gitea_admin/k8s-and-chill
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
k8s-and-chill/rendered/envs/production/traefik/customresourcedefinition-backendtlspolicies.gateway.networking.k8s.io.yaml
Felix Wolf a094b7d70a feat: Wire ArgoCD to Forgejo for GitOps management 
Configure myks env-data with global repoURL pointing to Forgejo repo,
switch destination from cluster name to in-cluster server URL, and
disable placeholder cluster Secret generation. Add deploy key init Job
that generates an SSH keypair, registers it with Forgejo, and creates
the ArgoCD repository secret. Switch job images from bitnami/kubectl
to alpine/k8s.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 22:13:11 +02:00

1270 lines
74 KiB
YAML
Raw Blame History

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
gateway.networking.k8s.io/bundle-version: v1.4.0
gateway.networking.k8s.io/channel: standard
labels:
gateway.networking.k8s.io/policy: Direct
name: backendtlspolicies.gateway.networking.k8s.io
namespace: traefik
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
kind: BackendTLSPolicy
listKind: BackendTLSPolicyList
plural: backendtlspolicies
shortNames:
- btlspolicy
singular: backendtlspolicy
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: |-
BackendTLSPolicy provides a way to configure how a Gateway
connects to a Backend via TLS.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of BackendTLSPolicy.
properties:
options:
additionalProperties:
description: |-
AnnotationValue is the value of an annotation in Gateway API. This is used
for validation of maps such as TLS options. This roughly matches Kubernetes
annotation validation, although the length validation in that case is based
on the entire size of the annotations struct.
maxLength: 4096
minLength: 0
type: string
description: |-
Options are a list of key/value pairs to enable extended TLS
configuration for each implementation. For example, configuring the
minimum TLS version or supported cipher suites.
A set of common keys MAY be defined by the API in the future. To avoid
any ambiguity, implementation-specific definitions MUST use
domain-prefixed names, such as `example.com/my-custom-option`.
Un-prefixed names are reserved for key names defined by Gateway API.
Support: Implementation-specific
maxProperties: 16
type: object
targetRefs:
description: |-
TargetRefs identifies an API object to apply the policy to.
Only Services have Extended support. Implementations MAY support
additional objects, with Implementation Specific support.
Note that this config applies to the entire referenced resource
by default, but this default may change in the future to provide
a more granular application of the policy.
TargetRefs must be _distinct_. This means either that:
* They select different targets. If this is the case, then targetRef
entries are distinct. In terms of fields, this means that the
multi-part key defined by `group`, `kind`, and `name` must
be unique across all targetRef entries in the BackendTLSPolicy.
* They select different sectionNames in the same target.
When more than one BackendTLSPolicy selects the same target and
sectionName, implementations MUST determine precedence using the
following criteria, continuing on ties:
* The older policy by creation timestamp takes precedence. For
example, a policy with a creation timestamp of "2021-07-15
01:02:03" MUST be given precedence over a policy with a
creation timestamp of "2021-07-15 01:02:04".
* The policy appearing first in alphabetical order by {name}.
For example, a policy named `bar` is given precedence over a
policy named `baz`.
For any BackendTLSPolicy that does not take precedence, the
implementation MUST ensure the `Accepted` Condition is set to
`status: False`, with Reason `Conflicted`.
Support: Extended for Kubernetes Service
Support: Implementation-specific for any other resource
items:
description: |-
LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
direct policy to. This should be used as part of Policy resources that can
target single resources. For more information on how this policy attachment
mode works, and a sample Policy resource, refer to the policy attachment
documentation for Gateway API.
Note: This should only be used for direct policy attachment when references
to SectionName are actually needed. In all other cases,
LocalPolicyTargetReference should be used.
properties:
group:
description: Group is the group of the target resource.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the target resource.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the target resource.
maxLength: 253
minLength: 1
type: string
sectionName:
description: |-
SectionName is the name of a section within the target resource. When
unspecified, this targetRef targets the entire resource. In the following
resources, SectionName is interpreted as the following:
* Gateway: Listener name
* HTTPRoute: HTTPRouteRule name
* Service: Port name
If a SectionName is specified, but does not exist on the targeted object,
the Policy must fail to attach, and the policy implementation should record
a `ResolvedRefs` or similar Condition in the Policy's status.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- group
- kind
- name
type: object
maxItems: 16
minItems: 1
type: array
x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: sectionName must be specified when targetRefs includes 2 or more references to the same target
rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name ? ((!has(p1.sectionName) || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName == '''')) : true))'
- message: sectionName must be unique when targetRefs includes 2 or more references to the same target
rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name && (((!has(p1.sectionName) || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName == p2.sectionName))))
validation:
description: Validation contains backend TLS validation configuration.
properties:
caCertificateRefs:
description: |-
CACertificateRefs contains one or more references to Kubernetes objects that
contain a PEM-encoded TLS CA certificate bundle, which is used to
validate a TLS handshake between the Gateway and backend Pod.
If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
not both. If CACertificateRefs is empty or unspecified, the configuration for
WellKnownCACertificates MUST be honored instead if supported by the implementation.
A CACertificateRef is invalid if:
* It refers to a resource that cannot be resolved (e.g., the referenced resource
does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
and the Message of the Condition must indicate which reference is invalid and why.
* It refers to an unknown or unsupported kind of resource. In this case, the Reason
must be set to `InvalidKind` and the Message of the Condition must explain which
kind of resource is unknown or unsupported.
* It refers to a resource in another namespace. This may change in future
spec updates.
Implementations MAY choose to perform further validation of the certificate
content (e.g., checking expiry or enforcing specific formats). In such cases,
an implementation-specific Reason and Message must be set for the invalid reference.
In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
the BackendTLSPolicy is set to `status: False`, with a Reason and Message
that indicate the cause of the error. Connections using an invalid
CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
response. If ALL CACertificateRefs are invalid, the implementation MUST also
ensure the `Accepted` Condition on the BackendTLSPolicy is set to
`status: False`, with a Reason `NoValidCACertificate`.
A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
Implementations MAY choose to support attaching multiple certificates to
a backend, but this behavior is implementation-specific.
Support: Core - An optional single reference to a Kubernetes ConfigMap,
with the CA certificate in a key named `ca.crt`.
Support: Implementation-specific - More than one reference, other kinds
of resources, or a single reference that includes multiple certificates.
items:
description: |-
LocalObjectReference identifies an API object within the namespace of the
referrer.
The API object must be valid in the cluster; the Group and Kind must
be registered in the cluster for this reference to be valid.
References to objects with invalid Group and Kind are not valid, and must
be rejected by the implementation, with appropriate Conditions set
on the containing object.
properties:
group:
description: |-
Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the referent. For example "HTTPRoute" or "Service".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
- name
type: object
maxItems: 8
type: array
x-kubernetes-list-type: atomic
hostname:
description: |-
Hostname is used for two purposes in the connection between Gateways and
backends:
1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
2. Hostname MUST be used for authentication and MUST match the certificate
served by the matching backend, unless SubjectAltNames is specified.
3. If SubjectAltNames are specified, Hostname can be used for certificate selection
but MUST NOT be used for authentication. If you want to use the value
of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
subjectAltNames:
description: |-
SubjectAltNames contains one or more Subject Alternative Names.
When specified the certificate served from the backend MUST
have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
Support: Extended
items:
description: SubjectAltName represents Subject Alternative Name.
properties:
hostname:
description: |-
Hostname contains Subject Alternative Name specified in DNS name format.
Required when Type is set to Hostname, ignored otherwise.
Support: Core
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
type:
description: |-
Type determines the format of the Subject Alternative Name. Always required.
Support: Core
enum:
- Hostname
- URI
type: string
uri:
description: |-
URI contains Subject Alternative Name specified in a full URI format.
It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
Required when Type is set to URI, ignored otherwise.
Support: Core
maxLength: 253
minLength: 1
pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?
type: string
required:
- type
type: object
x-kubernetes-validations:
- message: SubjectAltName element must contain Hostname, if Type is set to Hostname
rule: '!(self.type == "Hostname" && (!has(self.hostname) || self.hostname == ""))'
- message: SubjectAltName element must not contain Hostname, if Type is not set to Hostname
rule: '!(self.type != "Hostname" && has(self.hostname) && self.hostname != "")'
- message: SubjectAltName element must contain URI, if Type is set to URI
rule: '!(self.type == "URI" && (!has(self.uri) || self.uri == ""))'
- message: SubjectAltName element must not contain URI, if Type is not set to URI
rule: '!(self.type != "URI" && has(self.uri) && self.uri != "")'
maxItems: 5
type: array
x-kubernetes-list-type: atomic
wellKnownCACertificates:
description: |-
WellKnownCACertificates specifies whether system CA certificates may be used in
the TLS handshake between the gateway and backend pod.
If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
must be specified with at least one entry for a valid configuration. Only one of
CACertificateRefs or WellKnownCACertificates may be specified, not both.
If an implementation does not support the WellKnownCACertificates field, or
the supplied value is not recognized, the implementation MUST ensure the
`Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
a Reason `Invalid`.
Support: Implementation-specific
enum:
- System
type: string
required:
- hostname
type: object
x-kubernetes-validations:
- message: must not contain both CACertificateRefs and WellKnownCACertificates
rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs) > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates != "")'
- message: must specify either CACertificateRefs or WellKnownCACertificates
rule: (has(self.caCertificateRefs) && size(self.caCertificateRefs) > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates != "")
required:
- targetRefs
- validation
type: object
status:
description: Status defines the current state of BackendTLSPolicy.
properties:
ancestors:
description: |-
Ancestors is a list of ancestor resources (usually Gateways) that are
associated with the policy, and the status of the policy with respect to
each ancestor. When this policy attaches to a parent, the controller that
manages the parent and the ancestors MUST add an entry to this list when
the controller first sees the policy and SHOULD update the entry as
appropriate when the relevant ancestor is modified.
Note that choosing the relevant ancestor is left to the Policy designers;
an important part of Policy design is designing the right object level at
which to namespace this status.
Note also that implementations MUST ONLY populate ancestor status for
the Ancestor resources they are responsible for. Implementations MUST
use the ControllerName field to uniquely identify the entries in this list
that they are responsible for.
Note that to achieve this, the list of PolicyAncestorStatus structs
MUST be treated as a map with a composite key, made up of the AncestorRef
and ControllerName fields combined.
A maximum of 16 ancestors will be represented in this list. An empty list
means the Policy is not relevant for any ancestors.
If this slice is full, implementations MUST NOT add further entries.
Instead they MUST consider the policy unimplementable and signal that
on any related resources such as the ancestor that would be referenced
here. For example, if this list was full on BackendTLSPolicy, no
additional Gateways would be able to reference the Service targeted by
the BackendTLSPolicy.
items:
description: |-
PolicyAncestorStatus describes the status of a route with respect to an
associated Ancestor.
Ancestors refer to objects that are either the Target of a policy or above it
in terms of object hierarchy. For example, if a policy targets a Service, the
Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
useful object to place Policy status on, so we recommend that implementations
SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
have a _very_ good reason otherwise.
In the context of policy attachment, the Ancestor is used to distinguish which
resource results in a distinct application of this policy. For example, if a policy
targets a Service, it may have a distinct result per attached Gateway.
Policies targeting the same resource may have different effects depending on the
ancestors of those resources. For example, different Gateways targeting the same
Service may have different capabilities, especially if they have different underlying
implementations.
For example, in BackendTLSPolicy, the Policy attaches to a Service that is
used as a backend in a HTTPRoute that is itself attached to a Gateway.
In this case, the relevant object for status is the Gateway, and that is the
ancestor object referred to in this status.
Note that a parent is also an ancestor, so for objects where the parent is the
relevant object for status, this struct SHOULD still be used.
This struct is intended to be used in a slice that's effectively a map,
with a composite key made up of the AncestorRef and the ControllerName.
properties:
ancestorRef:
description: |-
AncestorRef corresponds with a ParentRef in the spec that this
PolicyAncestorStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
description: |-
Group is the group of the referent.
When unspecified, "gateway.networking.k8s.io" is inferred.
To set the core API group (such as for a "Service" kind referent),
Group must be explicitly set to "" (empty string).
Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: |-
Kind is kind of the referent.
There are two kinds of parent resources with "Core" support:
* Gateway (Gateway conformance profile)
* Service (Mesh conformance profile, ClusterIP Services only)
Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: |-
Name is the name of the referent.
Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
description: |-
Namespace is the namespace of the referent. When unspecified, this refers
to the local namespace of the Route.
Note that there are specific rules for ParentRefs which cross namespace
boundaries. Cross-namespace references are only valid if they are explicitly
allowed by something in the namespace they are referring to. For example:
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: |-
Port is the network port this Route targets. It can be interpreted
differently based on the type of parent resource.
When the parent resource is a Gateway, this targets all listeners
listening on the specified port that also support this kind of Route(and
select this Route). It's not recommended to set `Port` unless the
networking behaviors specified in a Route must apply to a specific port
as opposed to a listener(s) whose port(s) may be changed. When both Port
and SectionName are specified, the name and port of the selected listener
must match both specified values.
Implementations MAY choose to support other parent resources.
Implementations supporting other types of parent resources MUST clearly
document how/if Port is interpreted.
For the purpose of status, an attachment is considered successful as
long as the parent resource accepts it partially. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: |-
SectionName is the name of a section within the target resource. In the
following resources, SectionName is interpreted as the following:
* Gateway: Listener name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
* Service: Port name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
Implementations MAY choose to support attaching Routes to other resources.
If that is the case, they MUST clearly document how SectionName is
interpreted.
When unspecified (empty string), this will reference the entire resource.
For the purpose of status, an attachment is considered successful if at
least one section in the parent resource accepts it. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this Route, the
Route MUST be considered detached from the Gateway.
Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
conditions:
description: Conditions describes the status of the Policy with respect to the given Ancestor.
items:
description: Condition contains details for one aspect of the current state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
minItems: 1
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
controllerName:
description: |-
ControllerName is a domain/path string that indicates the name of the
controller that wrote this status. This corresponds with the
controllerName field on GatewayClass.
Example: "example.net/gateway-controller".
The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
valid Kubernetes names
(https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
Controllers MUST populate this field when writing status. Controllers should ensure that
entries to status populated with their ControllerName are cleaned up when they are no
longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
required:
- ancestorRef
- conditions
- controllerName
type: object
maxItems: 16
type: array
x-kubernetes-list-type: atomic
required:
- ancestors
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
- deprecated: true
deprecationWarning: The v1alpha3 version of BackendTLSPolicy has been deprecated and will be removed in a future release of the API. Please upgrade to v1.
name: v1alpha3
schema:
openAPIV3Schema:
description: |-
BackendTLSPolicy provides a way to configure how a Gateway
connects to a Backend via TLS.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of BackendTLSPolicy.
properties:
options:
additionalProperties:
description: |-
AnnotationValue is the value of an annotation in Gateway API. This is used
for validation of maps such as TLS options. This roughly matches Kubernetes
annotation validation, although the length validation in that case is based
on the entire size of the annotations struct.
maxLength: 4096
minLength: 0
type: string
description: |-
Options are a list of key/value pairs to enable extended TLS
configuration for each implementation. For example, configuring the
minimum TLS version or supported cipher suites.
A set of common keys MAY be defined by the API in the future. To avoid
any ambiguity, implementation-specific definitions MUST use
domain-prefixed names, such as `example.com/my-custom-option`.
Un-prefixed names are reserved for key names defined by Gateway API.
Support: Implementation-specific
maxProperties: 16
type: object
targetRefs:
description: |-
TargetRefs identifies an API object to apply the policy to.
Only Services have Extended support. Implementations MAY support
additional objects, with Implementation Specific support.
Note that this config applies to the entire referenced resource
by default, but this default may change in the future to provide
a more granular application of the policy.
TargetRefs must be _distinct_. This means either that:
* They select different targets. If this is the case, then targetRef
entries are distinct. In terms of fields, this means that the
multi-part key defined by `group`, `kind`, and `name` must
be unique across all targetRef entries in the BackendTLSPolicy.
* They select different sectionNames in the same target.
When more than one BackendTLSPolicy selects the same target and
sectionName, implementations MUST determine precedence using the
following criteria, continuing on ties:
* The older policy by creation timestamp takes precedence. For
example, a policy with a creation timestamp of "2021-07-15
01:02:03" MUST be given precedence over a policy with a
creation timestamp of "2021-07-15 01:02:04".
* The policy appearing first in alphabetical order by {name}.
For example, a policy named `bar` is given precedence over a
policy named `baz`.
For any BackendTLSPolicy that does not take precedence, the
implementation MUST ensure the `Accepted` Condition is set to
`status: False`, with Reason `Conflicted`.
Support: Extended for Kubernetes Service
Support: Implementation-specific for any other resource
items:
description: |-
LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
direct policy to. This should be used as part of Policy resources that can
target single resources. For more information on how this policy attachment
mode works, and a sample Policy resource, refer to the policy attachment
documentation for Gateway API.
Note: This should only be used for direct policy attachment when references
to SectionName are actually needed. In all other cases,
LocalPolicyTargetReference should be used.
properties:
group:
description: Group is the group of the target resource.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the target resource.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the target resource.
maxLength: 253
minLength: 1
type: string
sectionName:
description: |-
SectionName is the name of a section within the target resource. When
unspecified, this targetRef targets the entire resource. In the following
resources, SectionName is interpreted as the following:
* Gateway: Listener name
* HTTPRoute: HTTPRouteRule name
* Service: Port name
If a SectionName is specified, but does not exist on the targeted object,
the Policy must fail to attach, and the policy implementation should record
a `ResolvedRefs` or similar Condition in the Policy's status.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- group
- kind
- name
type: object
maxItems: 16
minItems: 1
type: array
x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: sectionName must be specified when targetRefs includes 2 or more references to the same target
rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name ? ((!has(p1.sectionName) || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName == '''')) : true))'
- message: sectionName must be unique when targetRefs includes 2 or more references to the same target
rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind == p2.kind && p1.name == p2.name && (((!has(p1.sectionName) || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName == p2.sectionName))))
validation:
description: Validation contains backend TLS validation configuration.
properties:
caCertificateRefs:
description: |-
CACertificateRefs contains one or more references to Kubernetes objects that
contain a PEM-encoded TLS CA certificate bundle, which is used to
validate a TLS handshake between the Gateway and backend Pod.
If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
not both. If CACertificateRefs is empty or unspecified, the configuration for
WellKnownCACertificates MUST be honored instead if supported by the implementation.
A CACertificateRef is invalid if:
* It refers to a resource that cannot be resolved (e.g., the referenced resource
does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
and the Message of the Condition must indicate which reference is invalid and why.
* It refers to an unknown or unsupported kind of resource. In this case, the Reason
must be set to `InvalidKind` and the Message of the Condition must explain which
kind of resource is unknown or unsupported.
* It refers to a resource in another namespace. This may change in future
spec updates.
Implementations MAY choose to perform further validation of the certificate
content (e.g., checking expiry or enforcing specific formats). In such cases,
an implementation-specific Reason and Message must be set for the invalid reference.
In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
the BackendTLSPolicy is set to `status: False`, with a Reason and Message
that indicate the cause of the error. Connections using an invalid
CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
response. If ALL CACertificateRefs are invalid, the implementation MUST also
ensure the `Accepted` Condition on the BackendTLSPolicy is set to
`status: False`, with a Reason `NoValidCACertificate`.
A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
Implementations MAY choose to support attaching multiple certificates to
a backend, but this behavior is implementation-specific.
Support: Core - An optional single reference to a Kubernetes ConfigMap,
with the CA certificate in a key named `ca.crt`.
Support: Implementation-specific - More than one reference, other kinds
of resources, or a single reference that includes multiple certificates.
items:
description: |-
LocalObjectReference identifies an API object within the namespace of the
referrer.
The API object must be valid in the cluster; the Group and Kind must
be registered in the cluster for this reference to be valid.
References to objects with invalid Group and Kind are not valid, and must
be rejected by the implementation, with appropriate Conditions set
on the containing object.
properties:
group:
description: |-
Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: Kind is kind of the referent. For example "HTTPRoute" or "Service".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
required:
- group
- kind
- name
type: object
maxItems: 8
type: array
x-kubernetes-list-type: atomic
hostname:
description: |-
Hostname is used for two purposes in the connection between Gateways and
backends:
1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
2. Hostname MUST be used for authentication and MUST match the certificate
served by the matching backend, unless SubjectAltNames is specified.
3. If SubjectAltNames are specified, Hostname can be used for certificate selection
but MUST NOT be used for authentication. If you want to use the value
of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
subjectAltNames:
description: |-
SubjectAltNames contains one or more Subject Alternative Names.
When specified the certificate served from the backend MUST
have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
Support: Extended
items:
description: SubjectAltName represents Subject Alternative Name.
properties:
hostname:
description: |-
Hostname contains Subject Alternative Name specified in DNS name format.
Required when Type is set to Hostname, ignored otherwise.
Support: Core
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
type:
description: |-
Type determines the format of the Subject Alternative Name. Always required.
Support: Core
enum:
- Hostname
- URI
type: string
uri:
description: |-
URI contains Subject Alternative Name specified in a full URI format.
It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
Required when Type is set to URI, ignored otherwise.
Support: Core
maxLength: 253
minLength: 1
pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?
type: string
required:
- type
type: object
x-kubernetes-validations:
- message: SubjectAltName element must contain Hostname, if Type is set to Hostname
rule: '!(self.type == "Hostname" && (!has(self.hostname) || self.hostname == ""))'
- message: SubjectAltName element must not contain Hostname, if Type is not set to Hostname
rule: '!(self.type != "Hostname" && has(self.hostname) && self.hostname != "")'
- message: SubjectAltName element must contain URI, if Type is set to URI
rule: '!(self.type == "URI" && (!has(self.uri) || self.uri == ""))'
- message: SubjectAltName element must not contain URI, if Type is not set to URI
rule: '!(self.type != "URI" && has(self.uri) && self.uri != "")'
maxItems: 5
type: array
x-kubernetes-list-type: atomic
wellKnownCACertificates:
description: |-
WellKnownCACertificates specifies whether system CA certificates may be used in
the TLS handshake between the gateway and backend pod.
If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
must be specified with at least one entry for a valid configuration. Only one of
CACertificateRefs or WellKnownCACertificates may be specified, not both.
If an implementation does not support the WellKnownCACertificates field, or
the supplied value is not recognized, the implementation MUST ensure the
`Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
a Reason `Invalid`.
Support: Implementation-specific
enum:
- System
type: string
required:
- hostname
type: object
x-kubernetes-validations:
- message: must not contain both CACertificateRefs and WellKnownCACertificates
rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs) > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates != "")'
- message: must specify either CACertificateRefs or WellKnownCACertificates
rule: (has(self.caCertificateRefs) && size(self.caCertificateRefs) > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates != "")
required:
- targetRefs
- validation
type: object
status:
description: Status defines the current state of BackendTLSPolicy.
properties:
ancestors:
description: |-
Ancestors is a list of ancestor resources (usually Gateways) that are
associated with the policy, and the status of the policy with respect to
each ancestor. When this policy attaches to a parent, the controller that
manages the parent and the ancestors MUST add an entry to this list when
the controller first sees the policy and SHOULD update the entry as
appropriate when the relevant ancestor is modified.
Note that choosing the relevant ancestor is left to the Policy designers;
an important part of Policy design is designing the right object level at
which to namespace this status.
Note also that implementations MUST ONLY populate ancestor status for
the Ancestor resources they are responsible for. Implementations MUST
use the ControllerName field to uniquely identify the entries in this list
that they are responsible for.
Note that to achieve this, the list of PolicyAncestorStatus structs
MUST be treated as a map with a composite key, made up of the AncestorRef
and ControllerName fields combined.
A maximum of 16 ancestors will be represented in this list. An empty list
means the Policy is not relevant for any ancestors.
If this slice is full, implementations MUST NOT add further entries.
Instead they MUST consider the policy unimplementable and signal that
on any related resources such as the ancestor that would be referenced
here. For example, if this list was full on BackendTLSPolicy, no
additional Gateways would be able to reference the Service targeted by
the BackendTLSPolicy.
items:
description: |-
PolicyAncestorStatus describes the status of a route with respect to an
associated Ancestor.
Ancestors refer to objects that are either the Target of a policy or above it
in terms of object hierarchy. For example, if a policy targets a Service, the
Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
useful object to place Policy status on, so we recommend that implementations
SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
have a _very_ good reason otherwise.
In the context of policy attachment, the Ancestor is used to distinguish which
resource results in a distinct application of this policy. For example, if a policy
targets a Service, it may have a distinct result per attached Gateway.
Policies targeting the same resource may have different effects depending on the
ancestors of those resources. For example, different Gateways targeting the same
Service may have different capabilities, especially if they have different underlying
implementations.
For example, in BackendTLSPolicy, the Policy attaches to a Service that is
used as a backend in a HTTPRoute that is itself attached to a Gateway.
In this case, the relevant object for status is the Gateway, and that is the
ancestor object referred to in this status.
Note that a parent is also an ancestor, so for objects where the parent is the
relevant object for status, this struct SHOULD still be used.
This struct is intended to be used in a slice that's effectively a map,
with a composite key made up of the AncestorRef and the ControllerName.
properties:
ancestorRef:
description: |-
AncestorRef corresponds with a ParentRef in the spec that this
PolicyAncestorStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
description: |-
Group is the group of the referent.
When unspecified, "gateway.networking.k8s.io" is inferred.
To set the core API group (such as for a "Service" kind referent),
Group must be explicitly set to "" (empty string).
Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
description: |-
Kind is kind of the referent.
There are two kinds of parent resources with "Core" support:
* Gateway (Gateway conformance profile)
* Service (Mesh conformance profile, ClusterIP Services only)
Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: |-
Name is the name of the referent.
Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
description: |-
Namespace is the namespace of the referent. When unspecified, this refers
to the local namespace of the Route.
Note that there are specific rules for ParentRefs which cross namespace
boundaries. Cross-namespace references are only valid if they are explicitly
allowed by something in the namespace they are referring to. For example:
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: |-
Port is the network port this Route targets. It can be interpreted
differently based on the type of parent resource.
When the parent resource is a Gateway, this targets all listeners
listening on the specified port that also support this kind of Route(and
select this Route). It's not recommended to set `Port` unless the
networking behaviors specified in a Route must apply to a specific port
as opposed to a listener(s) whose port(s) may be changed. When both Port
and SectionName are specified, the name and port of the selected listener
must match both specified values.
Implementations MAY choose to support other parent resources.
Implementations supporting other types of parent resources MUST clearly
document how/if Port is interpreted.
For the purpose of status, an attachment is considered successful as
long as the parent resource accepts it partially. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
description: |-
SectionName is the name of a section within the target resource. In the
following resources, SectionName is interpreted as the following:
* Gateway: Listener name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
* Service: Port name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
Implementations MAY choose to support attaching Routes to other resources.
If that is the case, they MUST clearly document how SectionName is
interpreted.
When unspecified (empty string), this will reference the entire resource.
For the purpose of status, an attachment is considered successful if at
least one section in the parent resource accepts it. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this Route, the
Route MUST be considered detached from the Gateway.
Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- name
type: object
conditions:
description: Conditions describes the status of the Policy with respect to the given Ancestor.
items:
description: Condition contains details for one aspect of the current state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
maxItems: 8
minItems: 1
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
controllerName:
description: |-
ControllerName is a domain/path string that indicates the name of the
controller that wrote this status. This corresponds with the
controllerName field on GatewayClass.
Example: "example.net/gateway-controller".
The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
valid Kubernetes names
(https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
Controllers MUST populate this field when writing status. Controllers should ensure that
entries to status populated with their ControllerName are cleaned up when they are no
longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
required:
- ancestorRef
- conditions
- controllerName
type: object
maxItems: 16
type: array
x-kubernetes-list-type: atomic
required:
- ancestors
type: object
required:
- spec
type: object
served: false
storage: false
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null
Reference in a new issue View git blame Copy permalink