildcard entries. * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. - * * The precise definition here is that the higher the number of dots in the * hostname to the right of the wildcard character, the higher the precedence. * + * * The wildcard character will match any number of characters _and dots_ to * the left, however, so `"*.example.com"` will match both * `"foo.bar.example.com"` _and_ `"bar.example.com"`. * - * ## Handling indistinct Listeners * * If a set of Listeners contains Listeners that are not distinct, then those - * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + * Listeners are Conflicted, and the implementation MUST set the "Conflicted" * condition in the Listener Status to "True". * - * The words "indistinct" and "conflicted" are considered equivalent for the - * purpose of this documentation. * * Implementations MAY choose to accept a Gateway with some Conflicted * Listeners only if they only accept the partial Listener set that contains - * no Conflicted Listeners. 
+ * no Conflicted Listeners. To put this another way, implementations may + * accept a partial Listener set only if they throw out *all* the conflicting + * Listeners. No picking one of the conflicting listeners as the winner. + * This also means that the Gateway must have at least one non-conflicting + * Listener in this case, otherwise it violates the requirement that at + * least one Listener must be present. * - * Specifically, an implementation MAY accept a partial Listener set subject to - * the following rules: - * - * * The implementation MUST NOT pick one conflicting Listener as the winner. - * ALL indistinct Listeners must not be accepted for processing. - * * At least one distinct Listener MUST be present, or else the Gateway effectively - * contains _no_ Listeners, and must be rejected from processing as a whole. * * The implementation MUST set a "ListenersNotValid" condition on the * Gateway Status when the Gateway contains Conflicted Listeners whether or 
@@ -43866,52 +35770,45 @@ export namespace gateway { * Accepted. Additionally, the Listener status for those listeners SHOULD * indicate which Listeners are conflicted and not Accepted. * - * ## General Listener behavior * - * Note that, for all distinct Listeners, requests SHOULD match at most one Listener. - * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - * request to "foo.example.com" SHOULD only be routed using routes attached - * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * A Gateway's Listeners are considered "compatible" if: * - * This concept is known as "Listener Isolation", and it is an Extended feature - * of Gateway API. Implementations that do not support Listener Isolation MUST - * clearly document this, and MUST NOT claim support for the - * `GatewayHTTPListenerIsolation` feature. - * - * Implementations that _do_ support Listener Isolation SHOULD claim support - * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - * conformance tests. - * - * ## Compatible Listeners - * - * A Gateway's Listeners are considered _compatible_ if: * * 1. They are distinct. * 2. The implementation can serve them in compliance with the Addresses * requirement that all Listeners are available on all assigned * addresses. * + * * Compatible combinations in Extended support are expected to vary across * implementations. A combination that is compatible for one implementation * may not be compatible for another. * + * * For example, an implementation that cannot serve both TCP and UDP listeners * on the same address, or cannot mix HTTPS and generic TLS listens on the same port * would not consider those cases compatible, even though they are distinct. * + * + * Note that requests SHOULD match at most one Listener. 
For example, if + * Listeners are defined for "foo.example.com" and "*.example.com", a + * request to "foo.example.com" SHOULD only be routed using routes attached + * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * This concept is known as "Listener Isolation". Implementations that do + * not support Listener Isolation MUST clearly document this. + * + * * Implementations MAY merge separate Gateways onto a single set of * Addresses if all Listeners across all Gateways are compatible. * - * In a future release the MinItems=1 requirement MAY be dropped. * * Support: Core */ listeners: outputs.gateway.v1beta1.GatewaySpecListeners[]; - tls: outputs.gateway.v1beta1.GatewaySpecTls; } /** - * GatewaySpecAddress describes an address that can be bound to a Gateway. + * GatewayAddress describes an address that can be bound to a Gateway. */ export interface GatewaySpecAddresses { /** @@ -43919,11 +35816,9 @@ export namespace gateway { */ type: string; /** - * When a value is unspecified, an implementation SHOULD automatically - * assign an address matching the requested type if possible. + * Value of the address. The validity of the values will depend + * on the type and support by the controller. * - * If an implementation does not support an empty value, they MUST set the - * "Programmed" condition in status to False with a reason of "AddressNotAssigned". * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ @@ -43931,7 +35826,7 @@ export namespace gateway { } /** - * GatewaySpecAddress describes an address that can be bound to a Gateway. + * GatewayAddress describes an address that can be bound to a Gateway. */ export interface GatewaySpecAddressesPatch { /** 
@@ -43939,182 +35834,46 @@ export namespace gateway { */ type: string; /** - * When a value is unspecified, an implementation SHOULD automatically - * assign an address matching the requested type if possible. + * Value of the address. The validity of the values will depend + * on the type and support by the controller. * - * If an implementation does not support an empty value, they MUST set the - * "Programmed" condition in status to False with a reason of "AddressNotAssigned". * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value: string; } - /** - * AllowedListeners defines which ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - export interface GatewaySpecAllowedListeners { - namespaces: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespaces; - } - - /** - * Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - export interface GatewaySpecAllowedListenersNamespaces { - /** - * From indicates where ListenerSets can attach to this Gateway. Possible - * values are: - * - * * Same: Only ListenerSets in the same namespace may be attached to this Gateway. - * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. - * * All: ListenerSets in all namespaces may be attached to this Gateway. - * * None: Only listeners defined in the Gateway's spec are allowed - * - * While this feature is experimental, the default value None - */ - from: string; - selector: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelector; - } - - /** - * Namespaces defines which namespaces ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. 
- */ - export interface GatewaySpecAllowedListenersNamespacesPatch { - /** - * From indicates where ListenerSets can attach to this Gateway. Possible - * values are: - * - * * Same: Only ListenerSets in the same namespace may be attached to this Gateway. - * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway. - * * All: ListenerSets in all namespaces may be attached to this Gateway. - * * None: Only listeners defined in the Gateway's spec are allowed - * - * While this feature is experimental, the default value None - */ - from: string; - selector: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorPatch; - } - - /** - * Selector must be specified when From is set to "Selector". In that case, - * only ListenerSets in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - */ - export interface GatewaySpecAllowedListenersNamespacesSelector { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. - */ - matchLabels: {[key: string]: string}; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. 
- */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * A label selector requirement is a selector that contains values, a key, and an operator that - * relates the key and values. - */ - export interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch { - /** - * key is the label key that the selector applies to. - */ - key: string; - /** - * operator represents a key's relationship to a set of values. - * Valid operators are In, NotIn, Exists and DoesNotExist. - */ - operator: string; - /** - * values is an array of string values. If the operator is In or NotIn, - * the values array must be non-empty. If the operator is Exists or DoesNotExist, - * the values array must be empty. This array is replaced during a strategic - * merge patch. - */ - values: string[]; - } - - /** - * Selector must be specified when From is set to "Selector". In that case, - * only ListenerSets in Namespaces matching this Selector will be selected by this - * Gateway. This field is ignored for other values of "From". - */ - export interface GatewaySpecAllowedListenersNamespacesSelectorPatch { - /** - * matchExpressions is a list of label selector requirements. The requirements are ANDed. - */ - matchExpressions: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch[]; - /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - * map is equivalent to an element of matchExpressions, whose key field is "key", the - * operator is "In", and the values array contains only "value". The requirements are ANDed. 
- */ - matchLabels: {[key: string]: string}; - } - - /** - * AllowedListeners defines which ListenerSets can be attached to this Gateway. - * While this feature is experimental, the default value is to allow no ListenerSets. - */ - export interface GatewaySpecAllowedListenersPatch { - namespaces: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesPatch; - } - /** * Infrastructure defines infrastructure level attributes about this Gateway instance. * - * Support: Extended + * + * Support: Core */ export interface GatewaySpecInfrastructure { /** * Annotations that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. * + * * An implementation may chose to add additional implementation-specific annotations as they see fit. * + * * Support: Extended */ annotations: {[key: string]: string}; /** * Labels that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. * For other implementations, this refers to any relevant (implementation specific) "labels" concepts. * + * * An implementation may chose to add additional implementation-specific labels as they see fit. * - * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - * change, it SHOULD clearly warn about this behavior in documentation. * * Support: Extended */ 
@@ -44127,16 +35886,14 @@ export namespace gateway { * parameters corresponding to the Gateway. This is optional if the * controller does not require any additional configuration. * + * * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis * + * * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Gateway SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. * * Support: Implementation-specific */ @@ -44160,16 +35917,14 @@ export namespace gateway { * parameters corresponding to the Gateway. This is optional if the * controller does not require any additional configuration. * + * * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis * + * * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, * the merging behavior is implementation specific. * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. * - * If the referent cannot be found, refers to an unsupported kind, or when - * the data within that resource is malformed, the Gateway SHOULD be - * rejected with the "Accepted" status condition set to "False" and an - * "InvalidParameters" reason. * * Support: Implementation-specific */ 
@@ -44191,30 +35946,34 @@ export namespace gateway { /** * Infrastructure defines infrastructure level attributes about this Gateway instance. * - * Support: Extended + * + * Support: Core */ export interface GatewaySpecInfrastructurePatch { /** * Annotations that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. * + * * An implementation may chose to add additional implementation-specific annotations as they see fit. * + * * Support: Extended */ annotations: {[key: string]: string}; /** * Labels that SHOULD be applied to any resources created in response to this Gateway. * + * * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. * For other implementations, this refers to any relevant (implementation specific) "labels" concepts. * + * * An implementation may chose to add additional implementation-specific labels as they see fit. * - * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels - * change, it SHOULD clearly warn about this behavior in documentation. * * Support: Extended */ 
@@ -44234,36 +35993,18 @@ export namespace gateway { * field is ignored for protocols that don't require hostname based * matching. * + * * Implementations MUST apply Hostname matching appropriately for each of * the following protocols: * + * * * TLS: The Listener Hostname MUST match the SNI. * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - * Note that this does not require the SNI and Host header to be the same. - * The semantics of this are described in more detail below. + * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + * protocol layers as described above. If an implementation does not + * ensure that both the SNI and Host header match the Listener hostname, + * it MUST clearly document that. * - * To ensure security, Section 11.1 of RFC-6066 emphasizes that server - * implementations that rely on SNI hostname matching MUST also verify - * hostnames within the application protocol. - * - * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - * reuse of a connection by responding with the HTTP 421 Misdirected Request - * status code. This indicates that the origin server has rejected the - * request because it appears to have been misdirected. - * - * To detect misdirected requests, Gateways SHOULD match the authority of - * the requests with all the SNI hostname(s) configured across all the - * Gateway Listeners on the same port and protocol: - * - * * If another Listener has an exact match or more specific wildcard entry, - * the Gateway SHOULD return a 421. - * * If the current Listener (selected by SNI matching during ClientHello) - * does not match the Host: - * * If another Listener does match the Host the Gateway SHOULD return a - * 421. - * * If no other Listener matches the Host, the Gateway MUST return a - * 404. 
* * For HTTPRoute and TLSRoute resources, there is an interaction with the * `spec.hostnames` array. When both listener and route specify hostnames, @@ -44271,10 +36012,12 @@ export namespace gateway { * accepted. For more information, refer to the Route specific Hostnames * documentation. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * Support: Core */ hostname: string; @@ -44282,6 +36025,7 @@ export namespace gateway { * Name is the name of the Listener. This name MUST be unique within a * Gateway. * + * * Support: Core */ name: string; @@ -44289,12 +36033,14 @@ export namespace gateway { * Port is the network port. Multiple listeners may use the * same port, subject to the Listener compatibility rules. * + * * Support: Core */ port: number; /** * Protocol specifies the network protocol this listener expects to receive. * + * * Support: Core */ protocol: string; @@ -44306,10 +36052,12 @@ export namespace gateway { * Listener and the trusted namespaces where those Route resources MAY be * present. * + * * Although a client request may match multiple route rules, only one rule * may ultimately receive the request. Matching precedence MUST be * determined in order of the following criteria: * + * * * The most specific match as defined by the Route type. * * The oldest Route based on creation timestamp. For example, a Route with * a creation timestamp of "2020-09-08 01:02:03" is given precedence over 
@@ -44318,6 +36066,7 @@ export namespace gateway { * alphabetical order (namespace/name) should be given precedence. For * example, foo/bar is given precedence over foo/baz. * + * * All valid rules within a Route attached to this Listener should be * implemented. Invalid Route rules can be ignored (sometimes that will mean * the full Route). If a Route rule transitions from valid to invalid, @@ -44325,6 +36074,7 @@ export namespace gateway { * example, even if a filter specified by a Route rule is invalid, the rest * of the rules within that Route should still be supported. * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutes { @@ -44333,12 +36083,14 @@ export namespace gateway { * to this Gateway Listener. When unspecified or empty, the kinds of Routes * selected are determined using the Listener protocol. * + * * A RouteGroupKind MUST correspond to kinds of Routes that are compatible * with the application protocol specified in the Listener's Protocol field. * If an implementation does not support or recognize this resource type, it * MUST set the "ResolvedRefs" condition to False for this Listener with the * "InvalidRouteKinds" reason. * + * * Support: Core */ kinds: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesKinds[]; @@ -44377,6 +36129,7 @@ export namespace gateway { * Namespaces indicates namespaces from which Routes may be attached to this * Listener. This is restricted to the namespace of this Gateway by default. * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesNamespaces { @@ -44384,11 +36137,13 @@ export namespace gateway { * From indicates where Routes will be selected for this Gateway. Possible * values are: * + * * * All: Routes in all namespaces may be used by this Gateway. * * Selector: Routes in namespaces selected by the selector may be used by * this Gateway. * * Same: Only Routes in the same namespace may be used by this Gateway. * + * * Support: Core */ from: string; 
@@ -44399,6 +36154,7 @@ export namespace gateway { * Namespaces indicates namespaces from which Routes may be attached to this * Listener. This is restricted to the namespace of this Gateway by default. * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesNamespacesPatch { @@ -44406,11 +36162,13 @@ export namespace gateway { * From indicates where Routes will be selected for this Gateway. Possible * values are: * + * * * All: Routes in all namespaces may be used by this Gateway. * * Selector: Routes in namespaces selected by the selector may be used by * this Gateway. * * Same: Only Routes in the same namespace may be used by this Gateway. * + * * Support: Core */ from: string; @@ -44422,6 +36180,7 @@ export namespace gateway { * only Routes in Namespaces matching this Selector will be selected by this * Gateway. This field is ignored for other values of "From". * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesNamespacesSelector { @@ -44488,6 +36247,7 @@ export namespace gateway { * only Routes in Namespaces matching this Selector will be selected by this * Gateway. This field is ignored for other values of "From". * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch { @@ -44508,10 +36268,12 @@ export namespace gateway { * Listener and the trusted namespaces where those Route resources MAY be * present. * + * * Although a client request may match multiple route rules, only one rule * may ultimately receive the request. Matching precedence MUST be * determined in order of the following criteria: * + * * * The most specific match as defined by the Route type. * * The oldest Route based on creation timestamp. For example, a Route with * a creation timestamp of "2020-09-08 01:02:03" is given precedence over 
@@ -44520,6 +36282,7 @@ export namespace gateway { * alphabetical order (namespace/name) should be given precedence. For * example, foo/bar is given precedence over foo/baz. * + * * All valid rules within a Route attached to this Listener should be * implemented. Invalid Route rules can be ignored (sometimes that will mean * the full Route). If a Route rule transitions from valid to invalid, @@ -44527,6 +36290,7 @@ export namespace gateway { * example, even if a filter specified by a Route rule is invalid, the rest * of the rules within that Route should still be supported. * + * * Support: Core */ export interface GatewaySpecListenersAllowedRoutesPatch { @@ -44535,12 +36299,14 @@ export namespace gateway { * to this Gateway Listener. When unspecified or empty, the kinds of Routes * selected are determined using the Listener protocol. * + * * A RouteGroupKind MUST correspond to kinds of Routes that are compatible * with the application protocol specified in the Listener's Protocol field. * If an implementation does not support or recognize this resource type, it * MUST set the "ResolvedRefs" condition to False for this Listener with the * "InvalidRouteKinds" reason. * + * * Support: Core */ kinds: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesKindsPatch[]; 
@@ -44559,36 +36325,18 @@ export namespace gateway { * field is ignored for protocols that don't require hostname based * matching. * + * * Implementations MUST apply Hostname matching appropriately for each of * the following protocols: * + * * * TLS: The Listener Hostname MUST match the SNI. * * HTTP: The Listener Hostname MUST match the Host header of the request. - * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. - * Note that this does not require the SNI and Host header to be the same. - * The semantics of this are described in more detail below. + * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + * protocol layers as described above. If an implementation does not + * ensure that both the SNI and Host header match the Listener hostname, + * it MUST clearly document that. * - * To ensure security, Section 11.1 of RFC-6066 emphasizes that server - * implementations that rely on SNI hostname matching MUST also verify - * hostnames within the application protocol. - * - * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the - * reuse of a connection by responding with the HTTP 421 Misdirected Request - * status code. This indicates that the origin server has rejected the - * request because it appears to have been misdirected. - * - * To detect misdirected requests, Gateways SHOULD match the authority of - * the requests with all the SNI hostname(s) configured across all the - * Gateway Listeners on the same port and protocol: - * - * * If another Listener has an exact match or more specific wildcard entry, - * the Gateway SHOULD return a 421. - * * If the current Listener (selected by SNI matching during ClientHello) - * does not match the Host: - * * If another Listener does match the Host the Gateway SHOULD return a - * 421. - * * If no other Listener matches the Host, the Gateway MUST return a - * 404. 
* * For HTTPRoute and TLSRoute resources, there is an interaction with the * `spec.hostnames` array. When both listener and route specify hostnames, @@ -44596,10 +36344,12 @@ export namespace gateway { * accepted. For more information, refer to the Route specific Hostnames * documentation. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * Support: Core */ hostname: string; @@ -44607,6 +36357,7 @@ export namespace gateway { * Name is the name of the Listener. This name MUST be unique within a * Gateway. * + * * Support: Core */ name: string; @@ -44614,12 +36365,14 @@ export namespace gateway { * Port is the network port. Multiple listeners may use the * same port, subject to the Listener compatibility rules. * + * * Support: Core */ port: number; /** * Protocol specifies the network protocol this listener expects to receive. * + * * Support: Core */ protocol: string; @@ -44631,12 +36384,15 @@ export namespace gateway { * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field * if the Protocol field is "HTTP", "TCP", or "UDP". * - * The association of SNIs to Certificate defined in ListenerTLSConfig is + * + * The association of SNIs to Certificate defined in GatewayTLSConfig is * defined based on the Hostname field for this listener. * + * * The GatewayClass MUST use the longest matching SNI out of all * available certificates for any TLS handshake. * + * * Support: Core */ export interface GatewaySpecListenersTls { 
@@ -44646,31 +36402,39 @@ export namespace gateway { * establish a TLS handshake for requests that match the hostname of the * associated listener. * + * * A single CertificateRef to a Kubernetes Secret has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a Listener, but this behavior is implementation-specific. * + * * References to a resource in different namespace are invalid UNLESS there * is a ReferenceGrant in the target namespace that allows the certificate * to be attached. If a ReferenceGrant does not allow this reference, the * "ResolvedRefs" condition MUST be set to False for this listener with the * "RefNotPermitted" reason. * + * * This field is required to have at least one element when the mode is set * to "Terminate" (default) and is optional otherwise. * + * * CertificateRefs can reference to standard Kubernetes resources, i.e. * Secret, or implementation-specific custom resources. * + * * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls * + * * Support: Implementation-specific (More than one reference or other resource types) */ certificateRefs: outputs.gateway.v1beta1.GatewaySpecListenersTlsCertificateRefs[]; + frontendValidation: outputs.gateway.v1beta1.GatewaySpecListenersTlsFrontendValidation; /** * Mode defines the TLS behavior for the TLS session initiated by the client. * There are two possible modes: * + * * - Terminate: The TLS session between the downstream client and the * Gateway is terminated at the Gateway. This mode requires certificates * to be specified in some way, such as populating the certificateRefs @@ -44680,6 +36444,7 @@ export namespace gateway { * the ClientHello message of the TLS protocol. The certificateRefs field * is ignored in this mode. * + * * Support: Core */ mode: string; 
@@ -44688,11 +36453,13 @@ export namespace gateway { * configuration for each implementation. For example, configuring the * minimum TLS version or supported cipher suites. * + * * A set of common keys MAY be defined by the API in the future. To avoid * any ambiguity, implementation-specific definitions MUST use * domain-prefixed names, such as `example.com/my-custom-option`. * Un-prefixed names are reserved for key names defined by Gateway API. * + * * Support: Implementation-specific */ options: {[key: string]: string}; @@ -44702,9 +36469,11 @@ export namespace gateway { * SecretObjectReference identifies an API object including its namespace, * defaulting to Secret. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. @@ -44727,11 +36496,13 @@ export namespace gateway { * Namespace is the namespace of the referenced object. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -44741,9 +36512,11 @@ export namespace gateway { * SecretObjectReference identifies an API object including its namespace, * defaulting to Secret. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. * + * * References to objects with invalid Group and Kind are not valid, and must * be rejected by the implementation, with appropriate Conditions set * on the containing object. 
@@ -44766,27 +36539,198 @@ export namespace gateway { * Namespace is the namespace of the referenced object. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; } + /** + * FrontendValidation holds configuration information for validating the frontend (client). + * Setting this field will require clients to send a client certificate + * required for validation during the TLS handshake. In browsers this may result in a dialog appearing + * that requests a user to specify the client certificate. + * The maximum depth of a certificate chain accepted in verification is Implementation specific. + * + * + * Support: Extended + */ + export interface GatewaySpecListenersTlsFrontendValidation { + /** + * CACertificateRefs contains one or more references to + * Kubernetes objects that contain TLS certificates of + * the Certificate Authorities that can be used + * as a trust anchor to validate the certificates presented by the client. + * + * + * A single CA certificate reference to a Kubernetes ConfigMap + * has "Core" support. + * Implementations MAY choose to support attaching multiple CA certificates to + * a Listener, but this behavior is implementation-specific. + * + * + * Support: Core - A single reference to a Kubernetes ConfigMap + * with the CA certificate in a key named `ca.crt`. + * + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). + * + * + * References to a resource in a different namespace are invalid UNLESS there + * is a ReferenceGrant in the target namespace that allows the certificate + * to be attached. 
If a ReferenceGrant does not allow this reference, the + * "ResolvedRefs" condition MUST be set to False for this listener with the + * "RefNotPermitted" reason. + */ + caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecListenersTlsFrontendValidationCaCertificateRefs[]; + } + + /** + * ObjectReference identifies an API object including its namespace. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + * + * + * References to objects with invalid Group and Kind are not valid, and must + * be rejected by the implementation, with appropriate Conditions set + * on the containing object. + */ + export interface GatewaySpecListenersTlsFrontendValidationCaCertificateRefs { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is kind of the referent. For example "ConfigMap" or "Service". + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the referenced object. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + } + + /** + * ObjectReference identifies an API object including its namespace. + * + * + * The API object must be valid in the cluster; the Group and Kind must + * be registered in the cluster for this reference to be valid. + * + * + * References to objects with invalid Group and Kind are not valid, and must + * be rejected by the implementation, with appropriate Conditions set + * on the containing object. 
+ */ + export interface GatewaySpecListenersTlsFrontendValidationCaCertificateRefsPatch { + /** + * Group is the group of the referent. For example, "gateway.networking.k8s.io". + * When unspecified or empty string, core API group is inferred. + */ + group: string; + /** + * Kind is kind of the referent. For example "ConfigMap" or "Service". + */ + kind: string; + /** + * Name is the name of the referent. + */ + name: string; + /** + * Namespace is the namespace of the referenced object. When unspecified, the local + * namespace is inferred. + * + * + * Note that when a namespace different than the local namespace is specified, + * a ReferenceGrant object is required in the referent namespace to allow that + * namespace's owner to accept the reference. See the ReferenceGrant + * documentation for details. + * + * + * Support: Core + */ + namespace: string; + } + + /** + * FrontendValidation holds configuration information for validating the frontend (client). + * Setting this field will require clients to send a client certificate + * required for validation during the TLS handshake. In browsers this may result in a dialog appearing + * that requests a user to specify the client certificate. + * The maximum depth of a certificate chain accepted in verification is Implementation specific. + * + * + * Support: Extended + */ + export interface GatewaySpecListenersTlsFrontendValidationPatch { + /** + * CACertificateRefs contains one or more references to + * Kubernetes objects that contain TLS certificates of + * the Certificate Authorities that can be used + * as a trust anchor to validate the certificates presented by the client. + * + * + * A single CA certificate reference to a Kubernetes ConfigMap + * has "Core" support. + * Implementations MAY choose to support attaching multiple CA certificates to + * a Listener, but this behavior is implementation-specific. 
+ * + * + * Support: Core - A single reference to a Kubernetes ConfigMap + * with the CA certificate in a key named `ca.crt`. + * + * + * Support: Implementation-specific (More than one reference, or other kinds + * of resources). + * + * + * References to a resource in a different namespace are invalid UNLESS there + * is a ReferenceGrant in the target namespace that allows the certificate + * to be attached. If a ReferenceGrant does not allow this reference, the + * "ResolvedRefs" condition MUST be set to False for this listener with the + * "RefNotPermitted" reason. + */ + caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecListenersTlsFrontendValidationCaCertificateRefsPatch[]; + } + /** * TLS is the TLS configuration for the Listener. This field is required if * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field * if the Protocol field is "HTTP", "TCP", or "UDP". * - * The association of SNIs to Certificate defined in ListenerTLSConfig is + * + * The association of SNIs to Certificate defined in GatewayTLSConfig is * defined based on the Hostname field for this listener. * + * * The GatewayClass MUST use the longest matching SNI out of all * available certificates for any TLS handshake. * + * * Support: Core */ export interface GatewaySpecListenersTlsPatch { 
@@ -44796,31 +36740,39 @@ export namespace gateway { * establish a TLS handshake for requests that match the hostname of the * associated listener. * + * * A single CertificateRef to a Kubernetes Secret has "Core" support. * Implementations MAY choose to support attaching multiple certificates to * a Listener, but this behavior is implementation-specific. * + * * References to a resource in different namespace are invalid UNLESS there * is a ReferenceGrant in the target namespace that allows the certificate * to be attached. If a ReferenceGrant does not allow this reference, the * "ResolvedRefs" condition MUST be set to False for this listener with the * "RefNotPermitted" reason. * + * * This field is required to have at least one element when the mode is set * to "Terminate" (default) and is optional otherwise. * + * * CertificateRefs can reference to standard Kubernetes resources, i.e. * Secret, or implementation-specific custom resources. * + * * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls * + * * Support: Implementation-specific (More than one reference or other resource types) */ certificateRefs: outputs.gateway.v1beta1.GatewaySpecListenersTlsCertificateRefsPatch[]; + frontendValidation: outputs.gateway.v1beta1.GatewaySpecListenersTlsFrontendValidationPatch; /** * Mode defines the TLS behavior for the TLS session initiated by the client. * There are two possible modes: * + * * - Terminate: The TLS session between the downstream client and the * Gateway is terminated at the Gateway. This mode requires certificates * to be specified in some way, such as populating the certificateRefs @@ -44830,6 +36782,7 @@ export namespace gateway { * the ClientHello message of the TLS protocol. The certificateRefs field * is ignored in this mode. * + * * Support: Core */ mode: string; 
@@ -44838,11 +36791,13 @@ export namespace gateway { * configuration for each implementation. For example, configuring the * minimum TLS version or supported cipher suites. * + * * A set of common keys MAY be defined by the API in the future. To avoid * any ambiguity, implementation-specific definitions MUST use * domain-prefixed names, such as `example.com/my-custom-option`. * Un-prefixed names are reserved for key names defined by Gateway API. * + * * Support: Implementation-specific */ options: {[key: string]: string}; @@ -44856,7 +36811,8 @@ export namespace gateway { * Addresses requested for this Gateway. This is optional and behavior can * depend on the implementation. If a value is set in the spec and the * requested address is invalid or unavailable, the implementation MUST - * indicate this in an associated entry in GatewayStatus.Conditions. + * indicate this in the associated entry in GatewayStatus.Addresses. + * * * The Addresses field represents a request for the address(es) on the * "outside of the Gateway", that traffic bound for this Gateway will use. 
@@ -44864,38 +36820,20 @@ export namespace gateway { * other networking infrastructure, or some other address that traffic will * be sent to. * + * * If no Addresses are specified, the implementation MAY schedule the * Gateway in an implementation-specific manner, assigning an appropriate * set of Addresses. * + * * The implementation MUST bind all Listeners to every GatewayAddress that * it assigns to the Gateway and add a corresponding entry in * GatewayStatus.Addresses. * + * * Support: Extended */ addresses: outputs.gateway.v1beta1.GatewaySpecAddressesPatch[]; - allowedListeners: outputs.gateway.v1beta1.GatewaySpecAllowedListenersPatch; - /** - * DefaultScope, when set, configures the Gateway as a default Gateway, - * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute) - * attached to it, according to the scope configured here. - * - * If unset (the default) or set to None, the Gateway will not act as a - * default Gateway; if set, the Gateway will claim any Route with a - * matching scope set in its UseDefaultGateway field, subject to the usual - * rules about which routes the Gateway can attach to. - * - * Think carefully before using this functionality! While the normal rules - * about which Route can apply are still enforced, it is simply easier for - * the wrong Route to be accidentally attached to this Gateway in this - * configuration. If the Gateway operator is not also the operator in - * control of the scope (e.g. namespace) with tight controls and checks on - * what kind of workloads and Routes get added in that scope, we strongly - * recommend not using this just because it seems convenient, and instead - * stick to direct Route attachment. - */ - defaultScope: string; /** * GatewayClassName used for this Gateway. This is the name of a * GatewayClass resource. 
@@ -44907,7 +36845,6 @@ export namespace gateway { * logical endpoints that are bound on this Gateway's addresses. * At least one Listener MUST be specified. * - * ## Distinct Listeners * * Each Listener in a set of Listeners (for example, in a single Gateway) * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to 
@@ -44916,107 +36853,97 @@ export namespace gateway { * from multiple Gateways onto a single data plane, and these rules _also_ * apply in that case). * + * * Practically, this means that each listener in a set MUST have a unique * combination of Port, Protocol, and, if supported by the protocol, Hostname. * - * Some combinations of port, protocol, and TLS settings are considered - * Core support and MUST be supported by implementations based on the objects - * they support: * - * HTTPRoute + * Some combinations of port, protocol, and TLS settings are considered + * Core support and MUST be supported by implementations based on their + * targeted conformance profile: + * + * + * HTTP Profile + * * * 1. HTTPRoute, Port: 80, Protocol: HTTP * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided * - * TLSRoute + * + * TLS Profile + * * * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough * + * * "Distinct" Listeners have the following property: * - * **The implementation can match inbound requests to a single distinct - * Listener**. * - * When multiple Listeners share values for fields (for + * The implementation can match inbound requests to a single distinct + * Listener. When multiple Listeners share values for fields (for * example, two Listeners with the same Port value), the implementation * can match requests to only one of the Listeners using other * Listener fields. * - * When multiple listeners have the same value for the Protocol field, then - * each of the Listeners with matching Protocol values MUST have different - * values for other fields. * - * The set of fields that MUST be different for a Listener differs per protocol. - * The following rules define the rules for what fields MUST be considered for - * Listeners to be distinct with each protocol currently defined in the - * Gateway API spec. 
+ * For example, the following Listener scenarios are distinct: * - * The set of listeners that all share a protocol value MUST have _different_ - * values for _at least one_ of these fields to be distinct: * - * * **HTTP, HTTPS, TLS**: Port, Hostname - * * **TCP, UDP**: Port + * 1. Multiple Listeners with the same Port that all use the "HTTP" + * Protocol that all have unique Hostname values. + * 2. Multiple Listeners with the same Port that use either the "HTTPS" or + * "TLS" Protocol that all have unique Hostname values. + * 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + * with the same Protocol has the same Port value. * - * One **very** important rule to call out involves what happens when an - * implementation: * - * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol - * Listeners, and - * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP - * Protocol. + * Some fields in the Listener struct have possible values that affect + * whether the Listener is distinct. Hostname is particularly relevant + * for HTTP or HTTPS protocols. * - * In this case all the Listeners that share a port with the - * TCP Listener are not distinct and so MUST NOT be accepted. * - * If an implementation does not support TCP Protocol Listeners, then the - * previous rule does not apply, and the TCP Listeners SHOULD NOT be - * accepted. + * When using the Hostname value to select between same-Port, same-Protocol + * Listeners, the Hostname value must be different on each Listener for the + * Listener to be distinct. * - * Note that the `tls` field is not used for determining if a listener is distinct, because - * Listeners that _only_ differ on TLS config will still conflict in all cases. 
* - * ### Listeners that are distinct only by Hostname - * - * When the Listeners are distinct based only on Hostname, inbound request + * When the Listeners are distinct based on Hostname, inbound request * hostnames MUST match from the most specific to least specific Hostname * values to choose the correct Listener and its associated set of Routes. * - * Exact matches MUST be processed before wildcard matches, and wildcard - * matches MUST be processed before fallback (empty Hostname value) + * + * Exact matches must be processed before wildcard matches, and wildcard + * matches must be processed before fallback (empty Hostname value) * matches. For example, `"foo.example.com"` takes precedence over * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. * + * * Additionally, if there are multiple wildcard entries, more specific * wildcard entries must be processed before less specific wildcard entries. * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. - * * The precise definition here is that the higher the number of dots in the * hostname to the right of the wildcard character, the higher the precedence. * + * * The wildcard character will match any number of characters _and dots_ to * the left, however, so `"*.example.com"` will match both * `"foo.bar.example.com"` _and_ `"bar.example.com"`. * - * ## Handling indistinct Listeners * * If a set of Listeners contains Listeners that are not distinct, then those - * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + * Listeners are Conflicted, and the implementation MUST set the "Conflicted" * condition in the Listener Status to "True". * - * The words "indistinct" and "conflicted" are considered equivalent for the - * purpose of this documentation. * * Implementations MAY choose to accept a Gateway with some Conflicted * Listeners only if they only accept the partial Listener set that contains - * no Conflicted Listeners. 
+ * no Conflicted Listeners. To put this another way, implementations may + * accept a partial Listener set only if they throw out *all* the conflicting + * Listeners. No picking one of the conflicting listeners as the winner. + * This also means that the Gateway must have at least one non-conflicting + * Listener in this case, otherwise it violates the requirement that at + * least one Listener must be present. * - * Specifically, an implementation MAY accept a partial Listener set subject to - * the following rules: - * - * * The implementation MUST NOT pick one conflicting Listener as the winner. - * ALL indistinct Listeners must not be accepted for processing. - * * At least one distinct Listener MUST be present, or else the Gateway effectively - * contains _no_ Listeners, and must be rejected from processing as a whole. * * The implementation MUST set a "ListenersNotValid" condition on the * Gateway Status when the Gateway contains Conflicted Listeners whether or 
@@ -45025,656 +36952,41 @@ export namespace gateway { * Accepted. Additionally, the Listener status for those listeners SHOULD * indicate which Listeners are conflicted and not Accepted. * - * ## General Listener behavior * - * Note that, for all distinct Listeners, requests SHOULD match at most one Listener. - * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a - * request to "foo.example.com" SHOULD only be routed using routes attached - * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * A Gateway's Listeners are considered "compatible" if: * - * This concept is known as "Listener Isolation", and it is an Extended feature - * of Gateway API. Implementations that do not support Listener Isolation MUST - * clearly document this, and MUST NOT claim support for the - * `GatewayHTTPListenerIsolation` feature. - * - * Implementations that _do_ support Listener Isolation SHOULD claim support - * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated - * conformance tests. - * - * ## Compatible Listeners - * - * A Gateway's Listeners are considered _compatible_ if: * * 1. They are distinct. * 2. The implementation can serve them in compliance with the Addresses * requirement that all Listeners are available on all assigned * addresses. * + * * Compatible combinations in Extended support are expected to vary across * implementations. A combination that is compatible for one implementation * may not be compatible for another. * + * * For example, an implementation that cannot serve both TCP and UDP listeners * on the same address, or cannot mix HTTPS and generic TLS listens on the same port * would not consider those cases compatible, even though they are distinct. * + * + * Note that requests SHOULD match at most one Listener. 
For example, if + * Listeners are defined for "foo.example.com" and "*.example.com", a + * request to "foo.example.com" SHOULD only be routed using routes attached + * to the "foo.example.com" Listener (and not the "*.example.com" Listener). + * This concept is known as "Listener Isolation". Implementations that do + * not support Listener Isolation MUST clearly document this. + * + * * Implementations MAY merge separate Gateways onto a single set of * Addresses if all Listeners across all Gateways are compatible. * - * In a future release the MinItems=1 requirement MAY be dropped. * * Support: Core */ listeners: outputs.gateway.v1beta1.GatewaySpecListenersPatch[]; - tls: outputs.gateway.v1beta1.GatewaySpecTlsPatch; - } - - /** - * TLS specifies frontend and backend tls configuration for entire gateway. - * - * Support: Extended - */ - export interface GatewaySpecTls { - backend: outputs.gateway.v1beta1.GatewaySpecTlsBackend; - frontend: outputs.gateway.v1beta1.GatewaySpecTlsFrontend; - } - - /** - * Backend describes TLS configuration for gateway when connecting - * to backends. - * - * Note that this contains only details for the Gateway as a TLS client, - * and does _not_ imply behavior about how to choose which backend should - * get a TLS connection. That is determined by the presence of a BackendTLSPolicy. - * - * Support: Core - */ - export interface GatewaySpecTlsBackend { - clientCertificateRef: outputs.gateway.v1beta1.GatewaySpecTlsBackendClientCertificateRef; - } - - /** - * ClientCertificateRef is a reference to an object that contains a Client - * Certificate and the associated private key. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. 
- * - * ClientCertificateRef can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - */ - export interface GatewaySpecTlsBackendClientCertificateRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - - /** - * ClientCertificateRef is a reference to an object that contains a Client - * Certificate and the associated private key. - * - * References to a resource in different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - * - * ClientCertificateRef can reference to standard Kubernetes resources, i.e. - * Secret, or implementation-specific custom resources. - * - * Support: Core - */ - export interface GatewaySpecTlsBackendClientCertificateRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "Secret". - */ - kind: string; - /** - * Name is the name of the referent. 
- */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - - /** - * Backend describes TLS configuration for gateway when connecting - * to backends. - * - * Note that this contains only details for the Gateway as a TLS client, - * and does _not_ imply behavior about how to choose which backend should - * get a TLS connection. That is determined by the presence of a BackendTLSPolicy. - * - * Support: Core - */ - export interface GatewaySpecTlsBackendPatch { - clientCertificateRef: outputs.gateway.v1beta1.GatewaySpecTlsBackendClientCertificateRefPatch; - } - - /** - * Frontend describes TLS config when client connects to Gateway. - * Support: Core - */ - export interface GatewaySpecTlsFrontend { - default: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefault; - /** - * PerPort specifies tls configuration assigned per port. - * Per port configuration is optional. Once set this configuration overrides - * the default configuration for all Listeners handling HTTPS traffic - * that match this port. - * Each override port requires a unique TLS configuration. - * - * support: Core - */ - perPort: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPort[]; - } - - /** - * Default specifies the default client certificate validation configuration - * for all Listeners handling HTTPS traffic, unless a per-port configuration - * is defined. 
- * - * support: Core - */ - export interface GatewaySpecTlsFrontendDefault { - validation: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidation; - } - - /** - * Default specifies the default client certificate validation configuration - * for all Listeners handling HTTPS traffic, unless a per-port configuration - * is defined. - * - * support: Core - */ - export interface GatewaySpecTlsFrontendDefaultPatch { - validation: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationPatch; - } - - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendDefaultValidation { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. 
If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs[]; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode: string; - } - - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. 
When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. 
- * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendDefaultValidationPatch { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch[]; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. 
- * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode: string; - } - - /** - * Frontend describes TLS config when client connects to Gateway. - * Support: Core - */ - export interface GatewaySpecTlsFrontendPatch { - default: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultPatch; - /** - * PerPort specifies tls configuration assigned per port. - * Per port configuration is optional. Once set this configuration overrides - * the default configuration for all Listeners handling HTTPS traffic - * that match this port. - * Each override port requires a unique TLS configuration. - * - * support: Core - */ - perPort: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortPatch[]; - } - - export interface GatewaySpecTlsFrontendPerPort { - /** - * The Port indicates the Port Number to which the TLS configuration will be - * applied. This configuration will be applied to all Listeners handling HTTPS - * traffic that match this port. - * - * Support: Core - */ - port: number; - tls: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTls; - } - - export interface GatewaySpecTlsFrontendPerPortPatch { - /** - * The Port indicates the Port Number to which the TLS configuration will be - * applied. This configuration will be applied to all Listeners handling HTTPS - * traffic that match this port. - * - * Support: Core - */ - port: number; - tls: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsPatch; - } - - /** - * TLS store the configuration that will be applied to all Listeners handling - * HTTPS traffic and matching given port. 
- * - * Support: Core - */ - export interface GatewaySpecTlsFrontendPerPortTls { - validation: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidation; - } - - /** - * TLS store the configuration that will be applied to all Listeners handling - * HTTPS traffic and matching given port. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendPerPortTlsPatch { - validation: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationPatch; - } - - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. - * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendPerPortTlsValidation { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. 
If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs[]; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. - * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode: string; - } - - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. 
When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - - /** - * ObjectReference identifies an API object including its namespace. - * - * The API object must be valid in the cluster; the Group and Kind must - * be registered in the cluster for this reference to be valid. - * - * References to objects with invalid Group and Kind are not valid, and must - * be rejected by the implementation, with appropriate Conditions set - * on the containing object. - */ - export interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When set to the empty string, core API group is inferred. - */ - group: string; - /** - * Kind is kind of the referent. For example "ConfigMap" or "Service". - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the referenced object. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - } - - /** - * Validation holds configuration information for validating the frontend (client). - * Setting this field will result in mutual authentication when connecting to the gateway. - * In browsers this may result in a dialog appearing - * that requests a user to specify the client certificate. 
- * The maximum depth of a certificate chain accepted in verification is Implementation specific. - * - * Support: Core - */ - export interface GatewaySpecTlsFrontendPerPortTlsValidationPatch { - /** - * CACertificateRefs contains one or more references to - * Kubernetes objects that contain TLS certificates of - * the Certificate Authorities that can be used - * as a trust anchor to validate the certificates presented by the client. - * - * A single CA certificate reference to a Kubernetes ConfigMap - * has "Core" support. - * Implementations MAY choose to support attaching multiple CA certificates to - * a Listener, but this behavior is implementation-specific. - * - * Support: Core - A single reference to a Kubernetes ConfigMap - * with the CA certificate in a key named `ca.crt`. - * - * Support: Implementation-specific (More than one certificate in a ConfigMap - * with different keys or more than one reference, or other kinds of resources). - * - * References to a resource in a different namespace are invalid UNLESS there - * is a ReferenceGrant in the target namespace that allows the certificate - * to be attached. If a ReferenceGrant does not allow this reference, the - * "ResolvedRefs" condition MUST be set to False for this listener with the - * "RefNotPermitted" reason. - */ - caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch[]; - /** - * FrontendValidationMode defines the mode for validating the client certificate. - * There are two possible modes: - * - * - AllowValidOnly: In this mode, the gateway will accept connections only if - * the client presents a valid certificate. This certificate must successfully - * pass validation against the CA certificates specified in `CACertificateRefs`. - * - AllowInsecureFallback: In this mode, the gateway will accept connections - * even if the client certificate is not presented or fails verification. 
- * - * This approach delegates client authorization to the backend and introduce - * a significant security risk. It should be used in testing environments or - * on a temporary basis in non-testing environments. - * - * Defaults to AllowValidOnly. - * - * Support: Core - */ - mode: string; - } - - /** - * TLS specifies frontend and backend tls configuration for entire gateway. - * - * Support: Extended - */ - export interface GatewaySpecTlsPatch { - backend: outputs.gateway.v1beta1.GatewaySpecTlsBackendPatch; - frontend: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPatch; } /** @@ -45685,9 +36997,11 @@ export namespace gateway { * Addresses lists the network addresses that have been bound to the * Gateway. * + * * This list may differ from the addresses provided in the spec under some * conditions: * + * * * no addresses are specified, all addresses are dynamically assigned * * a combination of specified and dynamic addresses are assigned * * a specified address was unusable (e.g. already in use) @@ -45696,13 +37010,16 @@ export namespace gateway { /** * Conditions describe the current conditions of the Gateway. * + * * Implementations should prefer to express Gateway conditions * using the `GatewayConditionType` and `GatewayConditionReason` * constants so that operators and tools can converge on a common * vocabulary to describe Gateway state. * + * * Known condition types are: * + * * * "Accepted" * * "Programmed" * * "Ready" @@ -45726,6 +37043,7 @@ export namespace gateway { * Value of the address. The validity of the values will depend * on the type and support by the controller. * + * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value: string; @@ -45743,6 +37061,7 @@ export namespace gateway { * Value of the address. The validity of the values will depend * on the type and support by the controller. * + * * Examples: `1.2.3.4`, `128::1`, `my-ip-address`. */ value: string; 
@@ -45750,6 +37069,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayStatusConditions { /** @@ -45782,12 +37117,32 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayStatusConditionsPatch { /** 
@@ -45820,6 +37175,10 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -45832,6 +37191,7 @@ export namespace gateway { * AttachedRoutes represents the total number of Routes that have been * successfully attached to this Listener. * + * * Successful attachment of a Route to a Listener is based solely on the * combination of the AllowedRoutes field on the corresponding Listener * and the Route's ParentRefs field. A Route is successfully attached to @@ -45844,6 +37204,7 @@ export namespace gateway { * for Listeners with condition Accepted: false and MUST count successfully * attached Routes that may themselves have Accepted: false conditions. * + * * Uses for this field include troubleshooting Route attachment and * measuring blast radius/impact of changes to a Listener. */ @@ -45861,6 +37222,7 @@ export namespace gateway { * listener. This MUST represent the kinds an implementation supports for * that Listener configuration. * + * * If kinds are specified in Spec that are not supported, they MUST NOT * appear in this list and an implementation MUST set the "ResolvedRefs" * condition to "False" with the "InvalidRouteKinds" reason. If both valid 
@@ -45872,6 +37234,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayStatusListenersConditions { /** @@ -45904,12 +37282,32 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface GatewayStatusListenersConditionsPatch { /** 
@@ -45942,6 +37340,10 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -45954,6 +37356,7 @@ export namespace gateway { * AttachedRoutes represents the total number of Routes that have been * successfully attached to this Listener. * + * * Successful attachment of a Route to a Listener is based solely on the * combination of the AllowedRoutes field on the corresponding Listener * and the Route's ParentRefs field. A Route is successfully attached to @@ -45966,6 +37369,7 @@ export namespace gateway { * for Listeners with condition Accepted: false and MUST count successfully * attached Routes that may themselves have Accepted: false conditions. * + * * Uses for this field include troubleshooting Route attachment and * measuring blast radius/impact of changes to a Listener. */ @@ -45983,6 +37387,7 @@ export namespace gateway { * listener. This MUST represent the kinds an implementation supports for * that Listener configuration. * + * * If kinds are specified in Spec that are not supported, they MUST NOT * appear in this list and an implementation MUST set the "ResolvedRefs" * condition to "False" with the "InvalidRouteKinds" reason. If both valid @@ -46028,9 +37433,11 @@ export namespace gateway { * Addresses lists the network addresses that have been bound to the * Gateway. * + * * This list may differ from the addresses provided in the spec under some * conditions: * + * * * no addresses are specified, all addresses are dynamically assigned * * a combination of specified and dynamic addresses are assigned * * a specified address was unusable (e.g. already in use) 
@@ -46039,13 +37446,16 @@ export namespace gateway { /** * Conditions describe the current conditions of the Gateway. * + * * Implementations should prefer to express Gateway conditions * using the `GatewayConditionType` and `GatewayConditionReason` * constants so that operators and tools can converge on a common * vocabulary to describe Gateway state. * + * * Known condition types are: * + * * * "Accepted" * * "Programmed" * * "Ready" @@ -46091,17 +37501,21 @@ export namespace gateway { * performing a match and (absent of any applicable header modification * configuration) MUST forward this header unmodified to the backend. * + * * Valid values for Hostnames are determined by RFC 1123 definition of a * hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and HTTPRoute, there * must be at least one intersecting hostname for the HTTPRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches HTTPRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -46112,31 +37526,38 @@ export namespace gateway { * all match. On the other hand, `example.com` and `test.example.net` would * not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and HTTPRoute have specified hostnames, any * HTTPRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * HTTPRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and HTTPRoute have specified hostnames, and none * match with the criteria above, then the HTTPRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. * overlapping wildcard matching and exact matching hostnames), precedence must * be given to rules from the HTTPRoute with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * + * * If ties exist across multiple Routes, the matching precedence rules for * HTTPRouteMatches takes over. * + * * Support: Core */ hostnames: string[]; 
@@ -46152,16 +37573,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -46171,8 +37597,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -46180,12 +37608,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -46193,10 +37623,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -46208,21 +37640,6 @@ export namespace gateway { * Rules are a list of HTTP matchers, filters and actions. */ rules: outputs.gateway.v1beta1.HTTPRouteSpecRules[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** 
@@ -46230,12 +37647,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ @@ -46246,23 +37666,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -46270,6 +37695,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -46277,10 +37703,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -46288,6 +37716,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -46295,6 +37724,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -46304,15 +37734,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -46321,6 +37754,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; 
@@ -46328,6 +37762,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -46335,10 +37770,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -46348,6 +37785,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -46358,12 +37796,15 @@ export namespace gateway { * a parent of this resource (usually a route). There are two kinds of parent resources * with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * The API object must be valid in the cluster; the Group and Kind must * be registered in the cluster for this reference to be valid. */ 
@@ -46374,23 +37815,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -46398,6 +37844,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -46405,10 +37852,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -46416,6 +37865,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; 
@@ -46423,6 +37873,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -46432,15 +37883,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -46449,6 +37903,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -46456,6 +37911,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -46463,10 +37919,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -46476,6 +37934,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -46492,17 +37951,21 @@ export namespace gateway { * performing a match and (absent of any applicable header modification * configuration) MUST forward this header unmodified to the backend. * + * * Valid values for Hostnames are determined by RFC 1123 definition of a * hostname with 2 notable exceptions: * + * * 1. IPs are not allowed. * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard * label must appear by itself as the first label. * + * * If a hostname is specified by both the Listener and HTTPRoute, there * must be at least one intersecting hostname for the HTTPRoute to be * attached to the Listener. For example: * + * * * A Listener with `test.example.com` as the hostname matches HTTPRoutes * that have either not specified any hostnames, or have specified at * least one of `test.example.com` or `*.example.com`. 
@@ -46513,31 +37976,38 @@ export namespace gateway { * all match. On the other hand, `example.com` and `test.example.net` would * not match. * + * * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted * as a suffix match. That means that a match for `*.example.com` would match * both `test.example.com`, and `foo.test.example.com`, but not `example.com`. * + * * If both the Listener and HTTPRoute have specified hostnames, any * HTTPRoute hostnames that do not match the Listener hostname MUST be * ignored. For example, if a Listener specified `*.example.com`, and the * HTTPRoute specified `test.example.com` and `test.example.net`, * `test.example.net` must not be considered for a match. * + * * If both the Listener and HTTPRoute have specified hostnames, and none * match with the criteria above, then the HTTPRoute is not accepted. The * implementation must raise an 'Accepted' Condition with a status of * `False` in the corresponding RouteParentStatus. * + * * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. * overlapping wildcard matching and exact matching hostnames), precedence must * be given to rules from the HTTPRoute with the largest number of: * + * * * Characters in a matching non-wildcard hostname. * * Characters in a matching hostname. * + * * If ties exist across multiple Routes, the matching precedence rules for * HTTPRouteMatches takes over. * + * * Support: Core */ hostnames: string[]; 
@@ -46553,16 +38023,21 @@ export namespace gateway { * create a "producer" route for a Service in a different namespace from the * Route. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * This API may be extended in the future to support additional kinds of parent * resources. * + * * ParentRefs must be _distinct_. This means either that: * + * * * They select different objects. If this is the case, then parentRef * entries are distinct. In terms of fields, this means that the * multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -46572,8 +38047,10 @@ export namespace gateway { * optional fields to different values. If one ParentRef sets a * combination of optional fields, all must set the same combination. * + * * Some examples: * + * * * If one ParentRef sets `sectionName`, all ParentRefs referencing the * same object must also set `sectionName`. * * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -46581,12 +38058,14 @@ export namespace gateway { * * If one ParentRef sets `sectionName` and `port`, all ParentRefs * referencing the same object must also set `sectionName` and `port`. * + * * It is possible to separately reference multiple distinct objects that may * be collapsed by an implementation. For example, some implementations may * choose to merge compatible Gateway Listeners together. If that is the * case, the list of routes attached to those resources should also be * merged. * + * * Note that for ParentRefs that cross namespace boundaries, there are specific * rules. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example, 
@@ -46594,10 +38073,12 @@ export namespace gateway { * generic way to enable other kinds of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -46609,21 +38090,6 @@ export namespace gateway { * Rules are a list of HTTP matchers, filters and actions. */ rules: outputs.gateway.v1beta1.HTTPRouteSpecRulesPatch[]; - /** - * UseDefaultGateways indicates the default Gateway scope to use for this - * Route. If unset (the default) or set to None, the Route will not be - * attached to any default Gateway; if set, it will be attached to any - * default Gateway supporting the named scope, subject to the usual rules - * about which Routes a Gateway is allowed to claim. - * - * Think carefully before using this functionality! The set of default - * Gateways supporting the requested scope can change over time without - * any notice to the Route author, and in many situations it will not be - * appropriate to request a default Gateway for a given Route -- for - * example, a Route with specific security requirements should almost - * certainly not use a default Gateway. - */ - useDefaultGateways: string; } /** 
@@ -46636,37 +38102,41 @@ export namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive a 500 status code. * + * * See the HTTPBackendRef definition for the rules about what makes a single * HTTPBackendRef invalid. * + * * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive a 500 status code. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic must receive a 500. Implementations may * choose how that 50 percent is determined. * - * When a HTTPBackendRef refers to a Service that has no ready endpoints, - * implementations SHOULD return a 503 for requests to that backend instead. - * If an implementation chooses to do this, all of the above rules for 500 responses - * MUST also apply for responses that return a 503. * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefs[]; 
@@ -46674,38 +38144,46 @@ export namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * Wherever possible, implementations SHOULD implement filters in the order * they are specified. * + * * Implementations MAY choose to implement this ordering strictly, rejecting - * any combination or order of filters that cannot be supported. If implementations + * any combination or order of filters that can not be supported. If implementations * choose a strict interpretation of filter ordering, they MUST clearly document * that behavior. * + * * To reject an invalid combination or order of filters, implementations SHOULD * consider the Route Rules with this configuration invalid. If all Route Rules * in a Route are invalid, the entire Route would be considered invalid. If only * a portion of Route Rules are invalid, implementations MUST set the * "PartiallyInvalid" condition for the Route. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * + * * All filters are expected to be compatible with each other except for the * URLRewrite and RequestRedirect filters, which may not be combined. If an - * implementation cannot support other combinations of filters, they must clearly + * implementation can not support other combinations of filters, they must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. 
* + * * Support: Core */ filters: outputs.gateway.v1beta1.HTTPRouteSpecRulesFilters[]; @@ -46714,8 +38192,10 @@ export namespace gateway { * HTTP requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - path: 
@@ -46727,54 +38207,58 @@ export namespace gateway { * value: "/v2/foo" * ``` * + * * For a request to match against this rule, a request must satisfy * EITHER of the two conditions: * + * * - path prefixed with `/foo` AND contains the header `version: v2` * - path prefix of `/v2/foo` * + * * See the documentation for HTTPRouteMatch on how to specify multiple * match conditions that should be ANDed together. * + * * If no matches are specified, the default is a prefix * path match on "/", which has the effect of matching every * HTTP request. * + * * Proxy or Load Balancer routing configuration generated from HTTPRoutes * MUST prioritize matches based on the following criteria, continuing on * ties. Across all rules specified on applicable Routes, precedence must be * given to the match having: * + * * * "Exact" path match. * * "Prefix" path match with largest number of characters. * * Method match. * * Largest number of header matches. * * Largest number of query param matches. * + * * Note: The precedence of RegularExpression path matches are implementation-specific. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within an HTTPRoute, matching precedence MUST be granted * to the FIRST matching rule (in list order) with a match meeting the above * criteria. * + * * When no rules matching a request have been successfully attached to the * parent a request is coming from, a HTTP 404 status code MUST be returned. */ matches: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatches[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
- * - * Support: Extended - */ - name: string; - retry: outputs.gateway.v1beta1.HTTPRouteSpecRulesRetry; sessionPersistence: outputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistence; timeouts: outputs.gateway.v1beta1.HTTPRouteSpecRulesTimeouts; } @@ -46782,31 +38266,42 @@ export namespace gateway { /** * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ export interface HTTPRouteSpecRulesBackendRefs { /** * Filters defined at this level should be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in HTTPRouteRule.) */ 
@@ -46820,16 +38315,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -46841,11 +38340,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -46865,11 +38366,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -46884,9 +38387,7 @@ export namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ export interface HTTPRouteSpecRulesBackendRefsFilters { - cors: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersCors; extensionRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRef; - externalAuth: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuth; requestHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier; requestMirror: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirror; requestRedirect: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect; @@ -46895,14 +38396,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple 
@@ -46911,16 +38415,20 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -46929,426 +38437,16 @@ export namespace gateway { urlRewrite: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite; } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersCors { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). - * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials: boolean; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. 
- * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders: string[]; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. 
- * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods: string[]; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. 
- * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). - * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins: string[]; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. 
- * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders: string[]; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge: number; - } - - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersCorsPatch { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). 
- * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials: boolean; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. 
A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders: string[]; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. - * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. 
If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods: string[]; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. - * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). 
- * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins: string[]; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. - * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. 
- * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders: string[]; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge: number; - } - /** * ExtensionRef is an optional, implementation-specific extension to the * "filter" behavior. For example, resource "myroutefilter" in group * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ export interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRef { @@ -47373,8 +38471,10 @@ export namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ export interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch { 
@@ -47393,410 +38493,6 @@ export namespace gateway { name: string; } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuth { - backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef; - forwardBody: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody; - grpc: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc; - http: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol: string; - } - - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. 
- */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port: number; - } - - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. 
- * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. 
- */ - port: number; - } - - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize: number; - } - - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. 
- * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize: number; - } - - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders: string[]; - } - - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. 
- */ - allowedHeaders: string[]; - } - - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders: string[]; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders: string[]; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. 
- * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path: string; - } - - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders: string[]; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. 
- */ - allowedResponseHeaders: string[]; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path: string; - } - - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch { - backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch; - forwardBody: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch; - grpc: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch; - http: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. 
- * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol: string; - } - /** * HTTPRouteFilter defines processing steps that must be completed during the * request or response lifecycle. HTTPRouteFilters are meant as an extension @@ -47806,9 +38502,7 @@ export namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ export interface HTTPRouteSpecRulesBackendRefsFiltersPatch { - cors: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersCorsPatch; extensionRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch; - externalAuth: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch; requestHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch; requestMirror: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch; requestRedirect: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch; @@ -47817,14 +38511,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple 
@@ -47833,16 +38530,20 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -47855,6 +38556,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier { @@ -47863,15 +38565,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -47883,15 +38588,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar 
@@ -47901,15 +38609,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -47923,7 +38634,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -47944,7 +38656,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -47963,6 +38676,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch { @@ -47971,15 +38685,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz 
@@ -47991,15 +38708,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -48009,15 +38729,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -48031,7 +38754,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -48052,7 +38776,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -48072,49 +38797,47 @@ export namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirror { backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef; - fraction: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef { @@ -48127,16 +38850,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -48148,11 +38875,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -48169,26 +38898,32 @@ export namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch { @@ -48201,16 +38936,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; 
@@ -48222,11 +38961,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -48240,59 +38981,28 @@ export namespace gateway { port: number; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction { - denominator: number; - numerator: number; - } - - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch { - denominator: number; - numerator: number; - } - /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch { backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch; - fraction: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. 
* + * * Support: Core */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect { @@ -48301,6 +39011,7 @@ export namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname: string; @@ -48309,9 +39020,11 @@ export namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -48319,14 +39032,17 @@ export namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port: number; 
@@ -48334,29 +39050,36 @@ export namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme: string; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode: number; @@ -48366,6 +39089,7 @@ export namespace gateway { * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch { @@ -48374,6 +39098,7 @@ export namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname: string; @@ -48382,9 +39107,11 @@ export namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a 
@@ -48392,14 +39119,17 @@ export namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port: number; @@ -48407,29 +39137,36 @@ export namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme: string; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode: number; @@ -48440,6 +39177,7 @@ export namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath { 
@@ -48454,26 +39192,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -48486,6 +39241,7 @@ export namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch { 
@@ -48500,26 +39256,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -48531,6 +39304,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier { 
@@ -48539,15 +39313,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -48559,15 +39336,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -48577,15 +39357,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -48599,7 +39382,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -48620,7 +39404,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -48639,6 +39424,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch { @@ -48647,15 +39433,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -48667,15 +39456,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -48685,15 +39477,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -48707,7 +39502,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -48728,7 +39524,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -48746,6 +39543,7 @@ export namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite { @@ -48753,6 +39551,7 @@ export namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname: string; @@ -48762,6 +39561,7 @@ export namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch { @@ -48769,6 +39569,7 @@ export namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname: string; 
@@ -48778,6 +39579,7 @@ export namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath { @@ -48792,26 +39594,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -48822,6 +39641,7 @@ export namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch { @@ -48836,26 +39656,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -48866,31 +39703,42 @@ export namespace gateway { /** * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. * + * * Note that when a namespace different than the local namespace is specified, a * ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * * + * + * + * * When the BackendRef points to a Kubernetes Service, implementations SHOULD * honor the appProtocol field if it is set for the target Service Port. * + * * Implementations supporting appProtocol SHOULD recognize the Kubernetes * Standard Application Protocols defined in KEP-3726. * + * * If a Service appProtocol isn't specified, an implementation MAY infer the * backend protocol through its own means. Implementations MAY infer the * protocol from the Route type referring to the backend Service. * + * * If a Route is not able to send traffic to the backend using the specified * protocol then the backend is considered invalid. Implementations MUST set the * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + * + * + * */ export interface HTTPRouteSpecRulesBackendRefsPatch { /** * Filters defined at this level should be executed if and only if the * request is being forwarded to the backend defined here. * + * * Support: Implementation-specific (For broader support of filters, use the * Filters field in HTTPRouteRule.) */ 
@@ -48904,16 +39752,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -48925,11 +39777,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; @@ -48949,11 +39803,13 @@ export namespace gateway { * implementation supports. Weight is not a percentage and the sum of * weights does not need to equal 100. * + * * If only one backend is specified and it has a weight greater than 0, 100% * of the traffic is forwarded to that backend. If weight is set to 0, no * traffic should be forwarded for this entry. If unspecified, weight * defaults to 1. * + * * Support for this field varies based on the context where used. */ weight: number; 
@@ -48968,9 +39824,7 @@ export namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ export interface HTTPRouteSpecRulesFilters { - cors: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersCors; extensionRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExtensionRef; - externalAuth: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuth; requestHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifier; requestMirror: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirror; requestRedirect: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirect; @@ -48979,14 +39833,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple 
@@ -48995,16 +39852,20 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -49013,426 +39874,16 @@ export namespace gateway { urlRewrite: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewrite; } - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesFiltersCors { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). - * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials: boolean; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. 
- * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders: string[]; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. 
- * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods: string[]; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. 
- * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). - * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins: string[]; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. 
- * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders: string[]; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge: number; - } - - /** - * CORS defines a schema for a filter that responds to the - * cross-origin request based on HTTP response header. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesFiltersCorsPatch { - /** - * AllowCredentials indicates whether the actual cross-origin request allows - * to include credentials. - * - * When set to true, the gateway will include the `Access-Control-Allow-Credentials` - * response header with value true (case-sensitive). 
- * - * When set to false or omitted the gateway will omit the header - * `Access-Control-Allow-Credentials` entirely (this is the standard CORS - * behavior). - * - * Support: Extended - */ - allowCredentials: boolean; - /** - * AllowHeaders indicates which HTTP request headers are supported for - * accessing the requested resource. - * - * Header names are not case sensitive. - * - * Multiple header names in the value of the `Access-Control-Allow-Headers` - * response header are separated by a comma (","). - * - * When the `AllowHeaders` field is configured with one or more headers, the - * gateway must return the `Access-Control-Allow-Headers` response header - * which value is present in the `AllowHeaders` field. - * - * If any header name in the `Access-Control-Request-Headers` request header - * is not included in the list of header names specified by the response - * header `Access-Control-Allow-Headers`, it will present an error on the - * client side. - * - * If any header name in the `Access-Control-Allow-Headers` response header - * does not recognize by the client, it will also occur an error on the - * client side. - * - * A wildcard indicates that the requests with all HTTP headers are allowed. - * The `Access-Control-Allow-Headers` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowHeaders` field - * specified with the `*` wildcard, the gateway must specify one or more - * HTTP headers in the value of the `Access-Control-Allow-Headers` response - * header. The value of the header `Access-Control-Allow-Headers` is same as - * the `Access-Control-Request-Headers` header provided by the client. If - * the header `Access-Control-Request-Headers` is not included in the - * request, the gateway will omit the `Access-Control-Allow-Headers` - * response header, instead of specifying the `*` wildcard. 
A Gateway - * implementation may choose to add implementation-specific default headers. - * - * Support: Extended - */ - allowHeaders: string[]; - /** - * AllowMethods indicates which HTTP methods are supported for accessing the - * requested resource. - * - * Valid values are any method defined by RFC9110, along with the special - * value `*`, which represents all HTTP methods are allowed. - * - * Method names are case sensitive, so these values are also case-sensitive. - * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) - * - * Multiple method names in the value of the `Access-Control-Allow-Methods` - * response header are separated by a comma (","). - * - * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`. - * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The - * CORS-safelisted methods are always allowed, regardless of whether they - * are specified in the `AllowMethods` field. - * - * When the `AllowMethods` field is configured with one or more methods, the - * gateway must return the `Access-Control-Allow-Methods` response header - * which value is present in the `AllowMethods` field. - * - * If the HTTP method of the `Access-Control-Request-Method` request header - * is not included in the list of methods specified by the response header - * `Access-Control-Allow-Methods`, it will present an error on the client - * side. - * - * The `Access-Control-Allow-Methods` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowMethods` field - * specified with the `*` wildcard, the gateway must specify one HTTP method - * in the value of the Access-Control-Allow-Methods response header. The - * value of the header `Access-Control-Allow-Methods` is same as the - * `Access-Control-Request-Method` header provided by the client. 
If the - * header `Access-Control-Request-Method` is not included in the request, - * the gateway will omit the `Access-Control-Allow-Methods` response header, - * instead of specifying the `*` wildcard. A Gateway implementation may - * choose to add implementation-specific default methods. - * - * Support: Extended - */ - allowMethods: string[]; - /** - * AllowOrigins indicates whether the response can be shared with requested - * resource from the given `Origin`. - * - * The `Origin` consists of a scheme and a host, with an optional port, and - * takes the form `://(:)`. - * - * Valid values for scheme are: `http` and `https`. - * - * Valid values for port are any integer between 1 and 65535 (the list of - * available TCP/UDP ports). Note that, if not included, port `80` is - * assumed for `http` scheme origins, and port `443` is assumed for `https` - * origins. This may affect origin matching. - * - * The host part of the origin may contain the wildcard character `*`. These - * wildcard characters behave as follows: - * - * * `*` is a greedy match to the _left_, including any number of - * DNS labels to the left of its position. This also means that - * `*` will include any number of period `.` characters to the - * left of its position. - * * A wildcard by itself matches all hosts. - * - * An origin value that includes _only_ the `*` character indicates requests - * from all `Origin`s are allowed. - * - * When the `AllowOrigins` field is configured with multiple origins, it - * means the server supports clients from multiple origins. If the request - * `Origin` matches the configured allowed origins, the gateway must return - * the given `Origin` and sets value of the header - * `Access-Control-Allow-Origin` same as the `Origin` header provided by the - * client. - * - * The status code of a successful response to a "preflight" request is - * always an OK status (i.e., 204 or 200). 
- * - * If the request `Origin` does not match the configured allowed origins, - * the gateway returns 204/200 response but doesn't set the relevant - * cross-origin response headers. Alternatively, the gateway responds with - * 403 status to the "preflight" request is denied, coupled with omitting - * the CORS headers. The cross-origin request fails on the client side. - * Therefore, the client doesn't attempt the actual cross-origin request. - * - * The `Access-Control-Allow-Origin` response header can only use `*` - * wildcard as value when the `AllowCredentials` field is false or omitted. - * - * When the `AllowCredentials` field is true and `AllowOrigins` field - * specified with the `*` wildcard, the gateway must return a single origin - * in the value of the `Access-Control-Allow-Origin` response header, - * instead of specifying the `*` wildcard. The value of the header - * `Access-Control-Allow-Origin` is same as the `Origin` header provided by - * the client. - * - * Support: Extended - */ - allowOrigins: string[]; - /** - * ExposeHeaders indicates which HTTP response headers can be exposed - * to client-side scripts in response to a cross-origin request. - * - * A CORS-safelisted response header is an HTTP header in a CORS response - * that it is considered safe to expose to the client scripts. - * The CORS-safelisted response headers include the following headers: - * `Cache-Control` - * `Content-Language` - * `Content-Length` - * `Content-Type` - * `Expires` - * `Last-Modified` - * `Pragma` - * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) - * The CORS-safelisted response headers are exposed to client by default. - * - * When an HTTP header name is specified using the `ExposeHeaders` field, - * this additional header will be exposed as part of the response to the - * client. - * - * Header names are not case sensitive. 
- * - * Multiple header names in the value of the `Access-Control-Expose-Headers` - * response header are separated by a comma (","). - * - * A wildcard indicates that the responses with all HTTP headers are exposed - * to clients. The `Access-Control-Expose-Headers` response header can only - * use `*` wildcard as value when the `AllowCredentials` field is false or omitted. - * - * Support: Extended - */ - exposeHeaders: string[]; - /** - * MaxAge indicates the duration (in seconds) for the client to cache the - * results of a "preflight" request. - * - * The information provided by the `Access-Control-Allow-Methods` and - * `Access-Control-Allow-Headers` response headers can be cached by the - * client until the time specified by `Access-Control-Max-Age` elapses. - * - * The default value of `Access-Control-Max-Age` response header is 5 - * (seconds). - */ - maxAge: number; - } - /** * ExtensionRef is an optional, implementation-specific extension to the * "filter" behavior. For example, resource "myroutefilter" in group * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ export interface HTTPRouteSpecRulesFiltersExtensionRef { @@ -49457,8 +39908,10 @@ export namespace gateway { * "networking.example.net"). ExtensionRef MUST NOT be used for core and * extended filters. * + * * This filter can be used multiple times within the same rule. * + * * Support: Implementation-specific */ export interface HTTPRouteSpecRulesFiltersExtensionRefPatch { 
@@ -49477,410 +39930,6 @@ export namespace gateway { name: string; } - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesFiltersExternalAuth { - backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthBackendRef; - forwardBody: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthForwardBody; - grpc: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthGrpc; - http: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthHttp; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol: string; - } - - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. - * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. 
- */ - export interface HTTPRouteSpecRulesFiltersExternalAuthBackendRef { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. - */ - port: number; - } - - /** - * BackendRef is a reference to a backend to send authorization - * requests to. - * - * The backend must speak the selected protocol (GRPC or HTTP) on the - * referenced port. 
- * - * If the backend service requires TLS, use BackendTLSPolicy to tell the - * implementation to supply the TLS details to be used to connect to that - * backend. - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch { - /** - * Group is the group of the referent. For example, "gateway.networking.k8s.io". - * When unspecified or empty string, core API group is inferred. - */ - group: string; - /** - * Kind is the Kubernetes resource kind of the referent. For example - * "Service". - * - * Defaults to "Service" when not specified. - * - * ExternalName services can refer to CNAME DNS records that may live - * outside of the cluster and as such are difficult to reason about in - * terms of conformance. They also may not be safe to forward to (see - * CVE-2021-25740 for more information). Implementations SHOULD NOT - * support ExternalName Services. - * - * Support: Core (Services with a type other than ExternalName) - * - * Support: Implementation-specific (Services with type ExternalName) - */ - kind: string; - /** - * Name is the name of the referent. - */ - name: string; - /** - * Namespace is the namespace of the backend. When unspecified, the local - * namespace is inferred. - * - * Note that when a namespace different than the local namespace is specified, - * a ReferenceGrant object is required in the referent namespace to allow that - * namespace's owner to accept the reference. See the ReferenceGrant - * documentation for details. - * - * Support: Core - */ - namespace: string; - /** - * Port specifies the destination port number to use for this resource. - * Port is required when the referent is a Kubernetes Service. In this - * case, the port number is the service port number, not the target port. - * For other resources, destination port might be derived from the referent - * resource or this field. 
- */ - port: number; - } - - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. - * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthForwardBody { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize: number; - } - - /** - * ForwardBody controls if requests to the authorization server should include - * the body of the client request; and if so, how big that body is allowed - * to be. - * - * It is expected that implementations will buffer the request body up to - * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a - * 4xx series error (413 or 403 are common examples), and fail processing - * of the filter. - * - * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not - * be forwarded. 
- * - * Feature Name: HTTPRouteExternalAuthForwardBody - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch { - /** - * MaxSize specifies how large in bytes the largest body that will be buffered - * and sent to the authorization server. If the body size is larger than - * `maxSize`, then the body sent to the authorization server must be - * truncated to `maxSize` bytes. - * - * Experimental note: This behavior needs to be checked against - * various dataplanes; it may need to be changed. - * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 - * for more. - * - * If 0, the body will not be sent to the authorization server. - */ - maxSize: number; - } - - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthGrpc { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders: string[]; - } - - /** - * GRPCAuthConfig contains configuration for communication with ext_authz - * protocol-speaking backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch { - /** - * AllowedRequestHeaders specifies what headers from the client request - * will be sent to the authorization server. - * - * If this list is empty, then all headers must be sent. - * - * If the list has entries, only those entries must be sent. - */ - allowedHeaders: string[]; - } - - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. 
- * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthHttp { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders: string[]; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders: string[]; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. - * Even with the validation, implementations MUST sanitize this input before using it - * directly. 
- */ - path: string; - } - - /** - * HTTPAuthConfig contains configuration for communication with HTTP-speaking - * backends. - * - * If unset, implementations must assume the default behavior for each - * included field is intended. - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthHttpPatch { - /** - * AllowedRequestHeaders specifies what additional headers from the client request - * will be sent to the authorization server. - * - * The following headers must always be sent to the authorization server, - * regardless of this setting: - * - * * `Host` - * * `Method` - * * `Path` - * * `Content-Length` - * * `Authorization` - * - * If this list is empty, then only those headers must be sent. - * - * Note that `Content-Length` has a special behavior, in that the length - * sent must be correct for the actual request to the external authorization - * server - that is, it must reflect the actual number of bytes sent in the - * body of the request to the authorization server. - * - * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set - * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set - * to anything other than `0`, then the `Content-Length` of the authorization - * request must be set to the actual number of bytes forwarded. - */ - allowedHeaders: string[]; - /** - * AllowedResponseHeaders specifies what headers from the authorization response - * will be copied into the request to the backend. - * - * If this list is empty, then all headers from the authorization server - * except Authority or Host must be copied. - */ - allowedResponseHeaders: string[]; - /** - * Path sets the prefix that paths from the client request will have added - * when forwarded to the authorization server. - * - * When empty or unspecified, no prefix is added. - * - * Valid values are the same as the "value" regex for path values in the `match` - * stanza, and the validation regex will screen out invalid paths in the same way. 
- * Even with the validation, implementations MUST sanitize this input before using it - * directly. - */ - path: string; - } - - /** - * ExternalAuth configures settings related to sending request details - * to an external auth service. The external service MUST authenticate - * the request, and MAY authorize the request as well. - * - * If there is any problem communicating with the external service, - * this filter MUST fail closed. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesFiltersExternalAuthPatch { - backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch; - forwardBody: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch; - grpc: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch; - http: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthHttpPatch; - /** - * ExternalAuthProtocol describes which protocol to use when communicating with an - * ext_authz authorization server. - * - * When this is set to GRPC, each backend must use the Envoy ext_authz protocol - * on the port specified in `backendRefs`. Requests and responses are defined - * in the protobufs explained at: - * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto - * - * When this is set to HTTP, each backend must respond with a `200` status - * code in on a successful authorization. Any other code is considered - * an authorization failure. - * - * Feature Names: - * GRPC Support - HTTPRouteExternalAuthGRPC - * HTTP Support - HTTPRouteExternalAuthHTTP - */ - protocol: string; - } - /** * HTTPRouteFilter defines processing steps that must be completed during the * request or response lifecycle. HTTPRouteFilters are meant as an extension 
@@ -49890,9 +39939,7 @@ export namespace gateway { * guarantee/conformance is defined based on the type of the filter. */ export interface HTTPRouteSpecRulesFiltersPatch { - cors: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersCorsPatch; extensionRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExtensionRefPatch; - externalAuth: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthPatch; requestHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch; requestMirror: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorPatch; requestRedirect: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirectPatch; @@ -49901,14 +39948,17 @@ export namespace gateway { * Type identifies the type of filter to apply. As with other API fields, * types are classified into three conformance levels: * + * * - Core: Filter types and their corresponding configuration defined by * "Support: Core" in this package, e.g. "RequestHeaderModifier". All * implementations must support core filters. * + * * - Extended: Filter types and their corresponding configuration defined by * "Support: Extended" in this package, e.g. "RequestMirror". Implementers * are encouraged to support extended filters. * + * * - Implementation-specific: Filters that are defined and supported by * specific vendors. * In the future, filters showing convergence in behavior across multiple 
@@ -49917,16 +39967,20 @@ export namespace gateway { * is specified using the ExtensionRef field. `Type` should be set to * "ExtensionRef" for custom filters. * + * * Implementers are encouraged to define custom implementation types to * extend the core API with implementation-specific behavior. * + * * If a reference to a custom filter type cannot be resolved, the filter * MUST NOT be skipped. Instead, requests that would have been processed by * that filter MUST receive a HTTP error response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -49939,6 +39993,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface HTTPRouteSpecRulesFiltersRequestHeaderModifier { @@ -49947,15 +40002,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -49967,15 +40025,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -49985,15 +40046,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar 
@@ -50007,7 +40071,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -50028,7 +40093,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -50047,6 +40113,7 @@ export namespace gateway { * RequestHeaderModifier defines a schema for a filter that modifies request * headers. * + * * Support: Core */ export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch { @@ -50055,15 +40122,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -50075,15 +40145,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar 
@@ -50093,15 +40166,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -50115,7 +40191,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -50136,7 +40213,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -50156,49 +40234,47 @@ export namespace gateway { * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersRequestMirror { backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRef; - fraction: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorFraction; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. 
* + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRef { @@ -50211,16 +40287,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; @@ -50232,11 +40312,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -50253,26 +40335,32 @@ export namespace gateway { /** * BackendRef references a resource where mirrored requests are sent. * + * * Mirrored requests must be sent only to a single destination endpoint * within this BackendRef, irrespective of how many endpoints are present * within this BackendRef. * + * * If the referent cannot be found, this BackendRef is invalid and must be * dropped from the Gateway. The controller must ensure the "ResolvedRefs" * condition on the Route status is set to `status: False` and not configure * this backend in the underlying implementation. * + * * If there is a cross-namespace reference to an *existing* object * that is not allowed by a ReferenceGrant, the controller must ensure the * "ResolvedRefs" condition on the Route is set to `status: False`, * with the "RefNotPermitted" reason and not configure this backend in the * underlying implementation. * + * * In either error case, the Message of the `ResolvedRefs` Condition * should be used to provide more detail about the problem. * + * * Support: Extended for Kubernetes Service * + * * Support: Implementation-specific for any other resource */ export interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch { @@ -50285,16 +40373,20 @@ export namespace gateway { * Kind is the Kubernetes resource kind of the referent. For example * "Service". * + * * Defaults to "Service" when not specified. * + * * ExternalName services can refer to CNAME DNS records that may live * outside of the cluster and as such are difficult to reason about in * terms of conformance. They also may not be safe to forward to (see * CVE-2021-25740 for more information). Implementations SHOULD NOT * support ExternalName Services. * + * * Support: Core (Services with a type other than ExternalName) * + * * Support: Implementation-specific (Services with type ExternalName) */ kind: string; 
@@ -50306,11 +40398,13 @@ export namespace gateway { * Namespace is the namespace of the backend. When unspecified, the local * namespace is inferred. * + * * Note that when a namespace different than the local namespace is specified, * a ReferenceGrant object is required in the referent namespace to allow that * namespace's owner to accept the reference. See the ReferenceGrant * documentation for details. * + * * Support: Core */ namespace: string; 
@@ -50324,59 +40418,28 @@ export namespace gateway { port: number; } - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface HTTPRouteSpecRulesFiltersRequestMirrorFraction { - denominator: number; - numerator: number; - } - - /** - * Fraction represents the fraction of requests that should be - * mirrored to BackendRef. - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - export interface HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch { - denominator: number; - numerator: number; - } - /** * RequestMirror defines a schema for a filter that mirrors requests. * Requests are sent to the specified destination, but responses from * that destination are ignored. * + * * This filter can be used multiple times within the same rule. Note that * not all implementations will be able to support mirroring to multiple * backends. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersRequestMirrorPatch { backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch; - fraction: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch; - /** - * Percent represents the percentage of requests that should be - * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of - * requests) and its maximum value is 100 (indicating 100% of requests). - * - * Only one of Fraction or Percent may be specified. If neither field - * is specified, 100% of requests will be mirrored. - */ - percent: number; } /** * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ export interface HTTPRouteSpecRulesFiltersRequestRedirect { 
@@ -50385,6 +40448,7 @@ export namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname: string; @@ -50393,9 +40457,11 @@ export namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a @@ -50403,14 +40469,17 @@ export namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port: number; 
@@ -50418,29 +40487,36 @@ export namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme: string; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode: number; @@ -50450,6 +40526,7 @@ export namespace gateway { * RequestRedirect defines a schema for a filter that responds to the * request with an HTTP redirection. * + * * Support: Core */ export interface HTTPRouteSpecRulesFiltersRequestRedirectPatch { @@ -50458,6 +40535,7 @@ export namespace gateway { * header in the response. * When empty, the hostname in the `Host` header of the request is used. * + * * Support: Core */ hostname: string; @@ -50466,9 +40544,11 @@ export namespace gateway { * Port is the port to be used in the value of the `Location` * header in the response. * + * * If no port is specified, the redirect port MUST be derived using the * following rules: * + * * * If redirect scheme is not-empty, the redirect port MUST be the well-known * port associated with the redirect scheme. Specifically "http" to port 80 * and "https" to port 443. If the redirect scheme does not have a 
@@ -50476,14 +40556,17 @@ export namespace gateway { * * If redirect scheme is empty, the redirect port MUST be the Gateway * Listener port. * + * * Implementations SHOULD NOT add the port number in the 'Location' * header in the following cases: * + * * * A Location header that will use HTTP (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 80. * * A Location header that will use HTTPS (whether that is determined via * the Listener protocol or the Scheme field) _and_ use port 443. * + * * Support: Extended */ port: number; @@ -50491,29 +40574,36 @@ export namespace gateway { * Scheme is the scheme to be used in the value of the `Location` header in * the response. When empty, the scheme of the request is used. * + * * Scheme redirects can affect the port of the redirect, for more information, * refer to the documentation for the port field of this filter. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Extended */ scheme: string; /** * StatusCode is the HTTP status code to be used in response. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. * + * * Support: Core */ statusCode: number; @@ -50524,6 +40614,7 @@ export namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersRequestRedirectPath { 
@@ -50538,26 +40629,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -50570,6 +40678,7 @@ export namespace gateway { * The modified path is then used to construct the `Location` header. When * empty, the request path is used as-is. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersRequestRedirectPathPatch { 
@@ -50584,26 +40693,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -50615,6 +40741,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersResponseHeaderModifier { 
@@ -50623,15 +40750,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -50643,15 +40773,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -50661,15 +40794,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -50683,7 +40819,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -50704,7 +40841,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -50723,6 +40861,7 @@ export namespace gateway { * ResponseHeaderModifier defines a schema for a filter that modifies response * headers. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch { @@ -50731,15 +40870,18 @@ export namespace gateway { * before the action. It appends to any existing values associated * with the header name. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * add: * - name: "my-header" * value: "bar,baz" * + * * Output: * GET /foo HTTP/1.1 * my-header: foo,bar,baz @@ -50751,15 +40893,18 @@ export namespace gateway { * names are case-insensitive (see * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). * + * * Input: * GET /foo HTTP/1.1 * my-header1: foo * my-header2: bar * my-header3: baz * + * * Config: * remove: ["my-header1", "my-header3"] * + * * Output: * GET /foo HTTP/1.1 * my-header2: bar @@ -50769,15 +40914,18 @@ export namespace gateway { * Set overwrites the request with the given header (name, value) * before the action. * + * * Input: * GET /foo HTTP/1.1 * my-header: foo * + * * Config: * set: * - name: "my-header" * value: "bar" * + * * Output: * GET /foo HTTP/1.1 * my-header: bar @@ -50791,7 +40939,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSet { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries 
@@ -50812,7 +40961,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, the first entry with * an equivalent name MUST be considered for a match. Subsequent entries @@ -50830,6 +40980,7 @@ export namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersUrlRewrite { @@ -50837,6 +40988,7 @@ export namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname: string; @@ -50846,6 +40998,7 @@ export namespace gateway { /** * URLRewrite defines a schema for a filter that modifies a request during forwarding. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersUrlRewritePatch { @@ -50853,6 +41006,7 @@ export namespace gateway { * Hostname is the value to be used to replace the Host header value during * forwarding. * + * * Support: Extended */ hostname: string; @@ -50862,6 +41016,7 @@ export namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersUrlRewritePath { 
@@ -50876,26 +41031,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. @@ -50906,6 +41078,7 @@ export namespace gateway { /** * Path defines a path rewrite. * + * * Support: Extended */ export interface HTTPRouteSpecRulesFiltersUrlRewritePathPatch { 
@@ -50920,26 +41093,43 @@ export namespace gateway { * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch * of "/xyz" would be modified to "/xyz/bar". * + * * Note that this matches the behavior of the PathPrefix match type. This * matches full path elements. A path element refers to the list of labels * in the path split by the `/` separator. When specified, a trailing `/` is * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all * match the prefix `/abc`, but the path `/abcd` would not. * + * * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in * the implementation setting the Accepted Condition for the Route to `status: False`. * + * * Request Path | Prefix Match | Replace Prefix | Modified Path + * -------------|--------------|----------------|---------- + * /foo/bar | /foo | /xyz | /xyz/bar + * /foo/bar | /foo | /xyz/ | /xyz/bar + * /foo/bar | /foo/ | /xyz | /xyz/bar + * /foo/bar | /foo/ | /xyz/ | /xyz/bar + * /foo | /foo | /xyz | /xyz + * /foo/ | /foo | /xyz | /xyz/ + * /foo/bar | /foo | | /bar + * /foo/ | /foo | | / + * /foo | /foo | | / + * /foo/ | /foo | / | / + * /foo | /foo | / | / */ replacePrefixMatch: string; /** * Type defines the type of path modifier. Additional types may be * added in a future release of the API. * + * * Note that values may be added to this enum, implementations * must ensure that unknown values will not cause a crash. * + * * Unknown values here must result in the implementation setting the * Accepted Condition for the Route to `status: False`, with a * Reason of `UnsupportedValue`. 
@@ -50952,18 +41142,22 @@ export namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a HTTP request only if its path * starts with `/foo` AND it contains the `version: v1` header: * + * * ``` * match: * + * * path: * value: "/foo" * headers: * - name: "version" * value "v1" * + * * ``` */ export interface HTTPRouteSpecRulesMatches { @@ -50978,6 +41172,7 @@ export namespace gateway { * When specified, this route will be matched only if the request has the * specified method. * + * * Support: Extended */ method: string; @@ -50987,6 +41182,7 @@ export namespace gateway { * values are ANDed together, meaning, a request must match all the * specified query parameters to select the route. * + * * Support: Extended */ queryParams: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesQueryParams[]; @@ -50999,7 +41195,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesMatchesHeaders { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent @@ -51007,6 +41204,7 @@ export namespace gateway { * case-insensitivity of header names, "foo" and "Foo" are considered * equivalent. * + * * When a header is repeated in an HTTP request, it is * implementation-specific behavior as to how this is represented. * Generally, proxies should follow the guidance from the RFC: 
@@ -51017,10 +41215,13 @@ export namespace gateway { /** * Type specifies how to match against the value of the header. * + * * Support: Core (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression HeaderMatchType has implementation-specific * conformance, implementations can support POSIX, PCRE or any other dialects * of regular expressions. Please read the implementation's documentation to @@ -51040,7 +41241,8 @@ export namespace gateway { export interface HTTPRouteSpecRulesMatchesHeadersPatch { /** * Name is the name of the HTTP Header to be matched. Name matching MUST be - * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + * * * If multiple entries specify equivalent header names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent @@ -51048,6 +41250,7 @@ export namespace gateway { * case-insensitivity of header names, "foo" and "Foo" are considered * equivalent. * + * * When a header is repeated in an HTTP request, it is * implementation-specific behavior as to how this is represented. * Generally, proxies should follow the guidance from the RFC: @@ -51058,10 +41261,13 @@ export namespace gateway { /** * Type specifies how to match against the value of the header. * + * * Support: Core (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression HeaderMatchType has implementation-specific * conformance, implementations can support POSIX, PCRE or any other dialects * of regular expressions. Please read the implementation's documentation to 
@@ -51079,18 +41285,22 @@ export namespace gateway { * action. Multiple match types are ANDed together, i.e. the match will * evaluate to true only if all conditions are satisfied. * + * * For example, the match below will match a HTTP request only if its path * starts with `/foo` AND it contains the `version: v1` header: * + * * ``` * match: * + * * path: * value: "/foo" * headers: * - name: "version" * value "v1" * + * * ``` */ export interface HTTPRouteSpecRulesMatchesPatch { @@ -51105,6 +41315,7 @@ export namespace gateway { * When specified, this route will be matched only if the request has the * specified method. * + * * Support: Extended */ method: string; @@ -51114,6 +41325,7 @@ export namespace gateway { * values are ANDed together, meaning, a request must match all the * specified query parameters to select the route. * + * * Support: Extended */ queryParams: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesQueryParamsPatch[]; @@ -51127,8 +41339,10 @@ export namespace gateway { /** * Type specifies how to match against the path Value. * + * * Support: Core (Exact, PathPrefix) * + * * Support: Implementation-specific (RegularExpression) */ type: string; @@ -51146,8 +41360,10 @@ export namespace gateway { /** * Type specifies how to match against the path Value. * + * * Support: Core (Exact, PathPrefix) * + * * Support: Implementation-specific (RegularExpression) */ type: string; @@ -51167,10 +41383,12 @@ export namespace gateway { * exact string match. (See * https://tools.ietf.org/html/rfc7230#section-2.7.3). * + * * If multiple entries specify equivalent query param names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent query param name MUST be ignored. * + * * If a query param is repeated in an HTTP request, the behavior is * purposely left undefined, since different data planes have different * capabilities. However, it is *recommended* that implementations should 
@@ -51178,6 +41396,7 @@ export namespace gateway { * as this behavior is expected in other load balancing contexts outside of * the Gateway API. * + * * Users SHOULD NOT route traffic based on repeated query params to guard * themselves against potential differences in the implementations. */ @@ -51185,10 +41404,13 @@ export namespace gateway { /** * Type specifies how to match against the value of the query parameter. * + * * Support: Extended (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression QueryParamMatchType has Implementation-specific * conformance, implementations can support POSIX, PCRE or any other * dialects of regular expressions. Please read the implementation's @@ -51211,10 +41433,12 @@ export namespace gateway { * exact string match. (See * https://tools.ietf.org/html/rfc7230#section-2.7.3). * + * * If multiple entries specify equivalent query param names, only the first * entry with an equivalent name MUST be considered for a match. Subsequent * entries with an equivalent query param name MUST be ignored. * + * * If a query param is repeated in an HTTP request, the behavior is * purposely left undefined, since different data planes have different * capabilities. However, it is *recommended* that implementations should @@ -51222,6 +41446,7 @@ export namespace gateway { * as this behavior is expected in other load balancing contexts outside of * the Gateway API. * + * * Users SHOULD NOT route traffic based on repeated query params to guard * themselves against potential differences in the implementations. */ 
@@ -51229,10 +41454,13 @@ export namespace gateway { /** * Type specifies how to match against the value of the query parameter. * + * * Support: Extended (Exact) * + * * Support: Implementation-specific (RegularExpression) * + * * Since RegularExpression QueryParamMatchType has Implementation-specific * conformance, implementations can support POSIX, PCRE or any other * dialects of regular expressions. Please read the implementation's 
@@ -51255,37 +41483,41 @@ export namespace gateway { * BackendRefs defines the backend(s) where matching requests should be * sent. * + * * Failure behavior here depends on how many BackendRefs are specified and * how many are invalid. * + * * If *all* entries in BackendRefs are invalid, and there are also no filters * specified in this route rule, *all* traffic which matches this rule MUST * receive a 500 status code. * + * * See the HTTPBackendRef definition for the rules about what makes a single * HTTPBackendRef invalid. * + * * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for * requests that would have otherwise been routed to an invalid backend. If * multiple backends are specified, and some are invalid, the proportion of * requests that would otherwise have been routed to an invalid backend * MUST receive a 500 status code. * + * * For example, if two backends are specified with equal weights, and one is * invalid, 50 percent of traffic must receive a 500. Implementations may * choose how that 50 percent is determined. * - * When a HTTPBackendRef refers to a Service that has no ready endpoints, - * implementations SHOULD return a 503 for requests to that backend instead. - * If an implementation chooses to do this, all of the above rules for 500 responses - * MUST also apply for responses that return a 503. * * Support: Core for Kubernetes Service * + * * Support: Extended for Kubernetes ServiceImport * + * * Support: Implementation-specific for any other resource * + * * Support for weight: Core */ backendRefs: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsPatch[]; 
@@ -51293,38 +41525,46 @@ export namespace gateway { * Filters define the filters that are applied to requests that match * this rule. * + * * Wherever possible, implementations SHOULD implement filters in the order * they are specified. * + * * Implementations MAY choose to implement this ordering strictly, rejecting - * any combination or order of filters that cannot be supported. If implementations + * any combination or order of filters that can not be supported. If implementations * choose a strict interpretation of filter ordering, they MUST clearly document * that behavior. * + * * To reject an invalid combination or order of filters, implementations SHOULD * consider the Route Rules with this configuration invalid. If all Route Rules * in a Route are invalid, the entire Route would be considered invalid. If only * a portion of Route Rules are invalid, implementations MUST set the * "PartiallyInvalid" condition for the Route. * + * * Conformance-levels at this level are defined based on the type of filter: * + * * - ALL core filters MUST be supported by all implementations. * - Implementers are encouraged to support extended filters. * - Implementation-specific custom filters have no API guarantees across * implementations. * + * * Specifying the same filter multiple times is not supported unless explicitly * indicated in the filter. * + * * All filters are expected to be compatible with each other except for the * URLRewrite and RequestRedirect filters, which may not be combined. If an - * implementation cannot support other combinations of filters, they must clearly + * implementation can not support other combinations of filters, they must clearly * document that limitation. In cases where incompatible or unsupported * filters are specified and cause the `Accepted` condition to be set to status * `False`, implementations may use the `IncompatibleFilters` reason to specify * this configuration error. 
* + * * Support: Core */ filters: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersPatch[]; @@ -51333,8 +41573,10 @@ export namespace gateway { * HTTP requests. Each match is independent, i.e. this rule will be matched * if **any** one of the matches is satisfied. * + * * For example, take the following matches configuration: * + * * ``` * matches: * - path: 
@@ -51346,196 +41588,67 @@ export namespace gateway { * value: "/v2/foo" * ``` * + * * For a request to match against this rule, a request must satisfy * EITHER of the two conditions: * + * * - path prefixed with `/foo` AND contains the header `version: v2` * - path prefix of `/v2/foo` * + * * See the documentation for HTTPRouteMatch on how to specify multiple * match conditions that should be ANDed together. * + * * If no matches are specified, the default is a prefix * path match on "/", which has the effect of matching every * HTTP request. * + * * Proxy or Load Balancer routing configuration generated from HTTPRoutes * MUST prioritize matches based on the following criteria, continuing on * ties. Across all rules specified on applicable Routes, precedence must be * given to the match having: * + * * * "Exact" path match. * * "Prefix" path match with largest number of characters. * * Method match. * * Largest number of header matches. * * Largest number of query param matches. * + * * Note: The precedence of RegularExpression path matches are implementation-specific. * + * * If ties still exist across multiple Routes, matching precedence MUST be * determined in order of the following criteria, continuing on ties: * + * * * The oldest Route based on creation timestamp. * * The Route appearing first in alphabetical order by * "{namespace}/{name}". * + * * If ties still exist within an HTTPRoute, matching precedence MUST be granted * to the FIRST matching rule (in list order) with a match meeting the above * criteria. * + * * When no rules matching a request have been successfully attached to the * parent a request is coming from, a HTTP 404 status code MUST be returned. */ matches: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesPatch[]; - /** - * Name is the name of the route rule. This name MUST be unique within a Route if it is set. 
- * - * Support: Extended - */ - name: string; - retry: outputs.gateway.v1beta1.HTTPRouteSpecRulesRetryPatch; sessionPersistence: outputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistencePatch; timeouts: outputs.gateway.v1beta1.HTTPRouteSpecRulesTimeoutsPatch; } - /** - * Retry defines the configuration for when to retry an HTTP request. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesRetry { - /** - * Attempts specifies the maximum number of times an individual request - * from the gateway to a backend should be retried. - * - * If the maximum number of retries has been attempted without a successful - * response from the backend, the Gateway MUST return an error. - * - * When this field is unspecified, the number of times to attempt to retry - * a backend request is implementation-specific. - * - * Support: Extended - */ - attempts: number; - /** - * Backoff specifies the minimum duration a Gateway should wait between - * retry attempts and is represented in Gateway API Duration formatting. - * - * For example, setting the `rules[].retry.backoff` field to the value - * `100ms` will cause a backend request to first be retried approximately - * 100 milliseconds after timing out or receiving a response code configured - * to be retryable. - * - * An implementation MAY use an exponential or alternative backoff strategy - * for subsequent retry attempts, MAY cap the maximum backoff duration to - * some amount greater than the specified minimum, and MAY add arbitrary - * jitter to stagger requests, as long as unsuccessful backend requests are - * not retried before the configured minimum duration. - * - * If a Request timeout (`rules[].timeouts.request`) is configured on the - * route, the entire duration of the initial request and any retry attempts - * MUST not exceed the Request timeout duration. 
If any retry attempts are - * still in progress when the Request timeout duration has been reached, - * these SHOULD be canceled if possible and the Gateway MUST immediately - * return a timeout error. - * - * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - * configured on the route, any retry attempts which reach the configured - * BackendRequest timeout duration without a response SHOULD be canceled if - * possible and the Gateway should wait for at least the specified backoff - * duration before attempting to retry the backend request again. - * - * If a BackendRequest timeout is _not_ configured on the route, retry - * attempts MAY time out after an implementation default duration, or MAY - * remain pending until a configured Request timeout or implementation - * default duration for total request time is reached. - * - * When this field is unspecified, the time to wait between retry attempts - * is implementation-specific. - * - * Support: Extended - */ - backoff: string; - /** - * Codes defines the HTTP response status codes for which a backend request - * should be retried. - * - * Support: Extended - */ - codes: number[]; - } - - /** - * Retry defines the configuration for when to retry an HTTP request. - * - * Support: Extended - */ - export interface HTTPRouteSpecRulesRetryPatch { - /** - * Attempts specifies the maximum number of times an individual request - * from the gateway to a backend should be retried. - * - * If the maximum number of retries has been attempted without a successful - * response from the backend, the Gateway MUST return an error. - * - * When this field is unspecified, the number of times to attempt to retry - * a backend request is implementation-specific. - * - * Support: Extended - */ - attempts: number; - /** - * Backoff specifies the minimum duration a Gateway should wait between - * retry attempts and is represented in Gateway API Duration formatting. 
- * - * For example, setting the `rules[].retry.backoff` field to the value - * `100ms` will cause a backend request to first be retried approximately - * 100 milliseconds after timing out or receiving a response code configured - * to be retryable. - * - * An implementation MAY use an exponential or alternative backoff strategy - * for subsequent retry attempts, MAY cap the maximum backoff duration to - * some amount greater than the specified minimum, and MAY add arbitrary - * jitter to stagger requests, as long as unsuccessful backend requests are - * not retried before the configured minimum duration. - * - * If a Request timeout (`rules[].timeouts.request`) is configured on the - * route, the entire duration of the initial request and any retry attempts - * MUST not exceed the Request timeout duration. If any retry attempts are - * still in progress when the Request timeout duration has been reached, - * these SHOULD be canceled if possible and the Gateway MUST immediately - * return a timeout error. - * - * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is - * configured on the route, any retry attempts which reach the configured - * BackendRequest timeout duration without a response SHOULD be canceled if - * possible and the Gateway should wait for at least the specified backoff - * duration before attempting to retry the backend request again. - * - * If a BackendRequest timeout is _not_ configured on the route, retry - * attempts MAY time out after an implementation default duration, or MAY - * remain pending until a configured Request timeout or implementation - * default duration for total request time is reached. - * - * When this field is unspecified, the time to wait between retry attempts - * is implementation-specific. - * - * Support: Extended - */ - backoff: string; - /** - * Codes defines the HTTP response status codes for which a backend request - * should be retried. 
- * - * Support: Extended - */ - codes: number[]; - } - /** * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ export interface HTTPRouteSpecRulesSessionPersistence { @@ -51544,6 +41657,7 @@ export namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout: string; @@ -51553,6 +41667,7 @@ export namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout: string; @@ -51562,6 +41677,7 @@ export namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName: string; @@ -51570,8 +41686,10 @@ export namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type: string; @@ -51581,6 +41699,7 @@ export namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ export interface HTTPRouteSpecRulesSessionPersistenceCookieConfig { @@ -51591,18 +41710,20 @@ export namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType: string; 
@@ -51612,6 +41733,7 @@ export namespace gateway { * CookieConfig provides configuration settings that are specific * to cookie-based session persistence. * + * * Support: Core */ export interface HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch { @@ -51622,18 +41744,20 @@ export namespace gateway { * attributes, while a session cookie is deleted when the current * session ends. * + * * When set to "Permanent", AbsoluteTimeout indicates the * cookie's lifetime via the Expires or Max-Age cookie attributes * and is required. * + * * When set to "Session", AbsoluteTimeout indicates the * absolute lifetime of the cookie tracked by the gateway and * is optional. * - * Defaults to "Session". * * Support: Core for "Session" type * + * * Support: Extended for "Permanent" type */ lifetimeType: string; @@ -51643,6 +41767,7 @@ export namespace gateway { * SessionPersistence defines and configures session persistence * for the route rule. * + * * Support: Extended */ export interface HTTPRouteSpecRulesSessionPersistencePatch { @@ -51651,6 +41776,7 @@ export namespace gateway { * session. Once the AbsoluteTimeout duration has elapsed, the * session becomes invalid. * + * * Support: Extended */ absoluteTimeout: string; @@ -51660,6 +41786,7 @@ export namespace gateway { * Once the session has been idle for more than the specified * IdleTimeout duration, the session becomes invalid. * + * * Support: Extended */ idleTimeout: string; @@ -51669,6 +41796,7 @@ export namespace gateway { * should avoid reusing session names to prevent unintended * consequences, such as rejection or unpredictable behavior. * + * * Support: Implementation-specific */ sessionName: string; @@ -51677,8 +41805,10 @@ export namespace gateway { * the use a header or cookie. Defaults to cookie based session * persistence. * + * * Support: Core for "Cookie" type * + * * Support: Extended for "Header" type */ type: string; 
@@ -51687,6 +41817,7 @@ export namespace gateway { /** * Timeouts defines the timeouts that can be configured for an HTTP request. * + * * Support: Extended */ export interface HTTPRouteSpecRulesTimeouts { @@ -51695,19 +41826,21 @@ export namespace gateway { * to a backend. This covers the time from when the request first starts being * sent from the gateway to when the full response has been received from the backend. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * An entire client HTTP transaction with a gateway, covered by the Request timeout, * may result in more than one call from the gateway to the destination backend, * for example, if automatic retries are supported. * - * The value of BackendRequest must be a Gateway API Duration string as defined by - * GEP-2257. When this field is unspecified, its behavior is implementation-specific; - * when specified, the value of BackendRequest must be no more than the value of the - * Request timeout (since the Request timeout encompasses the BackendRequest timeout). + * + * Because the Request timeout encompasses the BackendRequest timeout, the value of + * BackendRequest must be <= the value of Request timeout. + * * * Support: Extended */ 
@@ -51717,22 +41850,26 @@ export namespace gateway { * If the gateway has not been able to respond before this deadline is met, the gateway * MUST return a timeout error. * + * * For example, setting the `rules.timeouts.request` field to the value `10s` in an * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds * to complete. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * This timeout is intended to cover as close to the whole request-response transaction * as possible although an implementation MAY choose to start the timeout after the entire * request stream has been received instead of immediately after the transaction is * initiated by the client. * - * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - * field is unspecified, request timeout behavior is implementation-specific. + * + * When this field is unspecified, request timeout behavior is implementation-specific. + * * * Support: Extended */ @@ -51742,6 +41879,7 @@ export namespace gateway { /** * Timeouts defines the timeouts that can be configured for an HTTP request. * + * * Support: Extended */ export interface HTTPRouteSpecRulesTimeoutsPatch { 
@@ -51750,19 +41888,21 @@ export namespace gateway { * to a backend. This covers the time from when the request first starts being * sent from the gateway to when the full response has been received from the backend. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * An entire client HTTP transaction with a gateway, covered by the Request timeout, * may result in more than one call from the gateway to the destination backend, * for example, if automatic retries are supported. * - * The value of BackendRequest must be a Gateway API Duration string as defined by - * GEP-2257. When this field is unspecified, its behavior is implementation-specific; - * when specified, the value of BackendRequest must be no more than the value of the - * Request timeout (since the Request timeout encompasses the BackendRequest timeout). + * + * Because the Request timeout encompasses the BackendRequest timeout, the value of + * BackendRequest must be <= the value of Request timeout. + * * * Support: Extended */ 
@@ -51772,22 +41912,26 @@ export namespace gateway { * If the gateway has not been able to respond before this deadline is met, the gateway * MUST return a timeout error. * + * * For example, setting the `rules.timeouts.request` field to the value `10s` in an * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds * to complete. * + * * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout * completely. Implementations that cannot completely disable the timeout MUST * instead interpret the zero duration as the longest possible value to which * the timeout can be set. * + * * This timeout is intended to cover as close to the whole request-response transaction * as possible although an implementation MAY choose to start the timeout after the entire * request stream has been received instead of immediately after the transaction is * initiated by the client. * - * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this - * field is unspecified, request timeout behavior is implementation-specific. + * + * When this field is unspecified, request timeout behavior is implementation-specific. + * * * Support: Extended */ @@ -51806,11 +41950,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ 
@@ -51827,19 +41973,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -51849,12 +41999,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -51865,6 +42018,22 @@ export namespace gateway { /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface HTTPRouteStatusParentsConditions { /** @@ -51897,12 +42066,32 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } /** * Condition contains details for one aspect of the current state of this API Resource. + * --- + * This struct is intended for direct use as an array at the field path .status.conditions. For example, + * + * + * type FooStatus struct{ + * // Represents the observations of a foo's current state. + * // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + * // +patchMergeKey=type + * // +patchStrategy=merge + * // +listType=map + * // +listMapKey=type + * Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + * + * + * // other fields + * } */ export interface HTTPRouteStatusParentsConditionsPatch { /** 
@@ -51935,6 +42124,10 @@ export namespace gateway { status: string; /** * type of condition in CamelCase or in foo.example.com/CamelCase. + * --- + * Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + * useful (see .node.status.conditions), the ability to deconflict is important. + * The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) */ type: string; } @@ -51950,23 +42143,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -51974,6 +42172,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: @@ -51981,10 +42180,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which 
@@ -51992,6 +42193,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -51999,6 +42201,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -52008,15 +42211,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -52025,6 +42231,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; @@ -52032,6 +42239,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. 
@@ -52039,10 +42247,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -52052,6 +42262,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; @@ -52068,23 +42279,28 @@ export namespace gateway { * To set the core API group (such as for a "Service" kind referent), * Group must be explicitly set to "" (empty string). * + * * Support: Core */ group: string; /** * Kind is kind of the referent. * + * * There are two kinds of parent resources with "Core" support: * + * * * Gateway (Gateway conformance profile) * * Service (Mesh conformance profile, ClusterIP Services only) * + * * Support for other resources is Implementation-Specific. */ kind: string; /** * Name is the name of the referent. * + * * Support: Core */ name: string; @@ -52092,6 +42308,7 @@ export namespace gateway { * Namespace is the namespace of the referent. When unspecified, this refers * to the local namespace of the Route. * + * * Note that there are specific rules for ParentRefs which cross namespace * boundaries. Cross-namespace references are only valid if they are explicitly * allowed by something in the namespace they are referring to. For example: 
@@ -52099,10 +42316,12 @@ export namespace gateway { * generic way to enable any other kind of cross-namespace reference. * * + * * ParentRefs from a Route to a Service in the same namespace are "producer" * routes, which apply default routing rules to inbound connections from * any namespace to the Service. * + * * ParentRefs from a Route to a Service in a different namespace are * "consumer" routes, and these routing rules are only applied to outbound * connections originating from the same namespace as the Route, for which @@ -52110,6 +42329,7 @@ export namespace gateway { * ParentRef of the Route. * * + * * Support: Core */ namespace: string; @@ -52117,6 +42337,7 @@ export namespace gateway { * Port is the network port this Route targets. It can be interpreted * differently based on the type of parent resource. * + * * When the parent resource is a Gateway, this targets all listeners * listening on the specified port that also support this kind of Route(and * select this Route). It's not recommended to set `Port` unless the @@ -52126,15 +42347,18 @@ export namespace gateway { * must match both specified values. * * + * * When the parent resource is a Service, this targets a specific port in the * Service spec. When both Port (experimental) and SectionName are specified, * the name and port of the selected port must match both specified values. * * + * * Implementations MAY choose to support other parent resources. * Implementations supporting other types of parent resources MUST clearly * document how/if Port is interpreted. * + * * For the purpose of status, an attachment is considered successful as * long as the parent resource accepts it partially. For example, Gateway * listeners can restrict which Routes can attach to them by Route kind, @@ -52143,6 +42367,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, * the Route MUST be considered detached from the Gateway. * + * * Support: Extended */ port: number; 
@@ -52150,6 +42375,7 @@ export namespace gateway { * SectionName is the name of a section within the target resource. In the * following resources, SectionName is interpreted as the following: * + * * * Gateway: Listener name. When both Port (experimental) and SectionName * are specified, the name and port of the selected listener must match * both specified values. @@ -52157,10 +42383,12 @@ export namespace gateway { * are specified, the name and port of the selected listener must match * both specified values. * + * * Implementations MAY choose to support attaching Routes to other resources. * If that is the case, they MUST clearly document how SectionName is * interpreted. * + * * When unspecified (empty string), this will reference the entire resource. * For the purpose of status, an attachment is considered successful if at * least one section in the parent resource accepts it. For example, Gateway @@ -52170,6 +42398,7 @@ export namespace gateway { * attached. If no Gateway listeners accept attachment from this Route, the * Route MUST be considered detached from the Gateway. * + * * Support: Core */ sectionName: string; 
@@ -52185,19 +42414,23 @@ export namespace gateway { * Note that the route's availability is also subject to the Gateway's own * status conditions and listener status. * + * * If the Route's ParentRef specifies an existing Gateway that supports * Routes of this kind AND that Gateway's controller has sufficient access, * then that Gateway's controller MUST set the "Accepted" condition on the * Route, to indicate whether the route has been accepted or rejected by the * Gateway, and why. * + * * A Route MUST be considered "Accepted" if at least one of the Route's * rules is implemented by the Gateway. * + * * There are a number of cases where the "Accepted" condition may not be set * due to lack of controller visibility, that includes when: * - * * The Route refers to a nonexistent parent. + * + * * The Route refers to a non-existent parent. * * The Route is of a type that the controller does not support. * * The Route is in a namespace the controller does not have access to. */ @@ -52207,12 +42440,15 @@ export namespace gateway { * controller that wrote this status. This corresponds with the * controllerName field on GatewayClass. * + * * Example: "example.net/gateway-controller". * + * * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are * valid Kubernetes names * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). * + * * Controllers MUST populate this field when writing status. Controllers should ensure that * entries to status populated with their ControllerName are cleaned up when they are no * longer necessary. 
@@ -52233,11 +42469,13 @@ export namespace gateway { * first sees the route and should update the entry as appropriate when the * route or gateway is modified. * + * * Note that parent references that cannot be resolved by an implementation * of this API will not be added to this list. Implementations of this API * can only populate Route status for the Gateways/parent resources they are * responsible for. * + * * A maximum of 32 Gateways will be represented in this list. An empty list * means the route has not been attached to any Gateway. */ @@ -52249,13 +42487,16 @@ export namespace gateway { * trusted to reference the specified kinds of resources in the same namespace * as the policy. * + * * Each ReferenceGrant can be used to represent a unique trust relationship. * Additional Reference Grants can be used to add to the set of trusted * sources of inbound references for the namespace they are defined within. * + * * All cross-namespace references in Gateway API (with the exception of cross-namespace * Gateway-route attachment) require a ReferenceGrant. * + * * ReferenceGrant is a form of runtime verification allowing users to assert * which cross-namespace object references are permitted. Implementations that * support ReferenceGrant MUST NOT permit cross-namespace references which have @@ -52288,6 +42529,7 @@ export namespace gateway { * to be an additional place that references can be valid from, or to put * this another way, entries MUST be combined using OR. * + * * Support: Core */ from: outputs.gateway.v1beta1.ReferenceGrantSpecFrom[]; @@ -52297,6 +42539,7 @@ export namespace gateway { * additional place that references can be valid to, or to put this another * way, entries MUST be combined using OR. * + * * Support: Core */ to: outputs.gateway.v1beta1.ReferenceGrantSpecTo[]; 
@@ -52310,6 +42553,7 @@ export namespace gateway { * Group is the group of the referent. * When empty, the Kubernetes core API group is inferred. * + * * Support: Core */ group: string; @@ -52318,12 +42562,16 @@ export namespace gateway { * additional resources, the following types are part of the "Core" * support level for this field. * + * * When used to permit a SecretObjectReference: * + * * * Gateway * + * * When used to permit a BackendObjectReference: * + * * * GRPCRoute * * HTTPRoute * * TCPRoute @@ -52334,6 +42582,7 @@ export namespace gateway { /** * Namespace is the namespace of the referent. * + * * Support: Core */ namespace: string; @@ -52347,6 +42596,7 @@ export namespace gateway { * Group is the group of the referent. * When empty, the Kubernetes core API group is inferred. * + * * Support: Core */ group: string; @@ -52355,12 +42605,16 @@ export namespace gateway { * additional resources, the following types are part of the "Core" * support level for this field. * + * * When used to permit a SecretObjectReference: * + * * * Gateway * + * * When used to permit a BackendObjectReference: * + * * * GRPCRoute * * HTTPRoute * * TCPRoute @@ -52371,6 +42625,7 @@ export namespace gateway { /** * Namespace is the namespace of the referent. * + * * Support: Core */ namespace: string; @@ -52386,6 +42641,7 @@ export namespace gateway { * to be an additional place that references can be valid from, or to put * this another way, entries MUST be combined using OR. * + * * Support: Core */ from: outputs.gateway.v1beta1.ReferenceGrantSpecFromPatch[]; @@ -52395,6 +42651,7 @@ export namespace gateway { * additional place that references can be valid to, or to put this another * way, entries MUST be combined using OR. * + * * Support: Core */ to: outputs.gateway.v1beta1.ReferenceGrantSpecToPatch[]; 
@@ -52409,6 +42666,7 @@ export namespace gateway { * Group is the group of the referent. * When empty, the Kubernetes core API group is inferred. * + * * Support: Core */ group: string; @@ -52417,6 +42675,7 @@ export namespace gateway { * additional resources, the following types are part of the "Core" * support level for this field: * + * * * Secret when used to permit a SecretObjectReference * * Service when used to permit a BackendObjectReference */ @@ -52438,6 +42697,7 @@ export namespace gateway { * Group is the group of the referent. * When empty, the Kubernetes core API group is inferred. * + * * Support: Core */ group: string; @@ -52446,6 +42706,7 @@ export namespace gateway { * additional resources, the following types are part of the "Core" * support level for this field: * + * * * Secret when used to permit a SecretObjectReference * * Service when used to permit a BackendObjectReference */ diff --git a/package-lock.json b/package-lock.json new file mode 100644 index 0000000..13a37e9 --- /dev/null +++ b/package-lock.json 
@@ -0,0 +1,3423 @@ +{ + "name": "pulumi-extra-crds", + "version": "1.0.10", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "pulumi-extra-crds", + "version": "1.0.10", + "license": "Apache-2.0", + "dependencies": { + "@pulumi/kubernetes": "^4.23.0", + "@pulumi/pulumi": "^3.113.0", + "pulumi-extra-crds": "^1.0.0" + }, + "devDependencies": { + "@types/node": "^20.0.0", + "typescript": "^5.0.0" + } + }, + "node_modules/@grpc/grpc-js": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-1.14.1.tgz", + "integrity": "sha512-sPxgEWtPUR3EnRJCEtbGZG2iX8LQDUls2wUS3o27jg07KqJFMq6YDeWvMo1wfpmy3rqRdS0rivpLwhqQtEyCuQ==", + "license": "Apache-2.0", + "dependencies": { + "@grpc/proto-loader": "^0.8.0", + "@js-sdsl/ordered-map": "^4.4.2" + }, + "engines": { + "node": ">=12.10.0" + } + }, + "node_modules/@grpc/proto-loader": { + "version": "0.8.0", + "resolved": "https://registry.npmjs.org/@grpc/proto-loader/-/proto-loader-0.8.0.tgz", + "integrity": "sha512-rc1hOQtjIWGxcxpb9aHAfLpIctjEnsDehj0DAiVfBlmT84uvR0uUtN2hEi/ecvWVjXUGf5qPF4qEgiLOx1YIMQ==", + "license": "Apache-2.0", + "dependencies": { + "lodash.camelcase": "^4.3.0", + "long": "^5.0.0", + "protobufjs": "^7.5.3", + "yargs": "^17.7.2" + }, + "bin": { + "proto-loader-gen-types": "build/bin/proto-loader-gen-types.js" + }, + "engines": { + "node": ">=6" + } + }, + "node_modules/@isaacs/cliui": { + "version": "8.0.2", + "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz", + "integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==", + "license": "ISC", + "dependencies": { + "string-width": "^5.1.2", + "string-width-cjs": "npm:string-width@^4.2.0", + "strip-ansi": "^7.0.1", + "strip-ansi-cjs": "npm:strip-ansi@^6.0.1", + "wrap-ansi": "^8.1.0", + "wrap-ansi-cjs": "npm:wrap-ansi@^7.0.0" + }, + "engines": { + "node": ">=12" + } + }, + "node_modules/@isaacs/string-locale-compare": { + "version": 
"1.1.0", + "resolved": "https://registry.npmjs.org/@isaacs/string-locale-compare/-/string-locale-compare-1.1.0.tgz", + "integrity": "sha512-SQ7Kzhh9+D+ZW9MA0zkYv3VXhIDNx+LzM6EJ+/65I3QY+enU6Itte7E5XX7EWrqLW2FN4n06GWzBnPoC3th2aQ==", + "license": "ISC" + }, + "node_modules/@js-sdsl/ordered-map": { + "version": "4.4.2", + "resolved": "https://registry.npmjs.org/@js-sdsl/ordered-map/-/ordered-map-4.4.2.tgz", + "integrity": "sha512-iUKgm52T8HOE/makSxjqoWhe95ZJA1/G1sYsGev2JDKUSS14KAgg1LHb+Ba+IPow0xflbnSkOsZcO08C7w1gYw==", + "license": "MIT", + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/js-sdsl" + } + }, + "node_modules/@logdna/tail-file": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/@logdna/tail-file/-/tail-file-2.2.0.tgz", + "integrity": "sha512-XGSsWDweP80Fks16lwkAUIr54ICyBs6PsI4mpfTLQaWgEJRtY9xEV+PeyDpJ+sJEGZxqINlpmAwe/6tS1pP8Ng==", + "license": "SEE LICENSE IN LICENSE", + "engines": { + "node": ">=10.3.0" + } + }, + "node_modules/@npmcli/agent": { + "version": "2.2.2", + "resolved": "https://registry.npmjs.org/@npmcli/agent/-/agent-2.2.2.tgz", + "integrity": "sha512-OrcNPXdpSl9UX7qPVRWbmWMCSXrcDa2M9DvrbOTj7ao1S4PlqVFYv9/yLKMkrJKZ/V5A/kDBC690or307i26Og==", + "license": "ISC", + "dependencies": { + "agent-base": "^7.1.0", + "http-proxy-agent": "^7.0.0", + "https-proxy-agent": "^7.0.1", + "lru-cache": "^10.0.1", + "socks-proxy-agent": "^8.0.3" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/@npmcli/arborist": { + "version": "7.5.4", + "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-7.5.4.tgz", + "integrity": "sha512-nWtIc6QwwoUORCRNzKx4ypHqCk3drI+5aeYdMTQQiRCcn4lOOgfQh7WyZobGYTxXPSq1VwV53lkpN/BRlRk08g==", + "license": "ISC", + "dependencies": { + "@isaacs/string-locale-compare": "^1.1.0", + "@npmcli/fs": "^3.1.1", + "@npmcli/installed-package-contents": "^2.1.0", + "@npmcli/map-workspaces": "^3.0.2", + "@npmcli/metavuln-calculator": "^7.1.1", + 
"@npmcli/name-from-folder": "^2.0.0", + "@npmcli/node-gyp": "^3.0.0", + "@npmcli/package-json": "^5.1.0", + "@npmcli/query": "^3.1.0", + "@npmcli/redact": "^2.0.0", + "@npmcli/run-script": "^8.1.0", + "bin-links": "^4.0.4", + "cacache": "^18.0.3", + "common-ancestor-path": "^1.0.1", + "hosted-git-info": "^7.0.2", + "json-parse-even-better-errors": "^3.0.2", + "json-stringify-nice": "^1.1.4", + "lru-cache": "^10.2.2", + "minimatch": "^9.0.4", + "nopt": "^7.2.1", + "npm-install-checks": "^6.2.0", + "npm-package-arg": "^11.0.2", + "npm-pick-manifest": "^9.0.1", + "npm-registry-fetch": "^17.0.1", + "pacote": "^18.0.6", + "parse-conflict-json": "^3.0.0", + "proc-log": "^4.2.0", + "proggy": "^2.0.0", + "promise-all-reject-late": "^1.0.0", + "promise-call-limit": "^3.0.1", + "read-package-json-fast": "^3.0.2", + "semver": "^7.3.7", + "ssri": "^10.0.6", + "treeverse": "^3.0.0", + "walk-up-path": "^3.0.1" + }, + "bin": { + "arborist": "bin/index.js" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/@npmcli/fs": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/@npmcli/fs/-/fs-3.1.1.tgz", + "integrity": "sha512-q9CRWjpHCMIh5sVyefoD1cA7PkvILqCZsnSOEUUivORLjxCO/Irmue2DprETiNgEqktDBZaM1Bi+jrarx1XdCg==", + "license": "ISC", + "dependencies": { + "semver": "^7.3.5" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/@npmcli/git": { + "version": "5.0.8", + "resolved": "https://registry.npmjs.org/@npmcli/git/-/git-5.0.8.tgz", + "integrity": "sha512-liASfw5cqhjNW9UFd+ruwwdEf/lbOAQjLL2XY2dFW/bkJheXDYZgOyul/4gVvEV4BWkTXjYGmDqMw9uegdbJNQ==", + "license": "ISC", + "dependencies": { + "@npmcli/promise-spawn": "^7.0.0", + "ini": "^4.1.3", + "lru-cache": "^10.0.1", + "npm-pick-manifest": "^9.0.0", + "proc-log": "^4.0.0", + "promise-inflight": "^1.0.1", + "promise-retry": "^2.0.1", + "semver": "^7.3.5", + "which": "^4.0.0" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + 
"node_modules/@npmcli/git/node_modules/ini": { + "version": "4.1.3", + "resolved": "https://registry.npmjs.org/ini/-/ini-4.1.3.tgz", + "integrity": "sha512-X7rqawQBvfdjS10YU1y1YVreA3SsLrW9dX2CewP2EbBJM4ypVNLDkO5y04gejPwKIY9lR+7r9gn3rFPt/kmWFg==", + "license": "ISC", + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/@npmcli/installed-package-contents": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@npmcli/installed-package-contents/-/installed-package-contents-2.1.0.tgz", + "integrity": "sha512-c8UuGLeZpm69BryRykLuKRyKFZYJsZSCT4aVY5ds4omyZqJ172ApzgfKJ5eV/r3HgLdUYgFVe54KSFVjKoe27w==", + "license": "ISC", + "dependencies": { + "npm-bundled": "^3.0.0", + "npm-normalize-package-bin": "^3.0.0" + }, + "bin": { + "installed-package-contents": "bin/index.js" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/@npmcli/map-workspaces": { + "version": "3.0.6", + "resolved": "https://registry.npmjs.org/@npmcli/map-workspaces/-/map-workspaces-3.0.6.tgz", + "integrity": "sha512-tkYs0OYnzQm6iIRdfy+LcLBjcKuQCeE5YLb8KnrIlutJfheNaPvPpgoFEyEFgbjzl5PLZ3IA/BWAwRU0eHuQDA==", + "license": "ISC", + "dependencies": { + "@npmcli/name-from-folder": "^2.0.0", + "glob": "^10.2.2", + "minimatch": "^9.0.0", + "read-package-json-fast": "^3.0.0" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/@npmcli/metavuln-calculator": { + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/@npmcli/metavuln-calculator/-/metavuln-calculator-7.1.1.tgz", + "integrity": "sha512-Nkxf96V0lAx3HCpVda7Vw4P23RILgdi/5K1fmj2tZkWIYLpXAN8k2UVVOsW16TsS5F8Ws2I7Cm+PU1/rsVF47g==", + "license": "ISC", + "dependencies": { + "cacache": "^18.0.0", + "json-parse-even-better-errors": "^3.0.0", + "pacote": "^18.0.0", + "proc-log": "^4.1.0", + "semver": "^7.3.5" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/@npmcli/name-from-folder": { + "version": "2.0.0", + 
"resolved": "https://registry.npmjs.org/@npmcli/name-from-folder/-/name-from-folder-2.0.0.tgz", + "integrity": "sha512-pwK+BfEBZJbKdNYpHHRTNBwBoqrN/iIMO0AiGvYsp3Hoaq0WbgGSWQR6SCldZovoDpY3yje5lkFUe6gsDgJ2vg==", + "license": "ISC", + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/@npmcli/node-gyp": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/@npmcli/node-gyp/-/node-gyp-3.0.0.tgz", + "integrity": "sha512-gp8pRXC2oOxu0DUE1/M3bYtb1b3/DbJ5aM113+XJBgfXdussRAsX0YOrOhdd8WvnAR6auDBvJomGAkLKA5ydxA==", + "license": "ISC", + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/@npmcli/package-json": { + "version": "5.2.1", + "resolved": "https://registry.npmjs.org/@npmcli/package-json/-/package-json-5.2.1.tgz", + "integrity": "sha512-f7zYC6kQautXHvNbLEWgD/uGu1+xCn9izgqBfgItWSx22U0ZDekxN08A1vM8cTxj/cRVe0Q94Ode+tdoYmIOOQ==", + "license": "ISC", + "dependencies": { + "@npmcli/git": "^5.0.0", + "glob": "^10.2.2", + "hosted-git-info": "^7.0.0", + "json-parse-even-better-errors": "^3.0.0", + "normalize-package-data": "^6.0.0", + "proc-log": "^4.0.0", + "semver": "^7.5.3" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/@npmcli/promise-spawn": { + "version": "7.0.2", + "resolved": "https://registry.npmjs.org/@npmcli/promise-spawn/-/promise-spawn-7.0.2.tgz", + "integrity": "sha512-xhfYPXoV5Dy4UkY0D+v2KkwvnDfiA/8Mt3sWCGI/hM03NsYIH8ZaG6QzS9x7pje5vHZBZJ2v6VRFVTWACnqcmQ==", + "license": "ISC", + "dependencies": { + "which": "^4.0.0" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/@npmcli/query": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/@npmcli/query/-/query-3.1.0.tgz", + "integrity": "sha512-C/iR0tk7KSKGldibYIB9x8GtO/0Bd0I2mhOaDb8ucQL/bQVTmGoeREaFj64Z5+iCBRf3dQfed0CjJL7I8iTkiQ==", + "license": "ISC", + "dependencies": { + "postcss-selector-parser": "^6.0.10" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || 
>=18.0.0" + } + }, + "node_modules/@npmcli/redact": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@npmcli/redact/-/redact-2.0.1.tgz", + "integrity": "sha512-YgsR5jCQZhVmTJvjduTOIHph0L73pK8xwMVaDY0PatySqVM9AZj93jpoXYSJqfHFxFkN9dmqTw6OiqExsS3LPw==", + "license": "ISC", + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/@npmcli/run-script": { + "version": "8.1.0", + "resolved": "https://registry.npmjs.org/@npmcli/run-script/-/run-script-8.1.0.tgz", + "integrity": "sha512-y7efHHwghQfk28G2z3tlZ67pLG0XdfYbcVG26r7YIXALRsrVQcTq4/tdenSmdOrEsNahIYA/eh8aEVROWGFUDg==", + "license": "ISC", + "dependencies": { + "@npmcli/node-gyp": "^3.0.0", + "@npmcli/package-json": "^5.0.0", + "@npmcli/promise-spawn": "^7.0.0", + "node-gyp": "^10.0.0", + "proc-log": "^4.0.0", + "which": "^4.0.0" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/@opentelemetry/api": { + "version": "1.9.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.9.0.tgz", + "integrity": "sha512-3giAOQvZiH5F9bMlMiv8+GSPMeqg0dbaeo58/0SlA9sxSqZhnUtxzX9/2FzyhS9sWQf5S0GJE0AKBrFqjpeYcg==", + "license": "Apache-2.0", + "engines": { + "node": ">=8.0.0" + } + }, + "node_modules/@opentelemetry/api-logs": { + "version": "0.55.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/api-logs/-/api-logs-0.55.0.tgz", + "integrity": "sha512-3cpa+qI45VHYcA5c0bHM6VHo9gicv3p5mlLHNG3rLyjQU8b7e0st1rWtrUn3JbZ3DwwCfhKop4eQ9UuYlC6Pkg==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/api": "^1.3.0" + }, + "engines": { + "node": ">=14" + } + }, + "node_modules/@opentelemetry/context-async-hooks": { + "version": "1.30.1", + "resolved": "https://registry.npmjs.org/@opentelemetry/context-async-hooks/-/context-async-hooks-1.30.1.tgz", + "integrity": "sha512-s5vvxXPVdjqS3kTLKMeBMvop9hbWkwzBpu+mUO2M7sZtlkyDJGwFe33wRKnbaYDo8ExRVBIIdwIGrqpxHuKttA==", + "license": "Apache-2.0", + "engines": { + "node": ">=14" + }, + "peerDependencies": { + 
"@opentelemetry/api": ">=1.0.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/core": { + "version": "1.30.1", + "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-1.30.1.tgz", + "integrity": "sha512-OOCM2C/QIURhJMuKaekP3TRBxBKxG/TWWA0TL2J6nXUtDnuCtccy49LUJF8xPFXMX+0LMcxFpCo8M9cGY1W6rQ==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/semantic-conventions": "1.28.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": ">=1.0.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/exporter-zipkin": { + "version": "1.30.1", + "resolved": "https://registry.npmjs.org/@opentelemetry/exporter-zipkin/-/exporter-zipkin-1.30.1.tgz", + "integrity": "sha512-6S2QIMJahIquvFaaxmcwpvQQRD/YFaMTNoIxrfPIPOeITN+a8lfEcPDxNxn8JDAaxkg+4EnXhz8upVDYenoQjA==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/core": "1.30.1", + "@opentelemetry/resources": "1.30.1", + "@opentelemetry/sdk-trace-base": "1.30.1", + "@opentelemetry/semantic-conventions": "1.28.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": "^1.0.0" + } + }, + "node_modules/@opentelemetry/instrumentation": { + "version": "0.55.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/instrumentation/-/instrumentation-0.55.0.tgz", + "integrity": "sha512-YDCMlaQRZkziLL3t6TONRgmmGxDx6MyQDXRD0dknkkgUZtOK5+8MWft1OXzmNu6XfBOdT12MKN5rz+jHUkafKQ==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/api-logs": "0.55.0", + "@types/shimmer": "^1.2.0", + "import-in-the-middle": "^1.8.1", + "require-in-the-middle": "^7.1.1", + "semver": "^7.5.2", + "shimmer": "^1.2.1" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": "^1.3.0" + } + }, + "node_modules/@opentelemetry/instrumentation-grpc": { + "version": "0.55.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/instrumentation-grpc/-/instrumentation-grpc-0.55.0.tgz", + "integrity": 
"sha512-n2ZH4pRwOy0Vhag/3eKqiyDBwcpUnGgJI9iiIRX7vivE0FMncaLazWphNFezRRaM/LuKwq1TD8pVUvieP68mow==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/instrumentation": "0.55.0", + "@opentelemetry/semantic-conventions": "1.27.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": "^1.3.0" + } + }, + "node_modules/@opentelemetry/instrumentation-grpc/node_modules/@opentelemetry/semantic-conventions": { + "version": "1.27.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/semantic-conventions/-/semantic-conventions-1.27.0.tgz", + "integrity": "sha512-sAay1RrB+ONOem0OZanAR1ZI/k7yDpnOQSQmTMuGImUQb2y8EbSaCJ94FQluM74xoU03vlb2d2U90hZluL6nQg==", + "license": "Apache-2.0", + "engines": { + "node": ">=14" + } + }, + "node_modules/@opentelemetry/propagator-b3": { + "version": "1.30.1", + "resolved": "https://registry.npmjs.org/@opentelemetry/propagator-b3/-/propagator-b3-1.30.1.tgz", + "integrity": "sha512-oATwWWDIJzybAZ4pO76ATN5N6FFbOA1otibAVlS8v90B4S1wClnhRUk7K+2CHAwN1JKYuj4jh/lpCEG5BAqFuQ==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/core": "1.30.1" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": ">=1.0.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/propagator-jaeger": { + "version": "1.30.1", + "resolved": "https://registry.npmjs.org/@opentelemetry/propagator-jaeger/-/propagator-jaeger-1.30.1.tgz", + "integrity": "sha512-Pj/BfnYEKIOImirH76M4hDaBSx6HyZ2CXUqk+Kj02m6BB80c/yo4BdWkn/1gDFfU+YPY+bPR2U0DKBfdxCKwmg==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/core": "1.30.1" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": ">=1.0.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/resources": { + "version": "1.30.1", + "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-1.30.1.tgz", + "integrity": 
"sha512-5UxZqiAgLYGFjS4s9qm5mBVo433u+dSPUFWVWXmLAD4wB65oMCoXaJP1KJa9DIYYMeHu3z4BZcStG3LC593cWA==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/core": "1.30.1", + "@opentelemetry/semantic-conventions": "1.28.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": ">=1.0.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/sdk-trace-base": { + "version": "1.30.1", + "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-1.30.1.tgz", + "integrity": "sha512-jVPgBbH1gCy2Lb7X0AVQ8XAfgg0pJ4nvl8/IiQA6nxOsPvS+0zMJaFSs2ltXe0J6C8dqjcnpyqINDJmU30+uOg==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/core": "1.30.1", + "@opentelemetry/resources": "1.30.1", + "@opentelemetry/semantic-conventions": "1.28.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": ">=1.0.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/sdk-trace-node": { + "version": "1.30.1", + "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-node/-/sdk-trace-node-1.30.1.tgz", + "integrity": "sha512-cBjYOINt1JxXdpw1e5MlHmFRc5fgj4GW/86vsKFxJCJ8AL4PdVtYH41gWwl4qd4uQjqEL1oJVrXkSy5cnduAnQ==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/context-async-hooks": "1.30.1", + "@opentelemetry/core": "1.30.1", + "@opentelemetry/propagator-b3": "1.30.1", + "@opentelemetry/propagator-jaeger": "1.30.1", + "@opentelemetry/sdk-trace-base": "1.30.1", + "semver": "^7.5.2" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": ">=1.0.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/semantic-conventions": { + "version": "1.28.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/semantic-conventions/-/semantic-conventions-1.28.0.tgz", + "integrity": "sha512-lp4qAiMTD4sNWW4DbKLBkfiMZ4jbAboJIGOQr5DvciMRI494OapieI9qiODpOt0XBr1LjIDy1xAGAnVs5supTA==", + "license": "Apache-2.0", + "engines": { + "node": ">=14" + } + }, + 
"node_modules/@pkgjs/parseargs": { + "version": "0.11.0", + "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz", + "integrity": "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==", + "license": "MIT", + "optional": true, + "engines": { + "node": ">=14" + } + }, + "node_modules/@protobufjs/aspromise": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@protobufjs/aspromise/-/aspromise-1.1.2.tgz", + "integrity": "sha512-j+gKExEuLmKwvz3OgROXtrJ2UG2x8Ch2YZUxahh+s1F2HZ+wAceUNLkvy6zKCPVRkU++ZWQrdxsUeQXmcg4uoQ==", + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/base64": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@protobufjs/base64/-/base64-1.1.2.tgz", + "integrity": "sha512-AZkcAA5vnN/v4PDqKyMR5lx7hZttPDgClv83E//FMNhR2TMcLUhfRUBHCmSl0oi9zMgDDqRUJkSxO3wm85+XLg==", + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/codegen": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.4.tgz", + "integrity": "sha512-YyFaikqM5sH0ziFZCN3xDC7zeGaB/d0IUb9CATugHWbd1FRFwWwt4ld4OYMPWu5a3Xe01mGAULCdqhMlPl29Jg==", + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/eventemitter": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@protobufjs/eventemitter/-/eventemitter-1.1.0.tgz", + "integrity": "sha512-j9ednRT81vYJ9OfVuXG6ERSTdEL1xVsNgqpkxMsbIabzSo3goCjDIveeGv5d03om39ML71RdmrGNjG5SReBP/Q==", + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/fetch": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@protobufjs/fetch/-/fetch-1.1.0.tgz", + "integrity": "sha512-lljVXpqXebpsijW71PZaCYeIcE5on1w5DlQy5WH6GLbFryLUrBD4932W/E2BSpfRJWseIL4v/KPgBFxDOIdKpQ==", + "license": "BSD-3-Clause", + "dependencies": { + "@protobufjs/aspromise": "^1.1.1", + "@protobufjs/inquire": "^1.1.0" + } + }, + "node_modules/@protobufjs/float": { + "version": "1.0.2", + "resolved": 
"https://registry.npmjs.org/@protobufjs/float/-/float-1.0.2.tgz", + "integrity": "sha512-Ddb+kVXlXst9d+R9PfTIxh1EdNkgoRe5tOX6t01f1lYWOvJnSPDBlG241QLzcyPdoNTsblLUdujGSE4RzrTZGQ==", + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/inquire": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.0.tgz", + "integrity": "sha512-kdSefcPdruJiFMVSbn801t4vFK7KB/5gd2fYvrxhuJYg8ILrmn9SKSX2tZdV6V+ksulWqS7aXjBcRXl3wHoD9Q==", + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/path": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@protobufjs/path/-/path-1.1.2.tgz", + "integrity": "sha512-6JOcJ5Tm08dOHAbdR3GrvP+yUUfkjG5ePsHYczMFLq3ZmMkAD98cDgcT2iA1lJ9NVwFd4tH/iSSoe44YWkltEA==", + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/pool": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@protobufjs/pool/-/pool-1.1.0.tgz", + "integrity": "sha512-0kELaGSIDBKvcgS4zkjz1PeddatrjYcmMWOlAuAPwAeccUrPHdUqo/J6LiymHHEiJT5NrF1UVwxY14f+fy4WQw==", + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/utf8": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz", + "integrity": "sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==", + "license": "BSD-3-Clause" + }, + "node_modules/@pulumi/kubernetes": { + "version": "4.24.0", + "resolved": "https://registry.npmjs.org/@pulumi/kubernetes/-/kubernetes-4.24.0.tgz", + "integrity": "sha512-6aWo91xWpCMQe7kv9DGiVGXN0doYu/h98joEHPDc9gTpckSNkctGeRCZ0KKpBU0RLk9Ig+MVdx48WbY467GD8A==", + "hasInstallScript": true, + "license": "Apache-2.0", + "dependencies": { + "@pulumi/pulumi": "^3.142.0", + "glob": "^10.3.10", + "shell-quote": "^1.6.1" + } + }, + "node_modules/@pulumi/pulumi": { + "version": "3.208.0", + "resolved": "https://registry.npmjs.org/@pulumi/pulumi/-/pulumi-3.208.0.tgz", + "integrity": 
"sha512-6RM/QQXyAoEj1J1U8bdtRqLp4zCdxl0YpoQfc+CtOfR1QrR7sHcZ4anpLbVs+fE7nxK1h4Cx8YykJ8cYq2BzJQ==", + "license": "Apache-2.0", + "dependencies": { + "@grpc/grpc-js": "^1.10.1", + "@logdna/tail-file": "^2.0.6", + "@npmcli/arborist": "^7.3.1", + "@opentelemetry/api": "^1.9", + "@opentelemetry/exporter-zipkin": "^1.28", + "@opentelemetry/instrumentation": "^0.55", + "@opentelemetry/instrumentation-grpc": "^0.55", + "@opentelemetry/resources": "^1.28", + "@opentelemetry/sdk-trace-base": "^1.28", + "@opentelemetry/sdk-trace-node": "^1.28", + "@types/google-protobuf": "^3.15.5", + "@types/semver": "^7.5.6", + "@types/tmp": "^0.2.6", + "execa": "^5.1.0", + "fdir": "^6.1.1", + "google-protobuf": "^3.21.4", + "got": "^11.8.6", + "ini": "^2.0.0", + "js-yaml": "^3.14.0", + "minimist": "^1.2.6", + "normalize-package-data": "^6.0.0", + "picomatch": "^3.0.1", + "pkg-dir": "^7.0.0", + "require-from-string": "^2.0.1", + "semver": "^7.5.2", + "source-map-support": "^0.5.6", + "tmp": "^0.2.4", + "upath": "^1.1.0" + }, + "engines": { + "node": ">=20" + }, + "peerDependencies": { + "ts-node": ">= 7.0.1 < 12", + "typescript": ">= 3.8.3 < 6" + }, + "peerDependenciesMeta": { + "ts-node": { + "optional": true + }, + "typescript": { + "optional": true + } + } + }, + "node_modules/@sigstore/bundle": { + "version": "2.3.2", + "resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.3.2.tgz", + "integrity": "sha512-wueKWDk70QixNLB363yHc2D2ItTgYiMTdPwK8D9dKQMR3ZQ0c35IxP5xnwQ8cNLoCgCRcHf14kE+CLIvNX1zmA==", + "license": "Apache-2.0", + "dependencies": { + "@sigstore/protobuf-specs": "^0.3.2" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/@sigstore/core": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@sigstore/core/-/core-1.1.0.tgz", + "integrity": "sha512-JzBqdVIyqm2FRQCulY6nbQzMpJJpSiJ8XXWMhtOX9eKgaXXpfNOF53lzQEjIydlStnd/eFtuC1dW4VYdD93oRg==", + "license": "Apache-2.0", + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + 
"node_modules/@sigstore/protobuf-specs": { + "version": "0.3.3", + "resolved": "https://registry.npmjs.org/@sigstore/protobuf-specs/-/protobuf-specs-0.3.3.tgz", + "integrity": "sha512-RpacQhBlwpBWd7KEJsRKcBQalbV28fvkxwTOJIqhIuDysMMaJW47V4OqW30iJB9uRpqOSxxEAQFdr8tTattReQ==", + "license": "Apache-2.0", + "engines": { + "node": "^18.17.0 || >=20.5.0" + } + }, + "node_modules/@sigstore/sign": { + "version": "2.3.2", + "resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.3.2.tgz", + "integrity": "sha512-5Vz5dPVuunIIvC5vBb0APwo7qKA4G9yM48kPWJT+OEERs40md5GoUR1yedwpekWZ4m0Hhw44m6zU+ObsON+iDA==", + "license": "Apache-2.0", + "dependencies": { + "@sigstore/bundle": "^2.3.2", + "@sigstore/core": "^1.0.0", + "@sigstore/protobuf-specs": "^0.3.2", + "make-fetch-happen": "^13.0.1", + "proc-log": "^4.2.0", + "promise-retry": "^2.0.1" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/@sigstore/tuf": { + "version": "2.3.4", + "resolved": "https://registry.npmjs.org/@sigstore/tuf/-/tuf-2.3.4.tgz", + "integrity": "sha512-44vtsveTPUpqhm9NCrbU8CWLe3Vck2HO1PNLw7RIajbB7xhtn5RBPm1VNSCMwqGYHhDsBJG8gDF0q4lgydsJvw==", + "license": "Apache-2.0", + "dependencies": { + "@sigstore/protobuf-specs": "^0.3.2", + "tuf-js": "^2.2.1" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/@sigstore/verify": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/@sigstore/verify/-/verify-1.2.1.tgz", + "integrity": "sha512-8iKx79/F73DKbGfRf7+t4dqrc0bRr0thdPrxAtCKWRm/F0tG71i6O1rvlnScncJLLBZHn3h8M3c1BSUAb9yu8g==", + "license": "Apache-2.0", + "dependencies": { + "@sigstore/bundle": "^2.3.2", + "@sigstore/core": "^1.1.0", + "@sigstore/protobuf-specs": "^0.3.2" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/@sindresorhus/is": { + "version": "4.6.0", + "resolved": "https://registry.npmjs.org/@sindresorhus/is/-/is-4.6.0.tgz", + "integrity": 
"sha512-t09vSN3MdfsyCHoFcTRCH/iUtG7OJ0CsjzB8cjAmKc/va/kIgeDI/TxsigdncE/4be734m0cvIYwNaV4i2XqAw==", + "license": "MIT", + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sindresorhus/is?sponsor=1" + } + }, + "node_modules/@szmarczak/http-timer": { + "version": "4.0.6", + "resolved": "https://registry.npmjs.org/@szmarczak/http-timer/-/http-timer-4.0.6.tgz", + "integrity": "sha512-4BAffykYOgO+5nzBWYwE3W90sBgLJoUPRWWcL8wlyiM8IB8ipJz3UMJ9KXQd1RKQXpKp8Tutn80HZtWsu2u76w==", + "license": "MIT", + "dependencies": { + "defer-to-connect": "^2.0.0" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/@tufjs/canonical-json": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@tufjs/canonical-json/-/canonical-json-2.0.0.tgz", + "integrity": "sha512-yVtV8zsdo8qFHe+/3kw81dSLyF7D576A5cCFCi4X7B39tWT7SekaEFUnvnWJHz+9qO7qJTah1JbrDjWKqFtdWA==", + "license": "MIT", + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/@tufjs/models": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@tufjs/models/-/models-2.0.1.tgz", + "integrity": "sha512-92F7/SFyufn4DXsha9+QfKnN03JGqtMFMXgSHbZOo8JG59WkTni7UzAouNQDf7AuP9OAMxVOPQcqG3sB7w+kkg==", + "license": "MIT", + "dependencies": { + "@tufjs/canonical-json": "2.0.0", + "minimatch": "^9.0.4" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/@types/cacheable-request": { + "version": "6.0.3", + "resolved": "https://registry.npmjs.org/@types/cacheable-request/-/cacheable-request-6.0.3.tgz", + "integrity": "sha512-IQ3EbTzGxIigb1I3qPZc1rWJnH0BmSKv5QYTalEwweFvyBDLSAe24zP0le/hyi7ecGfZVlIVAg4BZqb8WBwKqw==", + "license": "MIT", + "dependencies": { + "@types/http-cache-semantics": "*", + "@types/keyv": "^3.1.4", + "@types/node": "*", + "@types/responselike": "^1.0.0" + } + }, + "node_modules/@types/google-protobuf": { + "version": "3.15.12", + "resolved": "https://registry.npmjs.org/@types/google-protobuf/-/google-protobuf-3.15.12.tgz", + 
"integrity": "sha512-40um9QqwHjRS92qnOaDpL7RmDK15NuZYo9HihiJRbYkMQZlWnuH8AdvbMy8/o6lgLmKbDUKa+OALCltHdbOTpQ==", + "license": "MIT" + }, + "node_modules/@types/http-cache-semantics": { + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/@types/http-cache-semantics/-/http-cache-semantics-4.0.4.tgz", + "integrity": "sha512-1m0bIFVc7eJWyve9S0RnuRgcQqF/Xd5QsUZAZeQFr1Q3/p9JWoQQEqmVy+DPTNpGXwhgIetAoYF8JSc33q29QA==", + "license": "MIT" + }, + "node_modules/@types/keyv": { + "version": "3.1.4", + "resolved": "https://registry.npmjs.org/@types/keyv/-/keyv-3.1.4.tgz", + "integrity": "sha512-BQ5aZNSCpj7D6K2ksrRCTmKRLEpnPvWDiLPfoGyhZ++8YtiK9d/3DBKPJgry359X/P1PfruyYwvnvwFjuEiEIg==", + "license": "MIT", + "dependencies": { + "@types/node": "*" + } + }, + "node_modules/@types/node": { + "version": "20.19.25", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.25.tgz", + "integrity": "sha512-ZsJzA5thDQMSQO788d7IocwwQbI8B5OPzmqNvpf3NY/+MHDAS759Wo0gd2WQeXYt5AAAQjzcrTVC6SKCuYgoCQ==", + "license": "MIT", + "dependencies": { + "undici-types": "~6.21.0" + } + }, + "node_modules/@types/responselike": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/@types/responselike/-/responselike-1.0.3.tgz", + "integrity": "sha512-H/+L+UkTV33uf49PH5pCAUBVPNj2nDBXTN+qS1dOwyyg24l3CcicicCA7ca+HMvJBZcFgl5r8e+RR6elsb4Lyw==", + "license": "MIT", + "dependencies": { + "@types/node": "*" + } + }, + "node_modules/@types/semver": { + "version": "7.7.1", + "resolved": "https://registry.npmjs.org/@types/semver/-/semver-7.7.1.tgz", + "integrity": "sha512-FmgJfu+MOcQ370SD0ev7EI8TlCAfKYU+B4m5T3yXc1CiRN94g/SZPtsCkk506aUDtlMnFZvasDwHHUcZUEaYuA==", + "license": "MIT" + }, + "node_modules/@types/shimmer": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/@types/shimmer/-/shimmer-1.2.0.tgz", + "integrity": "sha512-UE7oxhQLLd9gub6JKIAhDq06T0F6FnztwMNRvYgjeQSBeMc1ZG/tA47EwfduvkuQS8apbkM/lpLpWsaCeYsXVg==", + "license": "MIT" + }, + "node_modules/@types/tmp": { + 
"version": "0.2.6", + "resolved": "https://registry.npmjs.org/@types/tmp/-/tmp-0.2.6.tgz", + "integrity": "sha512-chhaNf2oKHlRkDGt+tiKE2Z5aJ6qalm7Z9rlLdBwmOiAAf09YQvvoLXjWK4HWPF1xU/fqvMgfNfpVoBscA/tKA==", + "license": "MIT" + }, + "node_modules/abbrev": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-2.0.0.tgz", + "integrity": "sha512-6/mh1E2u2YgEsCHdY0Yx5oW+61gZU+1vXaoiHHrpKeuRNNgFvS+/jrwHiQhB5apAf5oB7UB7E19ol2R2LKH8hQ==", + "license": "ISC", + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/acorn": { + "version": "8.15.0", + "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz", + "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==", + "license": "MIT", + "bin": { + "acorn": "bin/acorn" + }, + "engines": { + "node": ">=0.4.0" + } + }, + "node_modules/acorn-import-attributes": { + "version": "1.9.5", + "resolved": "https://registry.npmjs.org/acorn-import-attributes/-/acorn-import-attributes-1.9.5.tgz", + "integrity": "sha512-n02Vykv5uA3eHGM/Z2dQrcD56kL8TyDb2p1+0P83PClMnC/nc+anbQRhIOWnSq4Ke/KvDPrY3C9hDtC/A3eHnQ==", + "license": "MIT", + "peerDependencies": { + "acorn": "^8" + } + }, + "node_modules/agent-base": { + "version": "7.1.4", + "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-7.1.4.tgz", + "integrity": "sha512-MnA+YT8fwfJPgBx3m60MNqakm30XOkyIoH1y6huTQvC0PwZG7ki8NacLBcrPbNoo8vEZy7Jpuk7+jMO+CUovTQ==", + "license": "MIT", + "engines": { + "node": ">= 14" + } + }, + "node_modules/aggregate-error": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/aggregate-error/-/aggregate-error-3.1.0.tgz", + "integrity": "sha512-4I7Td01quW/RpocfNayFdFVk1qSuoh0E7JrbRJ16nH01HhKFQ88INq9Sd+nd72zqRySlr9BmDA8xlEJ6vJMrYA==", + "license": "MIT", + "dependencies": { + "clean-stack": "^2.0.0", + "indent-string": "^4.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/ansi-regex": { + "version": "6.2.2", 
+ "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.2.2.tgz", + "integrity": "sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==", + "license": "MIT", + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-regex?sponsor=1" + } + }, + "node_modules/ansi-styles": { + "version": "6.2.3", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.3.tgz", + "integrity": "sha512-4Dj6M28JB+oAH8kFkTLUo+a2jwOFkuqb3yucU0CANcRRUbxS0cP0nZYCGjcc3BNXwRIsUVmDGgzawme7zvJHvg==", + "license": "MIT", + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + "node_modules/argparse": { + "version": "1.0.10", + "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz", + "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==", + "license": "MIT", + "dependencies": { + "sprintf-js": "~1.0.2" + } + }, + "node_modules/balanced-match": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", + "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", + "license": "MIT" + }, + "node_modules/bin-links": { + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/bin-links/-/bin-links-4.0.4.tgz", + "integrity": "sha512-cMtq4W5ZsEwcutJrVId+a/tjt8GSbS+h0oNkdl6+6rBuEv8Ot33Bevj5KPm40t309zuhVic8NjpuL42QCiJWWA==", + "license": "ISC", + "dependencies": { + "cmd-shim": "^6.0.0", + "npm-normalize-package-bin": "^3.0.0", + "read-cmd-shim": "^4.0.0", + "write-file-atomic": "^5.0.0" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/brace-expansion": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz", + "integrity": 
"sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==", + "license": "MIT", + "dependencies": { + "balanced-match": "^1.0.0" + } + }, + "node_modules/buffer-from": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.2.tgz", + "integrity": "sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ==", + "license": "MIT" + }, + "node_modules/cacache": { + "version": "18.0.4", + "resolved": "https://registry.npmjs.org/cacache/-/cacache-18.0.4.tgz", + "integrity": "sha512-B+L5iIa9mgcjLbliir2th36yEwPftrzteHYujzsx3dFP/31GCHcIeS8f5MGd80odLOjaOvSpU3EEAmRQptkxLQ==", + "license": "ISC", + "dependencies": { + "@npmcli/fs": "^3.1.0", + "fs-minipass": "^3.0.0", + "glob": "^10.2.2", + "lru-cache": "^10.0.1", + "minipass": "^7.0.3", + "minipass-collect": "^2.0.1", + "minipass-flush": "^1.0.5", + "minipass-pipeline": "^1.2.4", + "p-map": "^4.0.0", + "ssri": "^10.0.0", + "tar": "^6.1.11", + "unique-filename": "^3.0.0" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/cacheable-lookup": { + "version": "5.0.4", + "resolved": "https://registry.npmjs.org/cacheable-lookup/-/cacheable-lookup-5.0.4.tgz", + "integrity": "sha512-2/kNscPhpcxrOigMZzbiWF7dz8ilhb/nIHU3EyZiXWXpeq/au8qJ8VhdftMkty3n7Gj6HIGalQG8oiBNB3AJgA==", + "license": "MIT", + "engines": { + "node": ">=10.6.0" + } + }, + "node_modules/cacheable-request": { + "version": "7.0.4", + "resolved": "https://registry.npmjs.org/cacheable-request/-/cacheable-request-7.0.4.tgz", + "integrity": "sha512-v+p6ongsrp0yTGbJXjgxPow2+DL93DASP4kXCDKb8/bwRtt9OEF3whggkkDkGNzgcWy2XaF4a8nZglC7uElscg==", + "license": "MIT", + "dependencies": { + "clone-response": "^1.0.2", + "get-stream": "^5.1.0", + "http-cache-semantics": "^4.0.0", + "keyv": "^4.0.0", + "lowercase-keys": "^2.0.0", + "normalize-url": "^6.0.1", + "responselike": "^2.0.0" + }, + "engines": { + "node": ">=8" + } + }, + 
"node_modules/cacheable-request/node_modules/get-stream": { + "version": "5.2.0", + "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-5.2.0.tgz", + "integrity": "sha512-nBF+F1rAZVCu/p7rjzgA+Yb4lfYXrpl7a6VmJrU8wF9I1CKvP/QwPNZHnOlwbTkY6dvtFIzFMSyQXbLoTQPRpA==", + "license": "MIT", + "dependencies": { + "pump": "^3.0.0" + }, + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/chownr": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/chownr/-/chownr-2.0.0.tgz", + "integrity": "sha512-bIomtDF5KGpdogkLd9VspvFzk9KfpyyGlS8YFVZl7TGPBHL5snIOnxeshwVgPteQ9b4Eydl+pVbIyE1DcvCWgQ==", + "license": "ISC", + "engines": { + "node": ">=10" + } + }, + "node_modules/cjs-module-lexer": { + "version": "1.4.3", + "resolved": "https://registry.npmjs.org/cjs-module-lexer/-/cjs-module-lexer-1.4.3.tgz", + "integrity": "sha512-9z8TZaGM1pfswYeXrUpzPrkx8UnWYdhJclsiYMm6x/w5+nN+8Tf/LnAgfLGQCm59qAOxU8WwHEq2vNwF6i4j+Q==", + "license": "MIT" + }, + "node_modules/clean-stack": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/clean-stack/-/clean-stack-2.2.0.tgz", + "integrity": "sha512-4diC9HaTE+KRAMWhDhrGOECgWZxoevMc5TlkObMqNSsVU62PYzXZ/SMTjzyGAFF1YusgxGcSWTEXBhp0CPwQ1A==", + "license": "MIT", + "engines": { + "node": ">=6" + } + }, + "node_modules/cliui": { + "version": "8.0.1", + "resolved": "https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz", + "integrity": "sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==", + "license": "ISC", + "dependencies": { + "string-width": "^4.2.0", + "strip-ansi": "^6.0.1", + "wrap-ansi": "^7.0.0" + }, + "engines": { + "node": ">=12" + } + }, + "node_modules/cliui/node_modules/ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + 
"license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/cliui/node_modules/ansi-styles": { + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz", + "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==", + "license": "MIT", + "dependencies": { + "color-convert": "^2.0.1" + }, + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + "node_modules/cliui/node_modules/emoji-regex": { + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "license": "MIT" + }, + "node_modules/cliui/node_modules/string-width": { + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "license": "MIT", + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/cliui/node_modules/strip-ansi": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "license": "MIT", + "dependencies": { + "ansi-regex": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/cliui/node_modules/wrap-ansi": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", + "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", + "license": "MIT", + "dependencies": { + "ansi-styles": "^4.0.0", + "string-width": "^4.1.0", + "strip-ansi": 
"^6.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/chalk/wrap-ansi?sponsor=1" + } + }, + "node_modules/clone-response": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/clone-response/-/clone-response-1.0.3.tgz", + "integrity": "sha512-ROoL94jJH2dUVML2Y/5PEDNaSHgeOdSDicUyS7izcF63G6sTc/FTjLub4b8Il9S8S0beOfYt0TaA5qvFK+w0wA==", + "license": "MIT", + "dependencies": { + "mimic-response": "^1.0.0" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/cmd-shim": { + "version": "6.0.3", + "resolved": "https://registry.npmjs.org/cmd-shim/-/cmd-shim-6.0.3.tgz", + "integrity": "sha512-FMabTRlc5t5zjdenF6mS0MBeFZm0XqHqeOkcskKFb/LYCcRQ5fVgLOHVc4Lq9CqABd9zhjwPjMBCJvMCziSVtA==", + "license": "ISC", + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/color-convert": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz", + "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==", + "license": "MIT", + "dependencies": { + "color-name": "~1.1.4" + }, + "engines": { + "node": ">=7.0.0" + } + }, + "node_modules/color-name": { + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz", + "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==", + "license": "MIT" + }, + "node_modules/common-ancestor-path": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/common-ancestor-path/-/common-ancestor-path-1.0.1.tgz", + "integrity": "sha512-L3sHRo1pXXEqX8VU28kfgUY+YGsk09hPqZiZmLacNib6XNTCM8ubYeT7ryXQw8asB1sKgcU5lkB7ONug08aB8w==", + "license": "ISC" + }, + "node_modules/cross-spawn": { + "version": "7.0.6", + "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz", + "integrity": 
"sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==", + "license": "MIT", + "dependencies": { + "path-key": "^3.1.0", + "shebang-command": "^2.0.0", + "which": "^2.0.1" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/cross-spawn/node_modules/isexe": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", + "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==", + "license": "ISC" + }, + "node_modules/cross-spawn/node_modules/which": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz", + "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==", + "license": "ISC", + "dependencies": { + "isexe": "^2.0.0" + }, + "bin": { + "node-which": "bin/node-which" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/cssesc": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/cssesc/-/cssesc-3.0.0.tgz", + "integrity": "sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==", + "license": "MIT", + "bin": { + "cssesc": "bin/cssesc" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/debug": { + "version": "4.4.3", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz", + "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==", + "license": "MIT", + "dependencies": { + "ms": "^2.1.3" + }, + "engines": { + "node": ">=6.0" + }, + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } + } + }, + "node_modules/decompress-response": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/decompress-response/-/decompress-response-6.0.0.tgz", + "integrity": "sha512-aW35yZM6Bb/4oJlZncMH2LCoZtJXTRxES17vE3hoRiowU2kWHaJKFkSBDnDR+cm9J+9QhXmREyIfv0pji9ejCQ==", + "license": "MIT", + 
"dependencies": { + "mimic-response": "^3.1.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/decompress-response/node_modules/mimic-response": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/mimic-response/-/mimic-response-3.1.0.tgz", + "integrity": "sha512-z0yWI+4FDrrweS8Zmt4Ej5HdJmky15+L2e6Wgn3+iK5fWzb6T3fhNFq2+MeTRb064c6Wr4N/wv0DzQTjNzHNGQ==", + "license": "MIT", + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/defer-to-connect": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/defer-to-connect/-/defer-to-connect-2.0.1.tgz", + "integrity": "sha512-4tvttepXG1VaYGrRibk5EwJd1t4udunSOVMdLSAL6mId1ix438oPwPZMALY41FCijukO1L0twNcGsdzS7dHgDg==", + "license": "MIT", + "engines": { + "node": ">=10" + } + }, + "node_modules/eastasianwidth": { + "version": "0.2.0", + "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz", + "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==", + "license": "MIT" + }, + "node_modules/emoji-regex": { + "version": "9.2.2", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz", + "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==", + "license": "MIT" + }, + "node_modules/encoding": { + "version": "0.1.13", + "resolved": "https://registry.npmjs.org/encoding/-/encoding-0.1.13.tgz", + "integrity": "sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A==", + "license": "MIT", + "optional": true, + "dependencies": { + "iconv-lite": "^0.6.2" + } + }, + "node_modules/end-of-stream": { + "version": "1.4.5", + "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.5.tgz", + "integrity": 
"sha512-ooEGc6HP26xXq/N+GCGOT0JKCLDGrq2bQUZrQ7gyrJiZANJ/8YDTxTpQBXGMn+WbIQXNVpyWymm7KYVICQnyOg==", + "license": "MIT", + "dependencies": { + "once": "^1.4.0" + } + }, + "node_modules/env-paths": { + "version": "2.2.1", + "resolved": "https://registry.npmjs.org/env-paths/-/env-paths-2.2.1.tgz", + "integrity": "sha512-+h1lkLKhZMTYjog1VEpJNG7NZJWcuc2DDk/qsqSTRRCOXiLjeQ1d1/udrUGhqMxUgAlwKNZ0cf2uqan5GLuS2A==", + "license": "MIT", + "engines": { + "node": ">=6" + } + }, + "node_modules/err-code": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/err-code/-/err-code-2.0.3.tgz", + "integrity": "sha512-2bmlRpNKBxT/CRmPOlyISQpNj+qSeYvcym/uT0Jx2bMOlKLtSy1ZmLuVxSEKKyor/N5yhvp/ZiG1oE3DEYMSFA==", + "license": "MIT" + }, + "node_modules/escalade": { + "version": "3.2.0", + "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz", + "integrity": "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA==", + "license": "MIT", + "engines": { + "node": ">=6" + } + }, + "node_modules/esprima": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz", + "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==", + "license": "BSD-2-Clause", + "bin": { + "esparse": "bin/esparse.js", + "esvalidate": "bin/esvalidate.js" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/execa": { + "version": "5.1.1", + "resolved": "https://registry.npmjs.org/execa/-/execa-5.1.1.tgz", + "integrity": "sha512-8uSpZZocAZRBAPIEINJj3Lo9HyGitllczc27Eh5YYojjMFMn8yHMDMaUHE2Jqfq05D/wucwI4JGURyXt1vchyg==", + "license": "MIT", + "dependencies": { + "cross-spawn": "^7.0.3", + "get-stream": "^6.0.0", + "human-signals": "^2.1.0", + "is-stream": "^2.0.0", + "merge-stream": "^2.0.0", + "npm-run-path": "^4.0.1", + "onetime": "^5.1.2", + "signal-exit": "^3.0.3", + "strip-final-newline": "^2.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + 
"url": "https://github.com/sindresorhus/execa?sponsor=1" + } + }, + "node_modules/exponential-backoff": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/exponential-backoff/-/exponential-backoff-3.1.3.tgz", + "integrity": "sha512-ZgEeZXj30q+I0EN+CbSSpIyPaJ5HVQD18Z1m+u1FXbAeT94mr1zw50q4q6jiiC447Nl/YTcIYSAftiGqetwXCA==", + "license": "Apache-2.0" + }, + "node_modules/fdir": { + "version": "6.5.0", + "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz", + "integrity": "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==", + "license": "MIT", + "engines": { + "node": ">=12.0.0" + }, + "peerDependencies": { + "picomatch": "^3 || ^4" + }, + "peerDependenciesMeta": { + "picomatch": { + "optional": true + } + } + }, + "node_modules/find-up": { + "version": "6.3.0", + "resolved": "https://registry.npmjs.org/find-up/-/find-up-6.3.0.tgz", + "integrity": "sha512-v2ZsoEuVHYy8ZIlYqwPe/39Cy+cFDzp4dXPaxNvkEuouymu+2Jbz0PxpKarJHYJTmv2HWT3O382qY8l4jMWthw==", + "license": "MIT", + "dependencies": { + "locate-path": "^7.1.0", + "path-exists": "^5.0.0" + }, + "engines": { + "node": "^12.20.0 || ^14.13.1 || >=16.0.0" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/foreground-child": { + "version": "3.3.1", + "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.3.1.tgz", + "integrity": "sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw==", + "license": "ISC", + "dependencies": { + "cross-spawn": "^7.0.6", + "signal-exit": "^4.0.1" + }, + "engines": { + "node": ">=14" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/foreground-child/node_modules/signal-exit": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", + "integrity": 
"sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", + "license": "ISC", + "engines": { + "node": ">=14" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/fs-minipass": { + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/fs-minipass/-/fs-minipass-3.0.3.tgz", + "integrity": "sha512-XUBA9XClHbnJWSfBzjkm6RvPsyg3sryZt06BEQoXcF7EK/xpGaQYJgQKDJSUH5SGZ76Y7pFx1QBnXz09rU5Fbw==", + "license": "ISC", + "dependencies": { + "minipass": "^7.0.3" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/function-bind": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", + "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/get-caller-file": { + "version": "2.0.5", + "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz", + "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==", + "license": "ISC", + "engines": { + "node": "6.* || 8.* || >= 10.*" + } + }, + "node_modules/get-stream": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-6.0.1.tgz", + "integrity": "sha512-ts6Wi+2j3jQjqi70w5AlN8DFnkSwC+MqmxEzdEALB2qXZYV3X/b1CTfgPLGJNMeAWxdPfU8FO1ms3NUfaHCPYg==", + "license": "MIT", + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/glob": { + "version": "10.5.0", + "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz", + "integrity": "sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==", + "license": "ISC", + "dependencies": { + "foreground-child": "^3.1.0", + "jackspeak": "^3.1.2", + 
"minimatch": "^9.0.4", + "minipass": "^7.1.2", + "package-json-from-dist": "^1.0.0", + "path-scurry": "^1.11.1" + }, + "bin": { + "glob": "dist/esm/bin.mjs" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/google-protobuf": { + "version": "3.21.4", + "resolved": "https://registry.npmjs.org/google-protobuf/-/google-protobuf-3.21.4.tgz", + "integrity": "sha512-MnG7N936zcKTco4Jd2PX2U96Kf9PxygAPKBug+74LHzmHXmceN16MmRcdgZv+DGef/S9YvQAfRsNCn4cjf9yyQ==", + "license": "(BSD-3-Clause AND Apache-2.0)" + }, + "node_modules/got": { + "version": "11.8.6", + "resolved": "https://registry.npmjs.org/got/-/got-11.8.6.tgz", + "integrity": "sha512-6tfZ91bOr7bOXnK7PRDCGBLa1H4U080YHNaAQ2KsMGlLEzRbk44nsZF2E1IeRc3vtJHPVbKCYgdFbaGO2ljd8g==", + "license": "MIT", + "dependencies": { + "@sindresorhus/is": "^4.0.0", + "@szmarczak/http-timer": "^4.0.5", + "@types/cacheable-request": "^6.0.1", + "@types/responselike": "^1.0.0", + "cacheable-lookup": "^5.0.3", + "cacheable-request": "^7.0.2", + "decompress-response": "^6.0.0", + "http2-wrapper": "^1.0.0-beta.5.2", + "lowercase-keys": "^2.0.0", + "p-cancelable": "^2.0.0", + "responselike": "^2.0.0" + }, + "engines": { + "node": ">=10.19.0" + }, + "funding": { + "url": "https://github.com/sindresorhus/got?sponsor=1" + } + }, + "node_modules/graceful-fs": { + "version": "4.2.11", + "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz", + "integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==", + "license": "ISC" + }, + "node_modules/hasown": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", + "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "license": "MIT", + "dependencies": { + "function-bind": "^1.1.2" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/hosted-git-info": { + "version": "7.0.2", + "resolved": 
"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-7.0.2.tgz", + "integrity": "sha512-puUZAUKT5m8Zzvs72XWy3HtvVbTWljRE66cP60bxJzAqf2DgICo7lYTY2IHUmLnNpjYvw5bvmoHvPc0QO2a62w==", + "license": "ISC", + "dependencies": { + "lru-cache": "^10.0.1" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/http-cache-semantics": { + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.2.0.tgz", + "integrity": "sha512-dTxcvPXqPvXBQpq5dUr6mEMJX4oIEFv6bwom3FDwKRDsuIjjJGANqhBuoAn9c1RQJIdAKav33ED65E2ys+87QQ==", + "license": "BSD-2-Clause" + }, + "node_modules/http-proxy-agent": { + "version": "7.0.2", + "resolved": "https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-7.0.2.tgz", + "integrity": "sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig==", + "license": "MIT", + "dependencies": { + "agent-base": "^7.1.0", + "debug": "^4.3.4" + }, + "engines": { + "node": ">= 14" + } + }, + "node_modules/http2-wrapper": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/http2-wrapper/-/http2-wrapper-1.0.3.tgz", + "integrity": "sha512-V+23sDMr12Wnz7iTcDeJr3O6AIxlnvT/bmaAAAP/Xda35C90p9599p0F1eHR/N1KILWSoWVAiOMFjBBXaXSMxg==", + "license": "MIT", + "dependencies": { + "quick-lru": "^5.1.1", + "resolve-alpn": "^1.0.0" + }, + "engines": { + "node": ">=10.19.0" + } + }, + "node_modules/https-proxy-agent": { + "version": "7.0.6", + "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-7.0.6.tgz", + "integrity": "sha512-vK9P5/iUfdl95AI+JVyUuIcVtd4ofvtrOr3HNtM2yxC9bnMbEdp3x01OhQNnjb8IJYi38VlTE3mBXwcfvywuSw==", + "license": "MIT", + "dependencies": { + "agent-base": "^7.1.2", + "debug": "4" + }, + "engines": { + "node": ">= 14" + } + }, + "node_modules/human-signals": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/human-signals/-/human-signals-2.1.0.tgz", + "integrity": 
"sha512-B4FFZ6q/T2jhhksgkbEW3HBvWIfDW85snkQgawt07S7J5QXTk6BkNV+0yAeZrM5QpMAdYlocGoljn0sJ/WQkFw==", + "license": "Apache-2.0", + "engines": { + "node": ">=10.17.0" + } + }, + "node_modules/iconv-lite": { + "version": "0.6.3", + "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz", + "integrity": "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==", + "license": "MIT", + "optional": true, + "dependencies": { + "safer-buffer": ">= 2.1.2 < 3.0.0" + }, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/ignore-walk": { + "version": "6.0.5", + "resolved": "https://registry.npmjs.org/ignore-walk/-/ignore-walk-6.0.5.tgz", + "integrity": "sha512-VuuG0wCnjhnylG1ABXT3dAuIpTNDs/G8jlpmwXY03fXoXy/8ZK8/T+hMzt8L4WnrLCJgdybqgPagnF/f97cg3A==", + "license": "ISC", + "dependencies": { + "minimatch": "^9.0.0" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/import-in-the-middle": { + "version": "1.15.0", + "resolved": "https://registry.npmjs.org/import-in-the-middle/-/import-in-the-middle-1.15.0.tgz", + "integrity": "sha512-bpQy+CrsRmYmoPMAE/0G33iwRqwW4ouqdRg8jgbH3aKuCtOc8lxgmYXg2dMM92CRiGP660EtBcymH/eVUpCSaA==", + "license": "Apache-2.0", + "dependencies": { + "acorn": "^8.14.0", + "acorn-import-attributes": "^1.9.5", + "cjs-module-lexer": "^1.2.2", + "module-details-from-path": "^1.0.3" + } + }, + "node_modules/imurmurhash": { + "version": "0.1.4", + "resolved": "https://registry.npmjs.org/imurmurhash/-/imurmurhash-0.1.4.tgz", + "integrity": "sha512-JmXMZ6wuvDmLiHEml9ykzqO6lwFbof0GG4IkcGaENdCRDDmMVnny7s5HsIgHCbaq0w2MyPhDqkhTUgS2LU2PHA==", + "license": "MIT", + "engines": { + "node": ">=0.8.19" + } + }, + "node_modules/indent-string": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/indent-string/-/indent-string-4.0.0.tgz", + "integrity": "sha512-EdDDZu4A2OyIK7Lr/2zG+w5jmbuk1DVBnEwREQvBzspBJkCEbRa8GxU1lghYcaGJCnRWibjDXlq779X1/y5xwg==", + "license": 
"MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/ini": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/ini/-/ini-2.0.0.tgz", + "integrity": "sha512-7PnF4oN3CvZF23ADhA5wRaYEQpJ8qygSkbtTXWBeXWXmEVRXK+1ITciHWwHhsjv1TmW0MgacIv6hEi5pX5NQdA==", + "license": "ISC", + "engines": { + "node": ">=10" + } + }, + "node_modules/ip-address": { + "version": "10.1.0", + "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.1.0.tgz", + "integrity": "sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==", + "license": "MIT", + "engines": { + "node": ">= 12" + } + }, + "node_modules/is-core-module": { + "version": "2.16.1", + "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.16.1.tgz", + "integrity": "sha512-UfoeMA6fIJ8wTYFEUjelnaGI67v6+N7qXJEvQuIGa99l4xsCruSYOVSQ0uPANn4dAzm8lkYPaKLrrijLq7x23w==", + "license": "MIT", + "dependencies": { + "hasown": "^2.0.2" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/is-fullwidth-code-point": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", + "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/is-lambda": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/is-lambda/-/is-lambda-1.0.1.tgz", + "integrity": "sha512-z7CMFGNrENq5iFB9Bqo64Xk6Y9sg+epq1myIcdHaGnbMTYOxvzsEtdYqQUylB7LxfkvgrrjP32T6Ywciio9UIQ==", + "license": "MIT" + }, + "node_modules/is-stream": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-2.0.1.tgz", + "integrity": "sha512-hFoiJiTl63nn+kstHGBtewWSKnQLpyb155KHheA1l39uvtO9nWIop1p3udqPcUd/xbF1VLMO4n7OI6p7RbngDg==", + "license": "MIT", + "engines": { + "node": ">=8" + }, + "funding": { + 
"url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/isexe": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/isexe/-/isexe-3.1.1.tgz", + "integrity": "sha512-LpB/54B+/2J5hqQ7imZHfdU31OlgQqx7ZicVlkm9kzg9/w8GKLEcFfJl/t7DCEDueOyBAD6zCCwTO6Fzs0NoEQ==", + "license": "ISC", + "engines": { + "node": ">=16" + } + }, + "node_modules/jackspeak": { + "version": "3.4.3", + "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz", + "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==", + "license": "BlueOak-1.0.0", + "dependencies": { + "@isaacs/cliui": "^8.0.2" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + }, + "optionalDependencies": { + "@pkgjs/parseargs": "^0.11.0" + } + }, + "node_modules/js-yaml": { + "version": "3.14.2", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz", + "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==", + "license": "MIT", + "dependencies": { + "argparse": "^1.0.7", + "esprima": "^4.0.0" + }, + "bin": { + "js-yaml": "bin/js-yaml.js" + } + }, + "node_modules/json-buffer": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/json-buffer/-/json-buffer-3.0.1.tgz", + "integrity": "sha512-4bV5BfR2mqfQTJm+V5tPPdf+ZpuhiIvTuAB5g8kcrXOZpTT/QwwVRWBywX1ozr6lEuPdbHxwaJlm9G6mI2sfSQ==", + "license": "MIT" + }, + "node_modules/json-parse-even-better-errors": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/json-parse-even-better-errors/-/json-parse-even-better-errors-3.0.2.tgz", + "integrity": "sha512-fi0NG4bPjCHunUJffmLd0gxssIgkNmArMvis4iNah6Owg1MCJjWhEcDLmsK6iGkJq3tHwbDkTlce70/tmXN4cQ==", + "license": "MIT", + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/json-stringify-nice": { + "version": "1.1.4", + "resolved": 
"https://registry.npmjs.org/json-stringify-nice/-/json-stringify-nice-1.1.4.tgz", + "integrity": "sha512-5Z5RFW63yxReJ7vANgW6eZFGWaQvnPE3WNmZoOJrSkGju2etKA2L5rrOa1sm877TVTFt57A80BH1bArcmlLfPw==", + "license": "ISC", + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/jsonparse": { + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/jsonparse/-/jsonparse-1.3.1.tgz", + "integrity": "sha512-POQXvpdL69+CluYsillJ7SUhKvytYjW9vG/GKpnf+xP8UWgYEM/RaMzHHofbALDiKbbP1W8UEYmgGl39WkPZsg==", + "engines": [ + "node >= 0.2.0" + ], + "license": "MIT" + }, + "node_modules/just-diff": { + "version": "6.0.2", + "resolved": "https://registry.npmjs.org/just-diff/-/just-diff-6.0.2.tgz", + "integrity": "sha512-S59eriX5u3/QhMNq3v/gm8Kd0w8OS6Tz2FS1NG4blv+z0MuQcBRJyFWjdovM0Rad4/P4aUPFtnkNjMjyMlMSYA==", + "license": "MIT" + }, + "node_modules/just-diff-apply": { + "version": "5.5.0", + "resolved": "https://registry.npmjs.org/just-diff-apply/-/just-diff-apply-5.5.0.tgz", + "integrity": "sha512-OYTthRfSh55WOItVqwpefPtNt2VdKsq5AnAK6apdtR6yCH8pr0CmSr710J0Mf+WdQy7K/OzMy7K2MgAfdQURDw==", + "license": "MIT" + }, + "node_modules/keyv": { + "version": "4.5.4", + "resolved": "https://registry.npmjs.org/keyv/-/keyv-4.5.4.tgz", + "integrity": "sha512-oxVHkHR/EJf2CNXnWxRLW6mg7JyCCUcG0DtEGmL2ctUo1PNTin1PUil+r/+4r5MpVgC/fn1kjsx7mjSujKqIpw==", + "license": "MIT", + "dependencies": { + "json-buffer": "3.0.1" + } + }, + "node_modules/locate-path": { + "version": "7.2.0", + "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-7.2.0.tgz", + "integrity": "sha512-gvVijfZvn7R+2qyPX8mAuKcFGDf6Nc61GdvGafQsHL0sBIxfKzA+usWn4GFC/bk+QdwPUD4kWFJLhElipq+0VA==", + "license": "MIT", + "dependencies": { + "p-locate": "^6.0.0" + }, + "engines": { + "node": "^12.20.0 || ^14.13.1 || >=16.0.0" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/lodash.camelcase": { + "version": "4.3.0", + "resolved": 
"https://registry.npmjs.org/lodash.camelcase/-/lodash.camelcase-4.3.0.tgz", + "integrity": "sha512-TwuEnCnxbc3rAvhf/LbG7tJUDzhqXyFnv3dtzLOPgCG/hODL7WFnsbwktkD7yUV0RrreP/l1PALq/YSg6VvjlA==", + "license": "MIT" + }, + "node_modules/long": { + "version": "5.3.2", + "resolved": "https://registry.npmjs.org/long/-/long-5.3.2.tgz", + "integrity": "sha512-mNAgZ1GmyNhD7AuqnTG3/VQ26o760+ZYBPKjPvugO8+nLbYfX6TVpJPseBvopbdY+qpZ/lKUnmEc1LeZYS3QAA==", + "license": "Apache-2.0" + }, + "node_modules/lowercase-keys": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/lowercase-keys/-/lowercase-keys-2.0.0.tgz", + "integrity": "sha512-tqNXrS78oMOE73NMxK4EMLQsQowWf8jKooH9g7xPavRT706R6bkQJ6DY2Te7QukaZsulxa30wQ7bk0pm4XiHmA==", + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/lru-cache": { + "version": "10.4.3", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz", + "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==", + "license": "ISC" + }, + "node_modules/make-fetch-happen": { + "version": "13.0.1", + "resolved": "https://registry.npmjs.org/make-fetch-happen/-/make-fetch-happen-13.0.1.tgz", + "integrity": "sha512-cKTUFc/rbKUd/9meOvgrpJ2WrNzymt6jfRDdwg5UCnVzv9dTpEj9JS5m3wtziXVCjluIXyL8pcaukYqezIzZQA==", + "license": "ISC", + "dependencies": { + "@npmcli/agent": "^2.0.0", + "cacache": "^18.0.0", + "http-cache-semantics": "^4.1.1", + "is-lambda": "^1.0.1", + "minipass": "^7.0.2", + "minipass-fetch": "^3.0.0", + "minipass-flush": "^1.0.5", + "minipass-pipeline": "^1.2.4", + "negotiator": "^0.6.3", + "proc-log": "^4.2.0", + "promise-retry": "^2.0.1", + "ssri": "^10.0.0" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/merge-stream": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/merge-stream/-/merge-stream-2.0.0.tgz", + "integrity": 
"sha512-abv/qOcuPfk3URPfDzmZU1LKmuw8kT+0nIHvKrKgFrwifol/doWcdA4ZqsWQ8ENrFKkd67Mfpo/LovbIUsbt3w==", + "license": "MIT" + }, + "node_modules/mimic-fn": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/mimic-fn/-/mimic-fn-2.1.0.tgz", + "integrity": "sha512-OqbOk5oEQeAZ8WXWydlu9HJjz9WVdEIvamMCcXmuqUYjTknH/sqsWvhQ3vgwKFRR1HpjvNBKQ37nbJgYzGqGcg==", + "license": "MIT", + "engines": { + "node": ">=6" + } + }, + "node_modules/mimic-response": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/mimic-response/-/mimic-response-1.0.1.tgz", + "integrity": "sha512-j5EctnkH7amfV/q5Hgmoal1g2QHFJRraOtmx0JpIqkxhBhI/lJSl1nMpQ45hVarwNETOoWEimndZ4QK0RHxuxQ==", + "license": "MIT", + "engines": { + "node": ">=4" + } + }, + "node_modules/minimatch": { + "version": "9.0.5", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz", + "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==", + "license": "ISC", + "dependencies": { + "brace-expansion": "^2.0.1" + }, + "engines": { + "node": ">=16 || 14 >=14.17" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/minimist": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/minipass": { + "version": "7.1.2", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", + "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", + "license": "ISC", + "engines": { + "node": ">=16 || 14 >=14.17" + } + }, + "node_modules/minipass-collect": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/minipass-collect/-/minipass-collect-2.0.1.tgz", + "integrity": 
"sha512-D7V8PO9oaz7PWGLbCACuI1qEOsq7UKfLotx/C0Aet43fCUB/wfQ7DYeq2oR/svFJGYDHPr38SHATeaj/ZoKHKw==", + "license": "ISC", + "dependencies": { + "minipass": "^7.0.3" + }, + "engines": { + "node": ">=16 || 14 >=14.17" + } + }, + "node_modules/minipass-fetch": { + "version": "3.0.5", + "resolved": "https://registry.npmjs.org/minipass-fetch/-/minipass-fetch-3.0.5.tgz", + "integrity": "sha512-2N8elDQAtSnFV0Dk7gt15KHsS0Fyz6CbYZ360h0WTYV1Ty46li3rAXVOQj1THMNLdmrD9Vt5pBPtWtVkpwGBqg==", + "license": "MIT", + "dependencies": { + "minipass": "^7.0.3", + "minipass-sized": "^1.0.3", + "minizlib": "^2.1.2" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + }, + "optionalDependencies": { + "encoding": "^0.1.13" + } + }, + "node_modules/minipass-flush": { + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/minipass-flush/-/minipass-flush-1.0.5.tgz", + "integrity": "sha512-JmQSYYpPUqX5Jyn1mXaRwOda1uQ8HP5KAT/oDSLCzt1BYRhQU0/hDtsB1ufZfEEzMZ9aAVmsBw8+FWsIXlClWw==", + "license": "ISC", + "dependencies": { + "minipass": "^3.0.0" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/minipass-flush/node_modules/minipass": { + "version": "3.3.6", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz", + "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==", + "license": "ISC", + "dependencies": { + "yallist": "^4.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/minipass-pipeline": { + "version": "1.2.4", + "resolved": "https://registry.npmjs.org/minipass-pipeline/-/minipass-pipeline-1.2.4.tgz", + "integrity": "sha512-xuIq7cIOt09RPRJ19gdi4b+RiNvDFYe5JH+ggNvBqGqpQXcru3PcRmOZuHBKWK1Txf9+cQ+HMVN4d6z46LZP7A==", + "license": "ISC", + "dependencies": { + "minipass": "^3.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/minipass-pipeline/node_modules/minipass": { + "version": "3.3.6", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz", + 
"integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==", + "license": "ISC", + "dependencies": { + "yallist": "^4.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/minipass-sized": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/minipass-sized/-/minipass-sized-1.0.3.tgz", + "integrity": "sha512-MbkQQ2CTiBMlA2Dm/5cY+9SWFEN8pzzOXi6rlM5Xxq0Yqbda5ZQy9sU75a673FE9ZK0Zsbr6Y5iP6u9nktfg2g==", + "license": "ISC", + "dependencies": { + "minipass": "^3.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/minipass-sized/node_modules/minipass": { + "version": "3.3.6", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz", + "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==", + "license": "ISC", + "dependencies": { + "yallist": "^4.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/minizlib": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-2.1.2.tgz", + "integrity": "sha512-bAxsR8BVfj60DWXHE3u30oHzfl4G7khkSuPW+qvpd7jFRHm7dLxOjUk1EHACJ/hxLY8phGJ0YhYHZo7jil7Qdg==", + "license": "MIT", + "dependencies": { + "minipass": "^3.0.0", + "yallist": "^4.0.0" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/minizlib/node_modules/minipass": { + "version": "3.3.6", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz", + "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==", + "license": "ISC", + "dependencies": { + "yallist": "^4.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/mkdirp": { + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-1.0.4.tgz", + "integrity": "sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==", + "license": "MIT", + "bin": { + "mkdirp": "bin/cmd.js" + }, + 
"engines": { + "node": ">=10" + } + }, + "node_modules/module-details-from-path": { + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/module-details-from-path/-/module-details-from-path-1.0.4.tgz", + "integrity": "sha512-EGWKgxALGMgzvxYF1UyGTy0HXX/2vHLkw6+NvDKW2jypWbHpjQuj4UMcqQWXHERJhVGKikolT06G3bcKe4fi7w==", + "license": "MIT" + }, + "node_modules/ms": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", + "license": "MIT" + }, + "node_modules/negotiator": { + "version": "0.6.4", + "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.4.tgz", + "integrity": "sha512-myRT3DiWPHqho5PrJaIRyaMv2kgYf0mUVgBNOYMuCH5Ki1yEiQaf/ZJuQ62nvpc44wL5WDbTX7yGJi1Neevw8w==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/node-gyp": { + "version": "10.3.1", + "resolved": "https://registry.npmjs.org/node-gyp/-/node-gyp-10.3.1.tgz", + "integrity": "sha512-Pp3nFHBThHzVtNY7U6JfPjvT/DTE8+o/4xKsLQtBoU+j2HLsGlhcfzflAoUreaJbNmYnX+LlLi0qjV8kpyO6xQ==", + "license": "MIT", + "dependencies": { + "env-paths": "^2.2.0", + "exponential-backoff": "^3.1.1", + "glob": "^10.3.10", + "graceful-fs": "^4.2.6", + "make-fetch-happen": "^13.0.0", + "nopt": "^7.0.0", + "proc-log": "^4.1.0", + "semver": "^7.3.5", + "tar": "^6.2.1", + "which": "^4.0.0" + }, + "bin": { + "node-gyp": "bin/node-gyp.js" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/nopt": { + "version": "7.2.1", + "resolved": "https://registry.npmjs.org/nopt/-/nopt-7.2.1.tgz", + "integrity": "sha512-taM24ViiimT/XntxbPyJQzCG+p4EKOpgD3mxFwW38mGjVUrfERQOeY4EDHjdnptttfHuHQXFx+lTP08Q+mLa/w==", + "license": "ISC", + "dependencies": { + "abbrev": "^2.0.0" + }, + "bin": { + "nopt": "bin/nopt.js" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/normalize-package-data": { + "version": 
"6.0.2", + "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-6.0.2.tgz", + "integrity": "sha512-V6gygoYb/5EmNI+MEGrWkC+e6+Rr7mTmfHrxDbLzxQogBkgzo76rkok0Am6thgSF7Mv2nLOajAJj5vDJZEFn7g==", + "license": "BSD-2-Clause", + "dependencies": { + "hosted-git-info": "^7.0.0", + "semver": "^7.3.5", + "validate-npm-package-license": "^3.0.4" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/normalize-url": { + "version": "6.1.0", + "resolved": "https://registry.npmjs.org/normalize-url/-/normalize-url-6.1.0.tgz", + "integrity": "sha512-DlL+XwOy3NxAQ8xuC0okPgK46iuVNAK01YN7RueYBqqFeGsBjV9XmCAzAdgt+667bCl5kPh9EqKKDwnaPG1I7A==", + "license": "MIT", + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/npm-bundled": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/npm-bundled/-/npm-bundled-3.0.1.tgz", + "integrity": "sha512-+AvaheE/ww1JEwRHOrn4WHNzOxGtVp+adrg2AeZS/7KuxGUYFuBta98wYpfHBbJp6Tg6j1NKSEVHNcfZzJHQwQ==", + "license": "ISC", + "dependencies": { + "npm-normalize-package-bin": "^3.0.0" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/npm-install-checks": { + "version": "6.3.0", + "resolved": "https://registry.npmjs.org/npm-install-checks/-/npm-install-checks-6.3.0.tgz", + "integrity": "sha512-W29RiK/xtpCGqn6f3ixfRYGk+zRyr+Ew9F2E20BfXxT5/euLdA/Nm7fO7OeTGuAmTs30cpgInyJ0cYe708YTZw==", + "license": "BSD-2-Clause", + "dependencies": { + "semver": "^7.1.1" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/npm-normalize-package-bin": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/npm-normalize-package-bin/-/npm-normalize-package-bin-3.0.1.tgz", + "integrity": "sha512-dMxCf+zZ+3zeQZXKxmyuCKlIDPGuv8EF940xbkC4kQVDTtqoh6rJFO+JTKSA6/Rwi0getWmtuy4Itup0AMcaDQ==", + "license": "ISC", + "engines": { + "node": "^14.17.0 || ^16.13.0 || 
>=18.0.0" + } + }, + "node_modules/npm-package-arg": { + "version": "11.0.3", + "resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-11.0.3.tgz", + "integrity": "sha512-sHGJy8sOC1YraBywpzQlIKBE4pBbGbiF95U6Auspzyem956E0+FtDtsx1ZxlOJkQCZ1AFXAY/yuvtFYrOxF+Bw==", + "license": "ISC", + "dependencies": { + "hosted-git-info": "^7.0.0", + "proc-log": "^4.0.0", + "semver": "^7.3.5", + "validate-npm-package-name": "^5.0.0" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/npm-packlist": { + "version": "8.0.2", + "resolved": "https://registry.npmjs.org/npm-packlist/-/npm-packlist-8.0.2.tgz", + "integrity": "sha512-shYrPFIS/JLP4oQmAwDyk5HcyysKW8/JLTEA32S0Z5TzvpaeeX2yMFfoK1fjEBnCBvVyIB/Jj/GBFdm0wsgzbA==", + "license": "ISC", + "dependencies": { + "ignore-walk": "^6.0.4" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/npm-pick-manifest": { + "version": "9.1.0", + "resolved": "https://registry.npmjs.org/npm-pick-manifest/-/npm-pick-manifest-9.1.0.tgz", + "integrity": "sha512-nkc+3pIIhqHVQr085X9d2JzPzLyjzQS96zbruppqC9aZRm/x8xx6xhI98gHtsfELP2bE+loHq8ZaHFHhe+NauA==", + "license": "ISC", + "dependencies": { + "npm-install-checks": "^6.0.0", + "npm-normalize-package-bin": "^3.0.0", + "npm-package-arg": "^11.0.0", + "semver": "^7.3.5" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/npm-registry-fetch": { + "version": "17.1.0", + "resolved": "https://registry.npmjs.org/npm-registry-fetch/-/npm-registry-fetch-17.1.0.tgz", + "integrity": "sha512-5+bKQRH0J1xG1uZ1zMNvxW0VEyoNWgJpY9UDuluPFLKDfJ9u2JmmjmTJV1srBGQOROfdBMiVvnH2Zvpbm+xkVA==", + "license": "ISC", + "dependencies": { + "@npmcli/redact": "^2.0.0", + "jsonparse": "^1.3.1", + "make-fetch-happen": "^13.0.0", + "minipass": "^7.0.2", + "minipass-fetch": "^3.0.0", + "minizlib": "^2.1.2", + "npm-package-arg": "^11.0.0", + "proc-log": "^4.0.0" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + 
"node_modules/npm-run-path": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/npm-run-path/-/npm-run-path-4.0.1.tgz", + "integrity": "sha512-S48WzZW777zhNIrn7gxOlISNAqi9ZC/uQFnRdbeIHhZhCA6UqpkOT8T1G7BvfdgP4Er8gF4sUbaS0i7QvIfCWw==", + "license": "MIT", + "dependencies": { + "path-key": "^3.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "license": "ISC", + "dependencies": { + "wrappy": "1" + } + }, + "node_modules/onetime": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/onetime/-/onetime-5.1.2.tgz", + "integrity": "sha512-kbpaSSGJTWdAY5KPVeMOKXSrPtr8C8C7wodJbcsd51jRnmD+GZu8Y0VoU6Dm5Z4vWr0Ig/1NKuWRKf7j5aaYSg==", + "license": "MIT", + "dependencies": { + "mimic-fn": "^2.1.0" + }, + "engines": { + "node": ">=6" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/p-cancelable": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/p-cancelable/-/p-cancelable-2.1.1.tgz", + "integrity": "sha512-BZOr3nRQHOntUjTrH8+Lh54smKHoHyur8We1V8DSMVrl5A2malOOwuJRnKRDjSnkoeBh4at6BwEnb5I7Jl31wg==", + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/p-limit": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-4.0.0.tgz", + "integrity": "sha512-5b0R4txpzjPWVw/cXXUResoD4hb6U/x9BH08L7nw+GN1sezDzPdxeRvpc9c433fZhBan/wusjbCsqwqm4EIBIQ==", + "license": "MIT", + "dependencies": { + "yocto-queue": "^1.0.0" + }, + "engines": { + "node": "^12.20.0 || ^14.13.1 || >=16.0.0" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/p-locate": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-6.0.0.tgz", + "integrity": 
"sha512-wPrq66Llhl7/4AGC6I+cqxT07LhXvWL08LNXz1fENOw0Ap4sRZZ/gZpTTJ5jpurzzzfS2W/Ge9BY3LgLjCShcw==", + "license": "MIT", + "dependencies": { + "p-limit": "^4.0.0" + }, + "engines": { + "node": "^12.20.0 || ^14.13.1 || >=16.0.0" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/p-map": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/p-map/-/p-map-4.0.0.tgz", + "integrity": "sha512-/bjOqmgETBYB5BoEeGVea8dmvHb2m9GLy1E9W43yeyfP6QQCZGFNa+XRceJEuDB6zqr+gKpIAmlLebMpykw/MQ==", + "license": "MIT", + "dependencies": { + "aggregate-error": "^3.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/package-json-from-dist": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz", + "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==", + "license": "BlueOak-1.0.0" + }, + "node_modules/pacote": { + "version": "18.0.6", + "resolved": "https://registry.npmjs.org/pacote/-/pacote-18.0.6.tgz", + "integrity": "sha512-+eK3G27SMwsB8kLIuj4h1FUhHtwiEUo21Tw8wNjmvdlpOEr613edv+8FUsTj/4F/VN5ywGE19X18N7CC2EJk6A==", + "license": "ISC", + "dependencies": { + "@npmcli/git": "^5.0.0", + "@npmcli/installed-package-contents": "^2.0.1", + "@npmcli/package-json": "^5.1.0", + "@npmcli/promise-spawn": "^7.0.0", + "@npmcli/run-script": "^8.0.0", + "cacache": "^18.0.0", + "fs-minipass": "^3.0.0", + "minipass": "^7.0.2", + "npm-package-arg": "^11.0.0", + "npm-packlist": "^8.0.0", + "npm-pick-manifest": "^9.0.0", + "npm-registry-fetch": "^17.0.0", + "proc-log": "^4.0.0", + "promise-retry": "^2.0.1", + "sigstore": "^2.2.0", + "ssri": "^10.0.0", + "tar": "^6.1.11" + }, + "bin": { + "pacote": "bin/index.js" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/parse-conflict-json": { + "version": "3.0.1", + "resolved": 
"https://registry.npmjs.org/parse-conflict-json/-/parse-conflict-json-3.0.1.tgz", + "integrity": "sha512-01TvEktc68vwbJOtWZluyWeVGWjP+bZwXtPDMQVbBKzbJ/vZBif0L69KH1+cHv1SZ6e0FKLvjyHe8mqsIqYOmw==", + "license": "ISC", + "dependencies": { + "json-parse-even-better-errors": "^3.0.0", + "just-diff": "^6.0.0", + "just-diff-apply": "^5.2.0" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/path-exists": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-5.0.0.tgz", + "integrity": "sha512-RjhtfwJOxzcFmNOi6ltcbcu4Iu+FL3zEj83dk4kAS+fVpTxXLO1b38RvJgT/0QwvV/L3aY9TAnyv0EOqW4GoMQ==", + "license": "MIT", + "engines": { + "node": "^12.20.0 || ^14.13.1 || >=16.0.0" + } + }, + "node_modules/path-key": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz", + "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==", + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/path-parse": { + "version": "1.0.7", + "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", + "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==", + "license": "MIT" + }, + "node_modules/path-scurry": { + "version": "1.11.1", + "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz", + "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==", + "license": "BlueOak-1.0.0", + "dependencies": { + "lru-cache": "^10.2.0", + "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" + }, + "engines": { + "node": ">=16 || 14 >=14.18" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/picomatch": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-3.0.1.tgz", + "integrity": 
"sha512-I3EurrIQMlRc9IaAZnqRR044Phh2DXY+55o7uJ0V+hYZAcQYSuFWsc9q5PvyDHUSCe1Qxn/iBz+78s86zWnGag==", + "license": "MIT", + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/jonschlinkert" + } + }, + "node_modules/pkg-dir": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/pkg-dir/-/pkg-dir-7.0.0.tgz", + "integrity": "sha512-Ie9z/WINcxxLp27BKOCHGde4ITq9UklYKDzVo1nhk5sqGEXU3FpkwP5GM2voTGJkGd9B3Otl+Q4uwSOeSUtOBA==", + "license": "MIT", + "dependencies": { + "find-up": "^6.3.0" + }, + "engines": { + "node": ">=14.16" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/postcss-selector-parser": { + "version": "6.1.2", + "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.1.2.tgz", + "integrity": "sha512-Q8qQfPiZ+THO/3ZrOrO0cJJKfpYCagtMUkXbnEfmgUjwXg6z/WBeOyS9APBBPCTSiDV+s4SwQGu8yFsiMRIudg==", + "license": "MIT", + "dependencies": { + "cssesc": "^3.0.0", + "util-deprecate": "^1.0.2" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/proc-log": { + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/proc-log/-/proc-log-4.2.0.tgz", + "integrity": "sha512-g8+OnU/L2v+wyiVK+D5fA34J7EH8jZ8DDlvwhRCMxmMj7UCBvxiO1mGeN+36JXIKF4zevU4kRBd8lVgG9vLelA==", + "license": "ISC", + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/proggy": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/proggy/-/proggy-2.0.0.tgz", + "integrity": "sha512-69agxLtnI8xBs9gUGqEnK26UfiexpHy+KUpBQWabiytQjnn5wFY8rklAi7GRfABIuPNnQ/ik48+LGLkYYJcy4A==", + "license": "ISC", + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/promise-all-reject-late": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/promise-all-reject-late/-/promise-all-reject-late-1.0.1.tgz", + "integrity": 
"sha512-vuf0Lf0lOxyQREH7GDIOUMLS7kz+gs8i6B+Yi8dC68a2sychGrHTJYghMBD6k7eUcH0H5P73EckCA48xijWqXw==", + "license": "ISC", + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/promise-call-limit": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/promise-call-limit/-/promise-call-limit-3.0.2.tgz", + "integrity": "sha512-mRPQO2T1QQVw11E7+UdCJu7S61eJVWknzml9sC1heAdj1jxl0fWMBypIt9ZOcLFf8FkG995ZD7RnVk7HH72fZw==", + "license": "ISC", + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/promise-inflight": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/promise-inflight/-/promise-inflight-1.0.1.tgz", + "integrity": "sha512-6zWPyEOFaQBJYcGMHBKTKJ3u6TBsnMFOIZSa6ce1e/ZrrsOlnHRHbabMjLiBYKp+n44X9eUI6VUPaukCXHuG4g==", + "license": "ISC" + }, + "node_modules/promise-retry": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/promise-retry/-/promise-retry-2.0.1.tgz", + "integrity": "sha512-y+WKFlBR8BGXnsNlIHFGPZmyDf3DFMoLhaflAnyZgV6rG6xu+JwesTo2Q9R6XwYmtmwAFCkAk3e35jEdoeh/3g==", + "license": "MIT", + "dependencies": { + "err-code": "^2.0.2", + "retry": "^0.12.0" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/protobufjs": { + "version": "7.5.4", + "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.4.tgz", + "integrity": "sha512-CvexbZtbov6jW2eXAvLukXjXUW1TzFaivC46BpWc/3BpcCysb5Vffu+B3XHMm8lVEuy2Mm4XGex8hBSg1yapPg==", + "hasInstallScript": true, + "license": "BSD-3-Clause", + "dependencies": { + "@protobufjs/aspromise": "^1.1.2", + "@protobufjs/base64": "^1.1.2", + "@protobufjs/codegen": "^2.0.4", + "@protobufjs/eventemitter": "^1.1.0", + "@protobufjs/fetch": "^1.1.0", + "@protobufjs/float": "^1.0.2", + "@protobufjs/inquire": "^1.1.0", + "@protobufjs/path": "^1.1.2", + "@protobufjs/pool": "^1.1.0", + "@protobufjs/utf8": "^1.1.0", + "@types/node": ">=13.7.0", + "long": "^5.0.0" + }, + "engines": { + "node": ">=12.0.0" + } + }, + 
"node_modules/pulumi-extra-crds": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/pulumi-extra-crds/-/pulumi-extra-crds-1.0.0.tgz", + "integrity": "sha512-DM5/fLRpyhYlZ0bVZlc5imHhz4FjO+00OxCNYzieebZCE0W9L06T2D37MufKhyROppUL3MNLxE6zoa6n6Chaaw==", + "license": "Apache-2.0", + "dependencies": { + "@pulumi/kubernetes": "^4.23.0", + "@pulumi/pulumi": "^3.113.0" + } + }, + "node_modules/pump": { + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.3.tgz", + "integrity": "sha512-todwxLMY7/heScKmntwQG8CXVkWUOdYxIvY2s0VWAAMh/nd8SoYiRaKjlr7+iCs984f2P8zvrfWcDDYVb73NfA==", + "license": "MIT", + "dependencies": { + "end-of-stream": "^1.1.0", + "once": "^1.3.1" + } + }, + "node_modules/quick-lru": { + "version": "5.1.1", + "resolved": "https://registry.npmjs.org/quick-lru/-/quick-lru-5.1.1.tgz", + "integrity": "sha512-WuyALRjWPDGtt/wzJiadO5AXY+8hZ80hVpe6MyivgraREW751X3SbhRvG3eLKOYN+8VEvqLcf3wdnt44Z4S4SA==", + "license": "MIT", + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/read-cmd-shim": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/read-cmd-shim/-/read-cmd-shim-4.0.0.tgz", + "integrity": "sha512-yILWifhaSEEytfXI76kB9xEEiG1AiozaCJZ83A87ytjRiN+jVibXjedjCRNjoZviinhG+4UkalO3mWTd8u5O0Q==", + "license": "ISC", + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/read-package-json-fast": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/read-package-json-fast/-/read-package-json-fast-3.0.2.tgz", + "integrity": "sha512-0J+Msgym3vrLOUB3hzQCuZHII0xkNGCtz/HJH9xZshwv9DbDwkw1KaE3gx/e2J5rpEY5rtOy6cyhKOPrkP7FZw==", + "license": "ISC", + "dependencies": { + "json-parse-even-better-errors": "^3.0.0", + "npm-normalize-package-bin": "^3.0.0" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/require-directory": { + "version": "2.1.1", + "resolved": 
"https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz", + "integrity": "sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q==", + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/require-from-string": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz", + "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==", + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/require-in-the-middle": { + "version": "7.5.2", + "resolved": "https://registry.npmjs.org/require-in-the-middle/-/require-in-the-middle-7.5.2.tgz", + "integrity": "sha512-gAZ+kLqBdHarXB64XpAe2VCjB7rIRv+mU8tfRWziHRJ5umKsIHN2tLLv6EtMw7WCdP19S0ERVMldNvxYCHnhSQ==", + "license": "MIT", + "dependencies": { + "debug": "^4.3.5", + "module-details-from-path": "^1.0.3", + "resolve": "^1.22.8" + }, + "engines": { + "node": ">=8.6.0" + } + }, + "node_modules/resolve": { + "version": "1.22.11", + "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.11.tgz", + "integrity": "sha512-RfqAvLnMl313r7c9oclB1HhUEAezcpLjz95wFH4LVuhk9JF/r22qmVP9AMmOU4vMX7Q8pN8jwNg/CSpdFnMjTQ==", + "license": "MIT", + "dependencies": { + "is-core-module": "^2.16.1", + "path-parse": "^1.0.7", + "supports-preserve-symlinks-flag": "^1.0.0" + }, + "bin": { + "resolve": "bin/resolve" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/resolve-alpn": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/resolve-alpn/-/resolve-alpn-1.2.1.tgz", + "integrity": "sha512-0a1F4l73/ZFZOakJnQ3FvkJ2+gSTQWz/r2KE5OdDY0TxPm5h4GkqkWWfM47T7HsbnOtcJVEF4epCVy6u7Q3K+g==", + "license": "MIT" + }, + "node_modules/responselike": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/responselike/-/responselike-2.0.1.tgz", + 
"integrity": "sha512-4gl03wn3hj1HP3yzgdI7d3lCkF95F21Pz4BPGvKHinyQzALR5CapwC8yIi0Rh58DEMQ/SguC03wFj2k0M/mHhw==", + "license": "MIT", + "dependencies": { + "lowercase-keys": "^2.0.0" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/retry": { + "version": "0.12.0", + "resolved": "https://registry.npmjs.org/retry/-/retry-0.12.0.tgz", + "integrity": "sha512-9LkiTwjUh6rT555DtE9rTX+BKByPfrMzEAtnlEtdEwr3Nkffwiihqe2bWADg+OQRjt9gl6ICdmB/ZFDCGAtSow==", + "license": "MIT", + "engines": { + "node": ">= 4" + } + }, + "node_modules/safer-buffer": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", + "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==", + "license": "MIT", + "optional": true + }, + "node_modules/semver": { + "version": "7.7.3", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.3.tgz", + "integrity": "sha512-SdsKMrI9TdgjdweUSR9MweHA4EJ8YxHn8DFaDisvhVlUOe4BF1tLD7GAj0lIqWVl+dPb/rExr0Btby5loQm20Q==", + "license": "ISC", + "bin": { + "semver": "bin/semver.js" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/shebang-command": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz", + "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==", + "license": "MIT", + "dependencies": { + "shebang-regex": "^3.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/shebang-regex": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz", + "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==", + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/shell-quote": { + "version": "1.8.3", + "resolved": 
"https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.3.tgz", + "integrity": "sha512-ObmnIF4hXNg1BqhnHmgbDETF8dLPCggZWBjkQfhZpbszZnYur5DUljTcCHii5LC3J5E0yeO/1LIMyH+UvHQgyw==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/shimmer": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/shimmer/-/shimmer-1.2.1.tgz", + "integrity": "sha512-sQTKC1Re/rM6XyFM6fIAGHRPVGvyXfgzIDvzoq608vM+jeyVD0Tu1E6Np0Kc2zAIFWIj963V2800iF/9LPieQw==", + "license": "BSD-2-Clause" + }, + "node_modules/signal-exit": { + "version": "3.0.7", + "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.7.tgz", + "integrity": "sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ==", + "license": "ISC" + }, + "node_modules/sigstore": { + "version": "2.3.1", + "resolved": "https://registry.npmjs.org/sigstore/-/sigstore-2.3.1.tgz", + "integrity": "sha512-8G+/XDU8wNsJOQS5ysDVO0Etg9/2uA5gR9l4ZwijjlwxBcrU6RPfwi2+jJmbP+Ap1Hlp/nVAaEO4Fj22/SL2gQ==", + "license": "Apache-2.0", + "dependencies": { + "@sigstore/bundle": "^2.3.2", + "@sigstore/core": "^1.0.0", + "@sigstore/protobuf-specs": "^0.3.2", + "@sigstore/sign": "^2.3.2", + "@sigstore/tuf": "^2.3.4", + "@sigstore/verify": "^1.2.1" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/smart-buffer": { + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/smart-buffer/-/smart-buffer-4.2.0.tgz", + "integrity": "sha512-94hK0Hh8rPqQl2xXc3HsaBoOXKV20MToPkcXvwbISWLEs+64sBq5kFgn2kJDHb1Pry9yrP0dxrCI9RRci7RXKg==", + "license": "MIT", + "engines": { + "node": ">= 6.0.0", + "npm": ">= 3.0.0" + } + }, + "node_modules/socks": { + "version": "2.8.7", + "resolved": "https://registry.npmjs.org/socks/-/socks-2.8.7.tgz", + "integrity": "sha512-HLpt+uLy/pxB+bum/9DzAgiKS8CX1EvbWxI4zlmgGCExImLdiad2iCwXT5Z4c9c3Eq8rP2318mPW2c+QbtjK8A==", + "license": "MIT", + "dependencies": { + 
"ip-address": "^10.0.1", + "smart-buffer": "^4.2.0" + }, + "engines": { + "node": ">= 10.0.0", + "npm": ">= 3.0.0" + } + }, + "node_modules/socks-proxy-agent": { + "version": "8.0.5", + "resolved": "https://registry.npmjs.org/socks-proxy-agent/-/socks-proxy-agent-8.0.5.tgz", + "integrity": "sha512-HehCEsotFqbPW9sJ8WVYB6UbmIMv7kUUORIF2Nncq4VQvBfNBLibW9YZR5dlYCSUhwcD628pRllm7n+E+YTzJw==", + "license": "MIT", + "dependencies": { + "agent-base": "^7.1.2", + "debug": "^4.3.4", + "socks": "^2.8.3" + }, + "engines": { + "node": ">= 14" + } + }, + "node_modules/source-map": { + "version": "0.6.1", + "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", + "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==", + "license": "BSD-3-Clause", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/source-map-support": { + "version": "0.5.21", + "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.21.tgz", + "integrity": "sha512-uBHU3L3czsIyYXKX88fdrGovxdSCoTGDRZ6SYXtSRxLZUzHg5P/66Ht6uoUlHu9EZod+inXhKo3qQgwXUT/y1w==", + "license": "MIT", + "dependencies": { + "buffer-from": "^1.0.0", + "source-map": "^0.6.0" + } + }, + "node_modules/spdx-correct": { + "version": "3.2.0", + "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz", + "integrity": "sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==", + "license": "Apache-2.0", + "dependencies": { + "spdx-expression-parse": "^3.0.0", + "spdx-license-ids": "^3.0.0" + } + }, + "node_modules/spdx-exceptions": { + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.5.0.tgz", + "integrity": "sha512-PiU42r+xO4UbUS1buo3LPJkjlO7430Xn5SVAhdpzzsPHsjbYVflnnFdATgabnLude+Cqu25p6N+g2lw/PFsa4w==", + "license": "CC-BY-3.0" + }, + "node_modules/spdx-expression-parse": { + "version": "3.0.1", + "resolved": 
"https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz", + "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==", + "license": "MIT", + "dependencies": { + "spdx-exceptions": "^2.1.0", + "spdx-license-ids": "^3.0.0" + } + }, + "node_modules/spdx-license-ids": { + "version": "3.0.22", + "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.22.tgz", + "integrity": "sha512-4PRT4nh1EImPbt2jASOKHX7PB7I+e4IWNLvkKFDxNhJlfjbYlleYQh285Z/3mPTHSAK/AvdMmw5BNNuYH8ShgQ==", + "license": "CC0-1.0" + }, + "node_modules/sprintf-js": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", + "integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==", + "license": "BSD-3-Clause" + }, + "node_modules/ssri": { + "version": "10.0.6", + "resolved": "https://registry.npmjs.org/ssri/-/ssri-10.0.6.tgz", + "integrity": "sha512-MGrFH9Z4NP9Iyhqn16sDtBpRRNJ0Y2hNa6D65h736fVSaPCHr4DM4sWUNvVaSuC+0OBGhwsrydQwmgfg5LncqQ==", + "license": "ISC", + "dependencies": { + "minipass": "^7.0.3" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/string-width": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz", + "integrity": "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==", + "license": "MIT", + "dependencies": { + "eastasianwidth": "^0.2.0", + "emoji-regex": "^9.2.2", + "strip-ansi": "^7.0.1" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/string-width-cjs": { + "name": "string-width", + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": 
"sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "license": "MIT", + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/string-width-cjs/node_modules/ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/string-width-cjs/node_modules/emoji-regex": { + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "license": "MIT" + }, + "node_modules/string-width-cjs/node_modules/strip-ansi": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "license": "MIT", + "dependencies": { + "ansi-regex": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/strip-ansi": { + "version": "7.1.2", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.2.tgz", + "integrity": "sha512-gmBGslpoQJtgnMAvOVqGZpEz9dyoKTCzy2nfz/n8aIFhN/jCE/rCmcxabB6jOOHV+0WNnylOxaxBQPSvcWklhA==", + "license": "MIT", + "dependencies": { + "ansi-regex": "^6.0.1" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/strip-ansi?sponsor=1" + } + }, + "node_modules/strip-ansi-cjs": { + "name": "strip-ansi", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": 
"sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "license": "MIT", + "dependencies": { + "ansi-regex": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/strip-ansi-cjs/node_modules/ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/strip-final-newline": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/strip-final-newline/-/strip-final-newline-2.0.0.tgz", + "integrity": "sha512-BrpvfNAE3dcvq7ll3xVumzjKjZQ5tI1sEUIKr3Uoks0XUl45St3FlatVqef9prk4jRDzhW6WZg+3bk93y6pLjA==", + "license": "MIT", + "engines": { + "node": ">=6" + } + }, + "node_modules/supports-preserve-symlinks-flag": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", + "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/tar": { + "version": "6.2.1", + "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.1.tgz", + "integrity": "sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==", + "license": "ISC", + "dependencies": { + "chownr": "^2.0.0", + "fs-minipass": "^2.0.0", + "minipass": "^5.0.0", + "minizlib": "^2.1.1", + "mkdirp": "^1.0.3", + "yallist": "^4.0.0" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/tar/node_modules/fs-minipass": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/fs-minipass/-/fs-minipass-2.1.0.tgz", + "integrity": 
"sha512-V/JgOLFCS+R6Vcq0slCuaeWEdNC3ouDlJMNIsacH2VtALiu9mV4LPrHc5cDl8k5aw6J8jwgWWpiTo5RYhmIzvg==", + "license": "ISC", + "dependencies": { + "minipass": "^3.0.0" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/tar/node_modules/fs-minipass/node_modules/minipass": { + "version": "3.3.6", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz", + "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==", + "license": "ISC", + "dependencies": { + "yallist": "^4.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/tar/node_modules/minipass": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-5.0.0.tgz", + "integrity": "sha512-3FnjYuehv9k6ovOEbyOswadCDPX1piCfhV8ncmYtHOjuPwylVWsghTLo7rabjC3Rx5xD4HDx8Wm1xnMF7S5qFQ==", + "license": "ISC", + "engines": { + "node": ">=8" + } + }, + "node_modules/tmp": { + "version": "0.2.5", + "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.5.tgz", + "integrity": "sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==", + "license": "MIT", + "engines": { + "node": ">=14.14" + } + }, + "node_modules/treeverse": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/treeverse/-/treeverse-3.0.0.tgz", + "integrity": "sha512-gcANaAnd2QDZFmHFEOF4k7uc1J/6a6z3DJMd/QwEyxLoKGiptJRwid582r7QIsFlFMIZ3SnxfS52S4hm2DHkuQ==", + "license": "ISC", + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/tuf-js": { + "version": "2.2.1", + "resolved": "https://registry.npmjs.org/tuf-js/-/tuf-js-2.2.1.tgz", + "integrity": "sha512-GwIJau9XaA8nLVbUXsN3IlFi7WmQ48gBUrl3FTkkL/XLu/POhBzfmX9hd33FNMX1qAsfl6ozO1iMmW9NC8YniA==", + "license": "MIT", + "dependencies": { + "@tufjs/models": "2.0.1", + "debug": "^4.3.4", + "make-fetch-happen": "^13.0.1" + }, + "engines": { + "node": "^16.14.0 || >=18.0.0" + } + }, + "node_modules/typescript": { + "version": 
"5.9.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz", + "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", + "devOptional": true, + "license": "Apache-2.0", + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=14.17" + } + }, + "node_modules/undici-types": { + "version": "6.21.0", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz", + "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==", + "license": "MIT" + }, + "node_modules/unique-filename": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/unique-filename/-/unique-filename-3.0.0.tgz", + "integrity": "sha512-afXhuC55wkAmZ0P18QsVE6kp8JaxrEokN2HGIoIVv2ijHQd419H0+6EigAFcIzXeMIkcIkNBpB3L/DXB3cTS/g==", + "license": "ISC", + "dependencies": { + "unique-slug": "^4.0.0" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/unique-slug": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/unique-slug/-/unique-slug-4.0.0.tgz", + "integrity": "sha512-WrcA6AyEfqDX5bWige/4NQfPZMtASNVxdmWR76WESYQVAACSgWcR6e9i0mofqqBxYFtL4oAxPIptY73/0YE1DQ==", + "license": "ISC", + "dependencies": { + "imurmurhash": "^0.1.4" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/upath": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/upath/-/upath-1.2.0.tgz", + "integrity": "sha512-aZwGpamFO61g3OlfT7OQCHqhGnW43ieH9WZeP7QxN/G/jS4jfqUkZxoryvJgVPEcrl5NL/ggHsSmLMHuH64Lhg==", + "license": "MIT", + "engines": { + "node": ">=4", + "yarn": "*" + } + }, + "node_modules/util-deprecate": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", + "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==", + "license": 
"MIT" + }, + "node_modules/validate-npm-package-license": { + "version": "3.0.4", + "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz", + "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==", + "license": "Apache-2.0", + "dependencies": { + "spdx-correct": "^3.0.0", + "spdx-expression-parse": "^3.0.0" + } + }, + "node_modules/validate-npm-package-name": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/validate-npm-package-name/-/validate-npm-package-name-5.0.1.tgz", + "integrity": "sha512-OljLrQ9SQdOUqTaQxqL5dEfZWrXExyyWsozYlAWFawPVNuD83igl7uJD2RTkNMbniIYgt8l81eCJGIdQF7avLQ==", + "license": "ISC", + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/walk-up-path": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/walk-up-path/-/walk-up-path-3.0.1.tgz", + "integrity": "sha512-9YlCL/ynK3CTlrSRrDxZvUauLzAswPCrsaCgilqFevUYpeEW0/3ScEjaa3kbW/T0ghhkEr7mv+fpjqn1Y1YuTA==", + "license": "ISC" + }, + "node_modules/which": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/which/-/which-4.0.0.tgz", + "integrity": "sha512-GlaYyEb07DPxYCKhKzplCWBJtvxZcZMrL+4UkrTSJHHPyZU4mYYTv3qaOe77H7EODLSSopAUFAc6W8U4yqvscg==", + "license": "ISC", + "dependencies": { + "isexe": "^3.1.1" + }, + "bin": { + "node-which": "bin/which.js" + }, + "engines": { + "node": "^16.13.0 || >=18.0.0" + } + }, + "node_modules/wrap-ansi": { + "version": "8.1.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-8.1.0.tgz", + "integrity": "sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==", + "license": "MIT", + "dependencies": { + "ansi-styles": "^6.1.0", + "string-width": "^5.0.1", + "strip-ansi": "^7.0.1" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/wrap-ansi?sponsor=1" + } + }, + "node_modules/wrap-ansi-cjs": 
{ + "name": "wrap-ansi", + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", + "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", + "license": "MIT", + "dependencies": { + "ansi-styles": "^4.0.0", + "string-width": "^4.1.0", + "strip-ansi": "^6.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/chalk/wrap-ansi?sponsor=1" + } + }, + "node_modules/wrap-ansi-cjs/node_modules/ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/wrap-ansi-cjs/node_modules/ansi-styles": { + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz", + "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==", + "license": "MIT", + "dependencies": { + "color-convert": "^2.0.1" + }, + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + "node_modules/wrap-ansi-cjs/node_modules/emoji-regex": { + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "license": "MIT" + }, + "node_modules/wrap-ansi-cjs/node_modules/string-width": { + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "license": "MIT", + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + 
"engines": { + "node": ">=8" + } + }, + "node_modules/wrap-ansi-cjs/node_modules/strip-ansi": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "license": "MIT", + "dependencies": { + "ansi-regex": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", + "license": "ISC" + }, + "node_modules/write-file-atomic": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/write-file-atomic/-/write-file-atomic-5.0.1.tgz", + "integrity": "sha512-+QU2zd6OTD8XWIJCbffaiQeH9U73qIqafo1x6V1snCWYGJf6cVE0cDR4D8xRzcEnfI21IFrUPzPGtcPf8AC+Rw==", + "license": "ISC", + "dependencies": { + "imurmurhash": "^0.1.4", + "signal-exit": "^4.0.1" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/write-file-atomic/node_modules/signal-exit": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", + "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", + "license": "ISC", + "engines": { + "node": ">=14" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/y18n": { + "version": "5.0.8", + "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz", + "integrity": "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==", + "license": "ISC", + "engines": { + "node": ">=10" + } + }, + "node_modules/yallist": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz", + "integrity": 
"sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==", + "license": "ISC" + }, + "node_modules/yargs": { + "version": "17.7.2", + "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.7.2.tgz", + "integrity": "sha512-7dSzzRQ++CKnNI/krKnYRV7JKKPUXMEh61soaHKg9mrWEhzFWhFnxPxGl+69cD1Ou63C13NUPCnmIcrvqCuM6w==", + "license": "MIT", + "dependencies": { + "cliui": "^8.0.1", + "escalade": "^3.1.1", + "get-caller-file": "^2.0.5", + "require-directory": "^2.1.1", + "string-width": "^4.2.3", + "y18n": "^5.0.5", + "yargs-parser": "^21.1.1" + }, + "engines": { + "node": ">=12" + } + }, + "node_modules/yargs-parser": { + "version": "21.1.1", + "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-21.1.1.tgz", + "integrity": "sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==", + "license": "ISC", + "engines": { + "node": ">=12" + } + }, + "node_modules/yargs/node_modules/ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/yargs/node_modules/emoji-regex": { + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "license": "MIT" + }, + "node_modules/yargs/node_modules/string-width": { + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "license": "MIT", + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + 
}, + "node_modules/yargs/node_modules/strip-ansi": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "license": "MIT", + "dependencies": { + "ansi-regex": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/yocto-queue": { + "version": "1.2.2", + "resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-1.2.2.tgz", + "integrity": "sha512-4LCcse/U2MHZ63HAJVE+v71o7yOdIe4cZ70Wpf8D/IyjDKYQLV5GD46B+hSTjJsvV5PztjvHoU580EftxjDZFQ==", + "license": "MIT", + "engines": { + "node": ">=12.20" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + } + } +}
diff --git a/package.json b/package.json
index 2ac3b09..957f2c4 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "pulumi-extra-crds",
- "version": "1.0.9",
+ "version": "1.0.10",
 "license": "Apache-2.0",
 "scripts": {
 "generate": "node scripts/generate-crds.js",