diff --git a/.editorconfig b/.editorconfig
index 26b3bc7..7608475 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -31,3 +31,4 @@ indent_size = unset
indent_style = unset
insert_final_newline = unset
trim_trailing_whitespace = unset
+
diff --git a/.gitignore b/.gitignore
index f6ff082..bf20945 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,5 @@
/_public
# Additional entries
+/jsonnetfile.json
+/olm
diff --git a/.yamllint.yml b/.yamllint.yml
index 92aea6c..673f65a 100644
--- a/.yamllint.yml
+++ b/.yamllint.yml
@@ -22,3 +22,4 @@ ignore: |
manifests/
vendor/
compiled/
+ 00_gateway_api/
diff --git a/class/airlock-microgateway.yml b/class/airlock-microgateway.yml
index edeef20..1f8fc8d 100644
--- a/class/airlock-microgateway.yml
+++ b/class/airlock-microgateway.yml
@@ -1,11 +1,94 @@
parameters:
- kapitan:
- compile:
- - input_paths:
- - ${_base_directory}/component/app.jsonnet
- input_type: jsonnet
- output_path: .
- - input_paths:
- - ${_base_directory}/component/main.jsonnet
+ =_helm_chart_name: "microgateway"
+ =_release_name: "airlock-microgateway"
+ =_kapitan:
+ k8s_gw_api:
+ 'True':
+ input_paths:
+ - ${_base_directory}/dependencies/gateway-api/standard-install.yaml
+ input_type: copy
+ output_path: airlock-microgateway/00_prerequisites/00_gateway_api/
+ 'False':
+ input_paths: []
input_type: jsonnet
- output_path: airlock-microgateway/
+ output_path: ''
+ olm:
+ dependencies:
+ - type: https
+ source: ${airlock_microgateway:gateway_api:source}
+ output_path: ${_base_directory}/dependencies/gateway-api/standard-install.yaml
+ compile:
+ - input_paths:
+ - ${_base_directory}/component/app.jsonnet
+ input_type: jsonnet
+ output_path: .
+
+ - input_paths:
+ - ${_base_directory}/component/namespace.jsonnet
+ input_type: jsonnet
+ output_path: airlock-microgateway/00_prerequisites/
+
+ - input_paths:
+ - ${_base_directory}/component/olm.jsonnet
+ input_type: jsonnet
+ output_path: airlock-microgateway/01_olm/
+ # If multi-tenant:
+ # output_path: ${_instance}/olm/
+ - ${_kapitan:k8s_gw_api:${airlock_microgateway:gateway_api:enabled}}
+ - input_paths:
+ - ${_base_directory}/component/main.jsonnet
+ input_type: jsonnet
+ output_path: airlock-microgateway/00_prerequisites/
+
+ helm:
+ dependencies:
+ - type: https
+ source: ${airlock_microgateway:gateway_api:source}
+ output_path: ${_base_directory}/dependencies/gateway-api/standard-install.yaml
+ - type: helm
+ chart_name: ${_helm_chart_name}
+ version: ${airlock_microgateway:charts:${_helm_chart_name}:version}
+ source: ${airlock_microgateway:charts:${_helm_chart_name}:source}
+ output_path: ${_base_directory}/helmcharts/airlock-microgateway/${airlock_microgateway:charts:${_helm_chart_name}:version}/
+
+ compile:
+ - input_paths:
+ - ${_base_directory}/component/app.jsonnet
+ input_type: jsonnet
+ output_path: .
+
+ # - input_paths: ${_kapitan:jsonnet_input_paths}
+ # input_type: jsonnet
+ # output_path: ${_instance}/
+
+ - input_paths:
+ - ${_base_directory}/component/namespace.jsonnet
+ input_type: jsonnet
+ output_path: airlock-microgateway/00_prerequisites/
+ - ${_kapitan:k8s_gw_api:${airlock_microgateway:gateway_api:enabled}}
+ - input_paths:
+ - ${_base_directory}/component/render-helm-values.jsonnet
+ input_type: jsonnet
+ output_path: ${_base_directory}/helm_values/
+ - output_path: airlock-microgateway/01_airlock-microgateway_helmchart/
+ input_type: helm
+ output_type: yaml
+ input_paths:
+ - ${_base_directory}/helmcharts/airlock-microgateway/${airlock_microgateway:charts:${_helm_chart_name}:version}/
+ helm_params:
+ name: ${_release_name}
+ namespace: ${airlock_microgateway:namespace}
+ helm_values_files:
+ - ${_base_directory}/helm_values/values.yaml
+ - input_paths:
+ - ${_base_directory}/component/main.jsonnet
+ input_type: jsonnet
+ output_path: airlock-microgateway/00_prerequisites/
+ - input_paths:
+ - ${_base_directory}/helm_values/
+ input_type: remove
+ output_path: .
+
+
+ kapitan:
+ ${_kapitan:${airlock_microgateway:install_method}}
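Review bot: The `'True'`/`'False'` keys under `=_kapitan:k8s_gw_api` are unexplained; they presumably work only because reclass renders the boolean `${airlock_microgateway:gateway_api:enabled}` as the Python strings `True`/`False` when it is nested inside the `${_kapitan:k8s_gw_api:...}` reference, and anyone who later adds a `'true'` key would get an unresolved reference instead of a compile entry. I would add above `k8s_gw_api:` the comment `# Keys must be 'True'/'False': a reclass boolean interpolates as its Python string form (confirm on upgrade).` The `'False'` branch, which compiles an empty jsonnet input list to output_path `''`, also deserves `# no-op entry; every compile item still needs input_paths/input_type` so its shape is not mistaken for a bug. The `# If multi-tenant:` lines under the olm entry read as unfinished work given `multi_tenant: false` in defaults; either complete them or mark them `TODO` with the intended condition.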
diff --git a/class/defaults.yml b/class/defaults.yml
index 327d848..fb427f4 100644
--- a/class/defaults.yml
+++ b/class/defaults.yml
@@ -1,5 +1,50 @@
parameters:
airlock_microgateway:
=_metadata:
- multi_tenant: true
+ multi_tenant: false
namespace: syn-airlock-microgateway
+
+ # Possible values: "helm", "olm"
+ install_method: helm
+
+ license: ""
+
+ network_policy:
+ namespace_selector:
+ matchLabels:
+ 'appuio.ch/waf': 'airlock'
+
+ gateway_api:
+ # Installs upstream Kubernetes Gateway API if true
+ enabled: true
+ # Kubernetes Gateway API version
+ version: "v1.2.1"
+ # Upstream Kubernetes Gateway API source
+ source: https://github.com/kubernetes-sigs/gateway-api/releases/download/${airlock_microgateway:gateway_api:version}/standard-install.yaml
+
+ # See Airlock docs: https://docs.airlock.com/microgateway/4.5/index/1726159368039.html
+ helm_values:
+ operator:
+ gatewayAPI:
+ enabled: true
+ podMonitor:
+ create: true
+ labels:
+ release: "kube-prometheus-stack"
+ serviceMonitor:
+ create: true
+ labels:
+ release: "kube-prometheus-stack"
+ dashboards:
+ create: true
+
+ olm:
+ version: "stable"
+ channel: "${airlock_microgateway:olm:version}"
+ config:
+ create_pod_monitor: true
+
+ charts:
+ microgateway:
+ version: "4.5.2"
+ source: "oci://quay.io/airlockcharts/microgateway"
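Review bot: `license: ""` is rendered verbatim into a Secret by component/main.jsonnet, so the default needs a comment telling operators to supply it as a secret reference rather than plain text in the inventory, e.g. `# License key, rendered into Secret airlock-microgateway-license; supply as a ?{vaultkv:...} reference, never plain text`. `gateway_api.enabled` (installs the upstream CRDs) and `helm_values.operator.gatewayAPI.enabled` (operator feature flag) look related but are independent toggles; a one-line comment on the latter stating that it is not derived from `gateway_api.enabled` would stop a reader from assuming one follows the other. `olm.version: "stable"` is only consumed as `olm.channel`, so naming it `version` is misleading for an OLM channel; until it is renamed, `# OLM channel name, not a chart/operator version` would help.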
diff --git a/component/main.jsonnet b/component/main.jsonnet
index d813449..fac2579 100644
--- a/component/main.jsonnet
+++ b/component/main.jsonnet
@@ -5,6 +5,31 @@ local inv = kap.inventory();
// The hiera parameters for the component
local params = inv.parameters.airlock_microgateway;
+local license_secret = kube.Secret('airlock-microgateway-license') {
+ metadata+: {
+ namespace: params.namespace,
+ },
+ data_: {
+ 'microgateway-license.txt': params.license,
+ },
+};
+
+local net_pol = kube.NetworkPolicy('allow-from-waf-namespaces') {
+ metadata+: {
+ namespace: params.namespace,
+ },
+ spec: {
+ ingress: [ {
+ from: [ {
+ namespaceSelector: params.network_policy.namespace_selector,
+ } ],
+ } ],
+ policyTypes: [ 'Ingress' ],
+ },
+};
+
// Define outputs below
{
+ '01_license_secret': license_secret,
+ '01_network_policy': net_pol,
}
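Review bot: `net_pol` uses `spec:` rather than `spec+:`, so it replaces whatever `kube.NetworkPolicy` puts in `spec` instead of merging into it the way `metadata+:` does two lines above; if the library supplies a `podSelector` (not visible from here) it is dropped, and the NetworkPolicy API expects one. I would write `spec+: { podSelector: {}, ingress: [ ... ], policyTypes: [ 'Ingress' ] }` so the policy explicitly applies to every pod in `params.namespace` and the selector is visible in the rendered manifest rather than inherited. The rule admits all ports from every pod in a namespace matching `params.network_policy.namespace_selector`, which is presumably intended for the WAF ingress path; a comment such as `// allow all ingress from namespaces matching the WAF selector; ports deliberately unrestricted` would record that decision. `license_secret` writes `params.license` unchecked, and with the default `""` it produces an empty license file, so a guard or at least a comment pointing at the expected secret reference would be worth a follow-up.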
diff --git a/component/namespace.jsonnet b/component/namespace.jsonnet
new file mode 100644
index 0000000..414130d
--- /dev/null
+++ b/component/namespace.jsonnet
@@ -0,0 +1,24 @@
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+local util = import 'util.libsonnet';
+
+local inv = kap.inventory();
+// The hiera parameters for the component
+local params = inv.parameters.airlock_microgateway;
+
+local additionalOpenshiftMeta =
+ if util.isOpenshift then
+ {
+ labels+: {
+ 'openshift.io/cluster-monitoring': 'true',
+ },
+ }
+ else
+ {};
+
+// Define outputs below
+{
+ '00_namespace': kube.Namespace(params.namespace) {
+ metadata+: additionalOpenshiftMeta,
+ },
+}
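Review bot: The `openshift.io/cluster-monitoring: 'true'` label has no comment explaining why it is added only when `util.isOpenshift` holds; presumably it opts the namespace into the platform monitoring stack, but a reader cannot tell that from this file. I would add above `additionalOpenshiftMeta`: `// On OpenShift (openshift4/oke per util.isOpenshift) label the namespace so the cluster monitoring stack scrapes resources here — confirm this is the intended scrape path.`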
diff --git a/component/olm.jsonnet b/component/olm.jsonnet
new file mode 100644
index 0000000..c453887
--- /dev/null
+++ b/component/olm.jsonnet
@@ -0,0 +1,44 @@
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+local operatorlib = import 'lib/openshift4-operators.libsonnet';
+
+local inv = kap.inventory();
+// The hiera parameters for the component
+local params = inv.parameters.airlock_microgateway;
+
+local operator_group = operatorlib.OperatorGroup('airlock-microgateway') {
+ metadata+: {
+ annotations+: {
+ 'argocd.argoproj.io/sync-wave': '-90',
+ },
+ namespace: params.namespace,
+ },
+};
+
+local operator_subscription = operatorlib.namespacedSubscription(
+ params.namespace,
+ 'airlock-microgateway',
+ params.olm.channel,
+ 'certified-operators'
+) {
+ metadata+: {
+ annotations+: {
+ 'argocd.argoproj.io/sync-wave': '-80',
+ },
+ },
+ spec+: {
+ config+: {
+ env: [
+ {
+ name: 'GATEWAY_API_POD_MONITOR_CREATE',
+ value: '%s' % params.olm.config.create_pod_monitor,
+ },
+ ],
+ },
+ },
+};
+
+{
+ [if params.install_method == 'olm' then '10_operator_group']: operator_group,
+ [if params.install_method == 'olm' then '10_operator_subscription']: operator_subscription,
+}
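Review bot: The conditional keys `[if params.install_method == 'olm' then ...]` at the end of the file duplicate a guard that class/airlock-microgateway.yml already enforces by compiling olm.jsonnet only under the `olm` install method, so the file silently renders nothing if the two ever disagree; either drop the condition here or add `// defensive: the class only compiles this file for install_method == 'olm'` so the redundancy is understood. The catalog source `'certified-operators'` is hard-coded in the subscription while the channel comes from `params.olm.channel`; a comment noting that this catalog is assumed to exist on the cluster (typically an OpenShift marketplace source) would help, and making it a parameter is a reasonable follow-up. The `-90`/`-80` sync-wave values are magic numbers; a comment stating that the OperatorGroup must be synced before the Subscription would explain the ordering.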
diff --git a/component/render-helm-values.jsonnet b/component/render-helm-values.jsonnet
new file mode 100644
index 0000000..a42bc4c
--- /dev/null
+++ b/component/render-helm-values.jsonnet
@@ -0,0 +1,10 @@
+local com = import 'lib/commodore.libjsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local inv = kap.inventory();
+local params = inv.parameters.airlock_microgateway;
+
+local helm_values = params.helm_values;
+
+{
+ values: helm_values,
+}
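Review bot: `com` is imported on the first line of render-helm-values.jsonnet but never used; the same applies to `com` and `kube` in component/util.libsonnet further down in this commit. Unused imports of the Commodore and kube libraries cost nothing at compile time but send a reader looking for a use that does not exist; drop them, or if they are kept as a template convention, say so with `// unused: kept for consistency with the other component files`. The intermediate `local helm_values = params.helm_values;` adds no information over writing `values: params.helm_values` directly.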
diff --git a/component/util.libsonnet b/component/util.libsonnet
new file mode 100644
index 0000000..7882086
--- /dev/null
+++ b/component/util.libsonnet
@@ -0,0 +1,11 @@
+local com = import 'lib/commodore.libjsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+
+local inv = kap.inventory();
+
+local isOpenshift = std.member([ 'openshift4', 'oke' ], inv.parameters.facts.distribution);
+
+{
+ isOpenshift: isOpenshift,
+}
diff --git a/docs/modules/ROOT/pages/index.adoc b/docs/modules/ROOT/pages/index.adoc
index f681aee..59740d3 100644
--- a/docs/modules/ROOT/pages/index.adoc
+++ b/docs/modules/ROOT/pages/index.adoc
@@ -1,4 +1,4 @@
-= airlock-microgateway
+= Airlock Microgateway
airlock-microgateway is a Commodore component to manage airlock-microgateway.
diff --git a/jsonnetfile.jsonnet b/jsonnetfile.jsonnet
new file mode 100644
index 0000000..882ced5
--- /dev/null
+++ b/jsonnetfile.jsonnet
@@ -0,0 +1,15 @@
+{
+ version: 1,
+ dependencies: [
+ {
+ source: {
+ git: {
+ remote: 'https://github.com/projectsyn/jsonnet-libs',
+ subdir: '',
+ },
+ },
+ version: 'main',
+ name: 'syn',
+ },
+ ],
+}
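Review bot: The `syn` dependency is pinned to `version: 'main'`, a moving branch, so two compiles of the same component revision can pull different library code; pin to a tag or commit and let the jsonnet-bundler lock file (`jsonnetfile.lock.json`) record the resolved hash. Note that `.gitignore` in this commit ignores `/jsonnetfile.json`, so double-check that the lock file itself is committed rather than ignored. If tracking `main` is a deliberate project convention, say so with `// tracks main by project convention; the lock file holds the resolved revision`.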
diff --git a/tests/disable-gateway-api.yml b/tests/disable-gateway-api.yml
new file mode 100644
index 0000000..57411ef
--- /dev/null
+++ b/tests/disable-gateway-api.yml
@@ -0,0 +1,6 @@
+# Overwrite parameters here
+
+parameters:
+ airlock_microgateway:
+ gateway_api:
+ enabled: false
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/00_prerequisites/00_gateway_api/standard-install.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/00_prerequisites/00_gateway_api/standard-install.yaml
new file mode 100644
index 0000000..5bf4f30
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/00_prerequisites/00_gateway_api/standard-install.yaml
@@ -0,0 +1,10345 @@
+# Copyright 2024 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# Gateway API Standard channel install
+#
+---
+#
+# config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/channel: standard
+ creationTimestamp: null
+ name: gatewayclasses.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: GatewayClass
+ listKind: GatewayClassList
+ plural: gatewayclasses
+ shortNames:
+ - gc
+ singular: gatewayclass
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.controllerName
+ name: Controller
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status
+ name: Accepted
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - jsonPath: .spec.description
+ name: Description
+ priority: 1
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ GatewayClass describes a class of Gateways available to the user for creating
+ Gateway resources.
+
+ It is recommended that this resource be used as a template for Gateways. This
+ means that a Gateway is based on the state of the GatewayClass at the time it
+ was created and changes to the GatewayClass or associated parameters are not
+ propagated down to existing Gateways. This recommendation is intended to
+ limit the blast radius of changes to GatewayClass or associated parameters.
+ If implementations choose to propagate GatewayClass changes to existing
+ Gateways, that MUST be clearly documented by the implementation.
+
+ Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ associated GatewayClass. This ensures that a GatewayClass associated with a
+ Gateway is not deleted while in use.
+
+ GatewayClass is a Cluster level resource.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of GatewayClass.
+ properties:
+ controllerName:
+ description: |-
+ ControllerName is the name of the controller that is managing Gateways of
+ this class. The value of this field MUST be a domain prefixed path.
+
+ Example: "example.net/gateway-controller".
+
+ This field is not mutable and cannot be empty.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ x-kubernetes-validations:
+ - message: Value is immutable
+ rule: self == oldSelf
+ description:
+ description: Description helps describe a GatewayClass with more details.
+ maxLength: 64
+ type: string
+ parametersRef:
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the GatewayClass. This is optional if the
+ controller does not require any additional configuration.
+
+ ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+ or an implementation-specific custom resource. The resource can be
+ cluster-scoped or namespace-scoped.
+
+ If the referent cannot be found, refers to an unsupported kind, or when
+ the data within that resource is malformed, the GatewayClass SHOULD be
+ rejected with the "Accepted" status condition set to "False" and an
+ "InvalidParameters" reason.
+
+ A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent.
+ This field is required when referring to a Namespace-scoped resource and
+ MUST be unset when referring to a Cluster-scoped resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - controllerName
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: |-
+ Status defines the current state of GatewayClass.
+
+ Implementations MUST populate status on all GatewayClass resources which
+ specify their controller name.
+ properties:
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: |-
+ Conditions is the current status from the controller for
+ this GatewayClass.
+
+ Controllers should prefer to publish conditions using values
+ of GatewayClassConditionType for the type of each Condition.
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .spec.controllerName
+ name: Controller
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status
+ name: Accepted
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - jsonPath: .spec.description
+ name: Description
+ priority: 1
+ type: string
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ GatewayClass describes a class of Gateways available to the user for creating
+ Gateway resources.
+
+ It is recommended that this resource be used as a template for Gateways. This
+ means that a Gateway is based on the state of the GatewayClass at the time it
+ was created and changes to the GatewayClass or associated parameters are not
+ propagated down to existing Gateways. This recommendation is intended to
+ limit the blast radius of changes to GatewayClass or associated parameters.
+ If implementations choose to propagate GatewayClass changes to existing
+ Gateways, that MUST be clearly documented by the implementation.
+
+ Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ associated GatewayClass. This ensures that a GatewayClass associated with a
+ Gateway is not deleted while in use.
+
+ GatewayClass is a Cluster level resource.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of GatewayClass.
+ properties:
+ controllerName:
+ description: |-
+ ControllerName is the name of the controller that is managing Gateways of
+ this class. The value of this field MUST be a domain prefixed path.
+
+ Example: "example.net/gateway-controller".
+
+ This field is not mutable and cannot be empty.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ x-kubernetes-validations:
+ - message: Value is immutable
+ rule: self == oldSelf
+ description:
+ description: Description helps describe a GatewayClass with more details.
+ maxLength: 64
+ type: string
+ parametersRef:
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the GatewayClass. This is optional if the
+ controller does not require any additional configuration.
+
+ ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+ or an implementation-specific custom resource. The resource can be
+ cluster-scoped or namespace-scoped.
+
+ If the referent cannot be found, refers to an unsupported kind, or when
+ the data within that resource is malformed, the GatewayClass SHOULD be
+ rejected with the "Accepted" status condition set to "False" and an
+ "InvalidParameters" reason.
+
+ A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent.
+ This field is required when referring to a Namespace-scoped resource and
+ MUST be unset when referring to a Cluster-scoped resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - controllerName
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: |-
+ Status defines the current state of GatewayClass.
+
+ Implementations MUST populate status on all GatewayClass resources which
+ specify their controller name.
+ properties:
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: |-
+ Conditions is the current status from the controller for
+ this GatewayClass.
+
+ Controllers should prefer to publish conditions using values
+ of GatewayClassConditionType for the type of each Condition.
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/standard/gateway.networking.k8s.io_gateways.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/channel: standard
+ creationTimestamp: null
+ name: gateways.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: Gateway
+ listKind: GatewayList
+ plural: gateways
+ shortNames:
+ - gtw
+ singular: gateway
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.gatewayClassName
+ name: Class
+ type: string
+ - jsonPath: .status.addresses[*].value
+ name: Address
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+ name: Programmed
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Gateway represents an instance of a service-traffic handling infrastructure
+ by binding Listeners to a set of IP addresses.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of Gateway.
+ properties:
+ addresses:
+ description: |+
+ Addresses requested for this Gateway. This is optional and behavior can
+ depend on the implementation. If a value is set in the spec and the
+ requested address is invalid or unavailable, the implementation MUST
+ indicate this in the associated entry in GatewayStatus.Addresses.
+
+ The Addresses field represents a request for the address(es) on the
+ "outside of the Gateway", that traffic bound for this Gateway will use.
+ This could be the IP address or hostname of an external load balancer or
+ other networking infrastructure, or some other address that traffic will
+ be sent to.
+
+ If no Addresses are specified, the implementation MAY schedule the
+ Gateway in an implementation-specific manner, assigning an appropriate
+ set of Addresses.
+
+ The implementation MUST bind all Listeners to every GatewayAddress that
+ it assigns to the Gateway and add a corresponding entry in
+ GatewayStatus.Addresses.
+
+ Support: Extended
+
+ items:
+ description: GatewayAddress describes an address that can be bound
+ to a Gateway.
+ oneOf:
+ - properties:
+ type:
+ enum:
+ - IPAddress
+ value:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ - properties:
+ type:
+ not:
+ enum:
+ - IPAddress
+ properties:
+ type:
+ default: IPAddress
+ description: Type of the address.
+ maxLength: 253
+ minLength: 1
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ value:
+ description: |-
+ Value of the address. The validity of the values will depend
+ on the type and support by the controller.
+
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ x-kubernetes-validations:
+ - message: Hostname value must only contain valid characters (matching
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
+ true'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: IPAddress values must be unique
+ rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,
+ a2.type == a1.type && a2.value == a1.value) : true )'
+ - message: Hostname values must be unique
+ rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
+ a2.type == a1.type && a2.value == a1.value) : true )'
+ gatewayClassName:
+ description: |-
+ GatewayClassName used for this Gateway. This is the name of a
+ GatewayClass resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ infrastructure:
+ description: |-
+ Infrastructure defines infrastructure level attributes about this Gateway instance.
+
+ Support: Extended
+ properties:
+ annotations:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: |-
+ Annotations that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+
+ An implementation may chose to add additional implementation-specific annotations as they see fit.
+
+ Support: Extended
+ maxProperties: 8
+ type: object
+ x-kubernetes-validations:
+ - message: Annotation keys must be in the form of an optional
+ DNS subdomain prefix followed by a required name segment of
+ up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the annotation key's prefix must be a
+ DNS subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ labels:
+ additionalProperties:
+ description: |-
+ LabelValue is the value of a label in the Gateway API. This is used for validation
+ of maps such as Gateway infrastructure labels. This matches the Kubernetes
+ label validation rules:
+ * must be 63 characters or less (can be empty),
+ * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]),
+ * could contain dashes (-), underscores (_), dots (.), and alphanumerics between.
+
+ Valid values include:
+
+ * MyValue
+ * my.name
+ * 123-my-value
+ maxLength: 63
+ minLength: 0
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ Labels that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+
+ An implementation may chose to add additional implementation-specific labels as they see fit.
+
+ If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+ change, it SHOULD clearly warn about this behavior in documentation.
+
+ Support: Extended
+ maxProperties: 8
+ type: object
+ x-kubernetes-validations:
+ - message: Label keys must be in the form of an optional DNS subdomain
+ prefix followed by a required name segment of up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the label key's prefix must be a DNS
+ subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ parametersRef:
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the Gateway. This is optional if the
+ controller does not require any additional configuration.
+
+ This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+
+ The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ type: object
+ listeners:
+ description: |-
+ Listeners associated with this Gateway. Listeners define
+ logical endpoints that are bound on this Gateway's addresses.
+ At least one Listener MUST be specified.
+
+ Each Listener in a set of Listeners (for example, in a single Gateway)
+ MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+ exactly one listener. (This section uses "set of Listeners" rather than
+ "Listeners in a single Gateway" because implementations MAY merge configuration
+ from multiple Gateways onto a single data plane, and these rules _also_
+ apply in that case).
+
+ Practically, this means that each listener in a set MUST have a unique
+ combination of Port, Protocol, and, if supported by the protocol, Hostname.
+
+ Some combinations of port, protocol, and TLS settings are considered
+ Core support and MUST be supported by implementations based on their
+ targeted conformance profile:
+
+ HTTP Profile
+
+ 1. HTTPRoute, Port: 80, Protocol: HTTP
+ 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+
+ TLS Profile
+
+ 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+
+ "Distinct" Listeners have the following property:
+
+ The implementation can match inbound requests to a single distinct
+ Listener. When multiple Listeners share values for fields (for
+ example, two Listeners with the same Port value), the implementation
+ can match requests to only one of the Listeners using other
+ Listener fields.
+
+ For example, the following Listener scenarios are distinct:
+
+ 1. Multiple Listeners with the same Port that all use the "HTTP"
+ Protocol that all have unique Hostname values.
+ 2. Multiple Listeners with the same Port that use either the "HTTPS" or
+ "TLS" Protocol that all have unique Hostname values.
+ 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener
+ with the same Protocol has the same Port value.
+
+ Some fields in the Listener struct have possible values that affect
+ whether the Listener is distinct. Hostname is particularly relevant
+ for HTTP or HTTPS protocols.
+
+ When using the Hostname value to select between same-Port, same-Protocol
+ Listeners, the Hostname value must be different on each Listener for the
+ Listener to be distinct.
+
+ When the Listeners are distinct based on Hostname, inbound request
+ hostnames MUST match from the most specific to least specific Hostname
+ values to choose the correct Listener and its associated set of Routes.
+
+ Exact matches must be processed before wildcard matches, and wildcard
+ matches must be processed before fallback (empty Hostname value)
+ matches. For example, `"foo.example.com"` takes precedence over
+ `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+
+ Additionally, if there are multiple wildcard entries, more specific
+ wildcard entries must be processed before less specific wildcard entries.
+ For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+ The precise definition here is that the higher the number of dots in the
+ hostname to the right of the wildcard character, the higher the precedence.
+
+ The wildcard character will match any number of characters _and dots_ to
+ the left, however, so `"*.example.com"` will match both
+ `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+
+ If a set of Listeners contains Listeners that are not distinct, then those
+ Listeners are Conflicted, and the implementation MUST set the "Conflicted"
+ condition in the Listener Status to "True".
+
+ Implementations MAY choose to accept a Gateway with some Conflicted
+ Listeners only if they only accept the partial Listener set that contains
+ no Conflicted Listeners. To put this another way, implementations may
+ accept a partial Listener set only if they throw out *all* the conflicting
+ Listeners. No picking one of the conflicting listeners as the winner.
+ This also means that the Gateway must have at least one non-conflicting
+ Listener in this case, otherwise it violates the requirement that at
+ least one Listener must be present.
+
+ The implementation MUST set a "ListenersNotValid" condition on the
+ Gateway Status when the Gateway contains Conflicted Listeners whether or
+ not they accept the Gateway. That Condition SHOULD clearly
+ indicate in the Message which Listeners are conflicted, and which are
+ Accepted. Additionally, the Listener status for those listeners SHOULD
+ indicate which Listeners are conflicted and not Accepted.
+
+ A Gateway's Listeners are considered "compatible" if:
+
+ 1. They are distinct.
+ 2. The implementation can serve them in compliance with the Addresses
+ requirement that all Listeners are available on all assigned
+ addresses.
+
+ Compatible combinations in Extended support are expected to vary across
+ implementations. A combination that is compatible for one implementation
+ may not be compatible for another.
+
+ For example, an implementation that cannot serve both TCP and UDP listeners
+ on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+ would not consider those cases compatible, even though they are distinct.
+
+ Note that requests SHOULD match at most one Listener. For example, if
+ Listeners are defined for "foo.example.com" and "*.example.com", a
+ request to "foo.example.com" SHOULD only be routed using routes attached
+ to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+ This concept is known as "Listener Isolation". Implementations that do
+ not support Listener Isolation MUST clearly document this.
+
+ Implementations MAY merge separate Gateways onto a single set of
+ Addresses if all Listeners across all Gateways are compatible.
+
+ Support: Core
+ items:
+ description: |-
+ Listener embodies the concept of a logical endpoint where a Gateway accepts
+ network connections.
+ properties:
+ allowedRoutes:
+ default:
+ namespaces:
+ from: Same
+ description: |-
+ AllowedRoutes defines the types of routes that MAY be attached to a
+ Listener and the trusted namespaces where those Route resources MAY be
+ present.
+
+ Although a client request may match multiple route rules, only one rule
+ may ultimately receive the request. Matching precedence MUST be
+ determined in order of the following criteria:
+
+ * The most specific match as defined by the Route type.
+ * The oldest Route based on creation timestamp. For example, a Route with
+ a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+ a Route with a creation timestamp of "2020-09-08 01:02:04".
+ * If everything else is equivalent, the Route appearing first in
+ alphabetical order (namespace/name) should be given precedence. For
+ example, foo/bar is given precedence over foo/baz.
+
+ All valid rules within a Route attached to this Listener should be
+ implemented. Invalid Route rules can be ignored (sometimes that will mean
+ the full Route). If a Route rule transitions from valid to invalid,
+ support for that Route rule should be dropped to ensure consistency. For
+ example, even if a filter specified by a Route rule is invalid, the rest
+ of the rules within that Route should still be supported.
+
+ Support: Core
+ properties:
+ kinds:
+ description: |-
+ Kinds specifies the groups and kinds of Routes that are allowed to bind
+ to this Gateway Listener. When unspecified or empty, the kinds of Routes
+ selected are determined using the Listener protocol.
+
+ A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+ with the application protocol specified in the Listener's Protocol field.
+ If an implementation does not support or recognize this resource type, it
+ MUST set the "ResolvedRefs" condition to False for this Listener with the
+ "InvalidRouteKinds" reason.
+
+ Support: Core
+ items:
+ description: RouteGroupKind indicates the group and kind
+ of a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ namespaces:
+ default:
+ from: Same
+ description: |-
+ Namespaces indicates namespaces from which Routes may be attached to this
+ Listener. This is restricted to the namespace of this Gateway by default.
+
+ Support: Core
+ properties:
+ from:
+ default: Same
+ description: |-
+ From indicates where Routes will be selected for this Gateway. Possible
+ values are:
+
+ * All: Routes in all namespaces may be used by this Gateway.
+ * Selector: Routes in namespaces selected by the selector may be used by
+ this Gateway.
+ * Same: Only Routes in the same namespace may be used by this Gateway.
+
+ Support: Core
+ enum:
+ - All
+ - Selector
+ - Same
+ type: string
+ selector:
+ description: |-
+ Selector must be specified when From is set to "Selector". In that case,
+ only Routes in Namespaces matching this Selector will be selected by this
+ Gateway. This field is ignored for other values of "From".
+
+ Support: Core
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: object
+ hostname:
+ description: |-
+ Hostname specifies the virtual hostname to match for protocol types that
+ define this concept. When unspecified, all hostnames are matched. This
+ field is ignored for protocols that don't require hostname based
+ matching.
+
+ Implementations MUST apply Hostname matching appropriately for each of
+ the following protocols:
+
+ * TLS: The Listener Hostname MUST match the SNI.
+ * HTTP: The Listener Hostname MUST match the Host header of the request.
+ * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+ protocol layers as described above. If an implementation does not
+ ensure that both the SNI and Host header match the Listener hostname,
+ it MUST clearly document that.
+
+ For HTTPRoute and TLSRoute resources, there is an interaction with the
+ `spec.hostnames` array. When both listener and route specify hostnames,
+ there MUST be an intersection between the values for a Route to be
+ accepted. For more information, refer to the Route specific Hostnames
+ documentation.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ name:
+ description: |-
+ Name is the name of the Listener. This name MUST be unique within a
+ Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ port:
+ description: |-
+ Port is the network port. Multiple listeners may use the
+ same port, subject to the Listener compatibility rules.
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ description: |-
+ Protocol specifies the network protocol this listener expects to receive.
+
+ Support: Core
+ maxLength: 255
+ minLength: 1
+ pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
+ type: string
+ tls:
+ description: |-
+ TLS is the TLS configuration for the Listener. This field is required if
+ the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+ if the Protocol field is "HTTP", "TCP", or "UDP".
+
+ The association of SNIs to Certificate defined in GatewayTLSConfig is
+ defined based on the Hostname field for this listener.
+
+ The GatewayClass MUST use the longest matching SNI out of all
+ available certificates for any TLS handshake.
+
+ Support: Core
+ properties:
+ certificateRefs:
+ description: |-
+ CertificateRefs contains a series of references to Kubernetes objects that
+ contains TLS certificates and private keys. These certificates are used to
+ establish a TLS handshake for requests that match the hostname of the
+ associated listener.
+
+ A single CertificateRef to a Kubernetes Secret has "Core" support.
+ Implementations MAY choose to support attaching multiple certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ This field is required to have at least one element when the mode is set
+ to "Terminate" (default) and is optional otherwise.
+
+ CertificateRefs can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+
+ Support: Implementation-specific (More than one reference or other resource types)
+ items:
+ description: |-
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 64
+ type: array
+ mode:
+ default: Terminate
+ description: |-
+ Mode defines the TLS behavior for the TLS session initiated by the client.
+ There are two possible modes:
+
+ - Terminate: The TLS session between the downstream client and the
+ Gateway is terminated at the Gateway. This mode requires certificates
+ to be specified in some way, such as populating the certificateRefs
+ field.
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This
+ implies that the Gateway can't decipher the TLS stream except for
+ the ClientHello message of the TLS protocol. The certificateRefs field
+ is ignored in this mode.
+
+ Support: Core
+ enum:
+ - Terminate
+ - Passthrough
+ type: string
+ options:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: |-
+ Options are a list of key/value pairs to enable extended TLS
+ configuration for each implementation. For example, configuring the
+ minimum TLS version or supported cipher suites.
+
+ A set of common keys MAY be defined by the API in the future. To avoid
+ any ambiguity, implementation-specific definitions MUST use
+ domain-prefixed names, such as `example.com/my-custom-option`.
+ Un-prefixed names are reserved for key names defined by Gateway API.
+
+ Support: Implementation-specific
+ maxProperties: 16
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: certificateRefs or options must be specified when
+ mode is Terminate
+ rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
+ > 0 || size(self.options) > 0 : true'
+ required:
+ - name
+ - port
+ - protocol
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: tls must not be specified for protocols ['HTTP', 'TCP',
+ 'UDP']
+ rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
+ !has(l.tls) : true)'
+ - message: tls mode must be Terminate for protocol HTTPS
+ rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode
+ == '''' || l.tls.mode == ''Terminate'') : true)'
+ - message: hostname must not be specified for protocols ['TCP', 'UDP']
+ rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
+ || l.hostname == '''') : true)'
+ - message: Listener name must be unique within the Gateway
+ rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
+ - message: Combination of port, protocol and hostname must be unique
+ for each listener
+ rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol
+ == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname
+ == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'
+ required:
+ - gatewayClassName
+ - listeners
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: Status defines the current state of Gateway.
+ properties:
+ addresses:
+ description: |+
+ Addresses lists the network addresses that have been bound to the
+ Gateway.
+
+ This list may differ from the addresses provided in the spec under some
+ conditions:
+
+ * no addresses are specified, all addresses are dynamically assigned
+ * a combination of specified and dynamic addresses are assigned
+ * a specified address was unusable (e.g. already in use)
+
+ items:
+ description: GatewayStatusAddress describes a network address that
+ is bound to a Gateway.
+ oneOf:
+ - properties:
+ type:
+ enum:
+ - IPAddress
+ value:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ - properties:
+ type:
+ not:
+ enum:
+ - IPAddress
+ properties:
+ type:
+ default: IPAddress
+ description: Type of the address.
+ maxLength: 253
+ minLength: 1
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ value:
+ description: |-
+ Value of the address. The validity of the values will depend
+ on the type and support by the controller.
+
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ x-kubernetes-validations:
+ - message: Hostname value must only contain valid characters (matching
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
+ true'
+ maxItems: 16
+ type: array
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: |-
+ Conditions describe the current conditions of the Gateway.
+
+ Implementations should prefer to express Gateway conditions
+ using the `GatewayConditionType` and `GatewayConditionReason`
+ constants so that operators and tools can converge on a common
+ vocabulary to describe Gateway state.
+
+ Known condition types are:
+
+ * "Accepted"
+ * "Programmed"
+ * "Ready"
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ listeners:
+ description: Listeners provide status for each unique listener port
+ defined in the Spec.
+ items:
+ description: ListenerStatus is the status associated with a Listener.
+ properties:
+ attachedRoutes:
+ description: |-
+ AttachedRoutes represents the total number of Routes that have been
+ successfully attached to this Listener.
+
+ Successful attachment of a Route to a Listener is based solely on the
+ combination of the AllowedRoutes field on the corresponding Listener
+ and the Route's ParentRefs field. A Route is successfully attached to
+ a Listener when it is selected by the Listener's AllowedRoutes field
+ AND the Route has a valid ParentRef selecting the whole Gateway
+ resource or a specific Listener as a parent resource (more detail on
+ attachment semantics can be found in the documentation on the various
+ Route kinds ParentRefs fields). Listener or Route status does not impact
+ successful attachment, i.e. the AttachedRoutes field count MUST be set
+ for Listeners with condition Accepted: false and MUST count successfully
+ attached Routes that may themselves have Accepted: false conditions.
+
+ Uses for this field include troubleshooting Route attachment and
+ measuring blast radius/impact of changes to a Listener.
+ format: int32
+ type: integer
+ conditions:
+ description: Conditions describe the current condition of this
+ listener.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ name:
+ description: Name is the name of the Listener that this status
+ corresponds to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ supportedKinds:
+ description: |-
+ SupportedKinds is the list indicating the Kinds supported by this
+ listener. This MUST represent the kinds an implementation supports for
+ that Listener configuration.
+
+ If kinds are specified in Spec that are not supported, they MUST NOT
+ appear in this list and an implementation MUST set the "ResolvedRefs"
+ condition to "False" with the "InvalidRouteKinds" reason. If both valid
+ and invalid Route kinds are specified, the implementation MUST
+ reference the valid Route kinds that have been specified.
+ items:
+ description: RouteGroupKind indicates the group and kind of
+ a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ required:
+ - attachedRoutes
+ - conditions
+ - name
+ - supportedKinds
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .spec.gatewayClassName
+ name: Class
+ type: string
+ - jsonPath: .status.addresses[*].value
+ name: Address
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+ name: Programmed
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Gateway represents an instance of a service-traffic handling infrastructure
+ by binding Listeners to a set of IP addresses.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of Gateway.
+ properties:
+ addresses:
+ description: |+
+ Addresses requested for this Gateway. This is optional and behavior can
+ depend on the implementation. If a value is set in the spec and the
+ requested address is invalid or unavailable, the implementation MUST
+ indicate this in the associated entry in GatewayStatus.Addresses.
+
+ The Addresses field represents a request for the address(es) on the
+ "outside of the Gateway", that traffic bound for this Gateway will use.
+ This could be the IP address or hostname of an external load balancer or
+ other networking infrastructure, or some other address that traffic will
+ be sent to.
+
+ If no Addresses are specified, the implementation MAY schedule the
+ Gateway in an implementation-specific manner, assigning an appropriate
+ set of Addresses.
+
+ The implementation MUST bind all Listeners to every GatewayAddress that
+ it assigns to the Gateway and add a corresponding entry in
+ GatewayStatus.Addresses.
+
+ Support: Extended
+
+ items:
+ description: GatewayAddress describes an address that can be bound
+ to a Gateway.
+ oneOf:
+ - properties:
+ type:
+ enum:
+ - IPAddress
+ value:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ - properties:
+ type:
+ not:
+ enum:
+ - IPAddress
+ properties:
+ type:
+ default: IPAddress
+ description: Type of the address.
+ maxLength: 253
+ minLength: 1
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ value:
+ description: |-
+ Value of the address. The validity of the values will depend
+ on the type and support by the controller.
+
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ x-kubernetes-validations:
+ - message: Hostname value must only contain valid characters (matching
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
+ true'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: IPAddress values must be unique
+ rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,
+ a2.type == a1.type && a2.value == a1.value) : true )'
+ - message: Hostname values must be unique
+ rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
+ a2.type == a1.type && a2.value == a1.value) : true )'
+ gatewayClassName:
+ description: |-
+ GatewayClassName used for this Gateway. This is the name of a
+ GatewayClass resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ infrastructure:
+ description: |-
+ Infrastructure defines infrastructure level attributes about this Gateway instance.
+
+ Support: Extended
+ properties:
+ annotations:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: |-
+ Annotations that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+
+ An implementation may chose to add additional implementation-specific annotations as they see fit.
+
+ Support: Extended
+ maxProperties: 8
+ type: object
+ x-kubernetes-validations:
+ - message: Annotation keys must be in the form of an optional
+ DNS subdomain prefix followed by a required name segment of
+ up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the annotation key's prefix must be a
+ DNS subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ labels:
+ additionalProperties:
+ description: |-
+ LabelValue is the value of a label in the Gateway API. This is used for validation
+ of maps such as Gateway infrastructure labels. This matches the Kubernetes
+ label validation rules:
+ * must be 63 characters or less (can be empty),
+ * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]),
+ * could contain dashes (-), underscores (_), dots (.), and alphanumerics between.
+
+ Valid values include:
+
+ * MyValue
+ * my.name
+ * 123-my-value
+ maxLength: 63
+ minLength: 0
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ Labels that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+
+ An implementation may chose to add additional implementation-specific labels as they see fit.
+
+ If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+ change, it SHOULD clearly warn about this behavior in documentation.
+
+ Support: Extended
+ maxProperties: 8
+ type: object
+ x-kubernetes-validations:
+ - message: Label keys must be in the form of an optional DNS subdomain
+ prefix followed by a required name segment of up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the label key's prefix must be a DNS
+ subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ parametersRef:
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the Gateway. This is optional if the
+ controller does not require any additional configuration.
+
+ This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+
+ The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ type: object
+ listeners:
+ description: |-
+ Listeners associated with this Gateway. Listeners define
+ logical endpoints that are bound on this Gateway's addresses.
+ At least one Listener MUST be specified.
+
+ Each Listener in a set of Listeners (for example, in a single Gateway)
+ MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+ exactly one listener. (This section uses "set of Listeners" rather than
+ "Listeners in a single Gateway" because implementations MAY merge configuration
+ from multiple Gateways onto a single data plane, and these rules _also_
+ apply in that case).
+
+ Practically, this means that each listener in a set MUST have a unique
+ combination of Port, Protocol, and, if supported by the protocol, Hostname.
+
+ Some combinations of port, protocol, and TLS settings are considered
+ Core support and MUST be supported by implementations based on their
+ targeted conformance profile:
+
+ HTTP Profile
+
+ 1. HTTPRoute, Port: 80, Protocol: HTTP
+ 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+
+ TLS Profile
+
+ 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+
+ "Distinct" Listeners have the following property:
+
+ The implementation can match inbound requests to a single distinct
+ Listener. When multiple Listeners share values for fields (for
+ example, two Listeners with the same Port value), the implementation
+ can match requests to only one of the Listeners using other
+ Listener fields.
+
+ For example, the following Listener scenarios are distinct:
+
+ 1. Multiple Listeners with the same Port that all use the "HTTP"
+ Protocol that all have unique Hostname values.
+ 2. Multiple Listeners with the same Port that use either the "HTTPS" or
+ "TLS" Protocol that all have unique Hostname values.
+ 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener
+ with the same Protocol has the same Port value.
+
+ Some fields in the Listener struct have possible values that affect
+ whether the Listener is distinct. Hostname is particularly relevant
+ for HTTP or HTTPS protocols.
+
+ When using the Hostname value to select between same-Port, same-Protocol
+ Listeners, the Hostname value must be different on each Listener for the
+ Listener to be distinct.
+
+ When the Listeners are distinct based on Hostname, inbound request
+ hostnames MUST match from the most specific to least specific Hostname
+ values to choose the correct Listener and its associated set of Routes.
+
+ Exact matches must be processed before wildcard matches, and wildcard
+ matches must be processed before fallback (empty Hostname value)
+ matches. For example, `"foo.example.com"` takes precedence over
+ `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+
+ Additionally, if there are multiple wildcard entries, more specific
+ wildcard entries must be processed before less specific wildcard entries.
+ For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+ The precise definition here is that the higher the number of dots in the
+ hostname to the right of the wildcard character, the higher the precedence.
+
+ The wildcard character will match any number of characters _and dots_ to
+ the left, however, so `"*.example.com"` will match both
+ `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+
+ If a set of Listeners contains Listeners that are not distinct, then those
+ Listeners are Conflicted, and the implementation MUST set the "Conflicted"
+ condition in the Listener Status to "True".
+
+ Implementations MAY choose to accept a Gateway with some Conflicted
+ Listeners only if they only accept the partial Listener set that contains
+ no Conflicted Listeners. To put this another way, implementations may
+ accept a partial Listener set only if they throw out *all* the conflicting
+ Listeners. No picking one of the conflicting listeners as the winner.
+ This also means that the Gateway must have at least one non-conflicting
+ Listener in this case, otherwise it violates the requirement that at
+ least one Listener must be present.
+
+ The implementation MUST set a "ListenersNotValid" condition on the
+ Gateway Status when the Gateway contains Conflicted Listeners whether or
+ not they accept the Gateway. That Condition SHOULD clearly
+ indicate in the Message which Listeners are conflicted, and which are
+ Accepted. Additionally, the Listener status for those listeners SHOULD
+ indicate which Listeners are conflicted and not Accepted.
+
+ A Gateway's Listeners are considered "compatible" if:
+
+ 1. They are distinct.
+ 2. The implementation can serve them in compliance with the Addresses
+ requirement that all Listeners are available on all assigned
+ addresses.
+
+ Compatible combinations in Extended support are expected to vary across
+ implementations. A combination that is compatible for one implementation
+ may not be compatible for another.
+
+ For example, an implementation that cannot serve both TCP and UDP listeners
+ on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+ would not consider those cases compatible, even though they are distinct.
+
+ Note that requests SHOULD match at most one Listener. For example, if
+ Listeners are defined for "foo.example.com" and "*.example.com", a
+ request to "foo.example.com" SHOULD only be routed using routes attached
+ to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+ This concept is known as "Listener Isolation". Implementations that do
+ not support Listener Isolation MUST clearly document this.
+
+ Implementations MAY merge separate Gateways onto a single set of
+ Addresses if all Listeners across all Gateways are compatible.
+
+ Support: Core
+ items:
+ description: |-
+ Listener embodies the concept of a logical endpoint where a Gateway accepts
+ network connections.
+ properties:
+ allowedRoutes:
+ default:
+ namespaces:
+ from: Same
+ description: |-
+ AllowedRoutes defines the types of routes that MAY be attached to a
+ Listener and the trusted namespaces where those Route resources MAY be
+ present.
+
+ Although a client request may match multiple route rules, only one rule
+ may ultimately receive the request. Matching precedence MUST be
+ determined in order of the following criteria:
+
+ * The most specific match as defined by the Route type.
+ * The oldest Route based on creation timestamp. For example, a Route with
+ a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+ a Route with a creation timestamp of "2020-09-08 01:02:04".
+ * If everything else is equivalent, the Route appearing first in
+ alphabetical order (namespace/name) should be given precedence. For
+ example, foo/bar is given precedence over foo/baz.
+
+ All valid rules within a Route attached to this Listener should be
+ implemented. Invalid Route rules can be ignored (sometimes that will mean
+ the full Route). If a Route rule transitions from valid to invalid,
+ support for that Route rule should be dropped to ensure consistency. For
+ example, even if a filter specified by a Route rule is invalid, the rest
+ of the rules within that Route should still be supported.
+
+ Support: Core
+ properties:
+ kinds:
+ description: |-
+ Kinds specifies the groups and kinds of Routes that are allowed to bind
+ to this Gateway Listener. When unspecified or empty, the kinds of Routes
+ selected are determined using the Listener protocol.
+
+ A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+ with the application protocol specified in the Listener's Protocol field.
+ If an implementation does not support or recognize this resource type, it
+ MUST set the "ResolvedRefs" condition to False for this Listener with the
+ "InvalidRouteKinds" reason.
+
+ Support: Core
+ items:
+ description: RouteGroupKind indicates the group and kind
+ of a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ namespaces:
+ default:
+ from: Same
+ description: |-
+ Namespaces indicates namespaces from which Routes may be attached to this
+ Listener. This is restricted to the namespace of this Gateway by default.
+
+ Support: Core
+ properties:
+ from:
+ default: Same
+ description: |-
+ From indicates where Routes will be selected for this Gateway. Possible
+ values are:
+
+ * All: Routes in all namespaces may be used by this Gateway.
+ * Selector: Routes in namespaces selected by the selector may be used by
+ this Gateway.
+ * Same: Only Routes in the same namespace may be used by this Gateway.
+
+ Support: Core
+ enum:
+ - All
+ - Selector
+ - Same
+ type: string
+ selector:
+ description: |-
+ Selector must be specified when From is set to "Selector". In that case,
+ only Routes in Namespaces matching this Selector will be selected by this
+ Gateway. This field is ignored for other values of "From".
+
+ Support: Core
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: object
+ hostname:
+ description: |-
+ Hostname specifies the virtual hostname to match for protocol types that
+ define this concept. When unspecified, all hostnames are matched. This
+ field is ignored for protocols that don't require hostname based
+ matching.
+
+ Implementations MUST apply Hostname matching appropriately for each of
+ the following protocols:
+
+ * TLS: The Listener Hostname MUST match the SNI.
+ * HTTP: The Listener Hostname MUST match the Host header of the request.
+ * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+ protocol layers as described above. If an implementation does not
+ ensure that both the SNI and Host header match the Listener hostname,
+ it MUST clearly document that.
+
+ For HTTPRoute and TLSRoute resources, there is an interaction with the
+ `spec.hostnames` array. When both listener and route specify hostnames,
+ there MUST be an intersection between the values for a Route to be
+ accepted. For more information, refer to the Route specific Hostnames
+ documentation.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ name:
+ description: |-
+ Name is the name of the Listener. This name MUST be unique within a
+ Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ port:
+ description: |-
+ Port is the network port. Multiple listeners may use the
+ same port, subject to the Listener compatibility rules.
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ description: |-
+ Protocol specifies the network protocol this listener expects to receive.
+
+ Support: Core
+ maxLength: 255
+ minLength: 1
+ pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
+ type: string
+ tls:
+ description: |-
+ TLS is the TLS configuration for the Listener. This field is required if
+ the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+ if the Protocol field is "HTTP", "TCP", or "UDP".
+
+ The association of SNIs to Certificate defined in GatewayTLSConfig is
+ defined based on the Hostname field for this listener.
+
+ The GatewayClass MUST use the longest matching SNI out of all
+ available certificates for any TLS handshake.
+
+ Support: Core
+ properties:
+ certificateRefs:
+ description: |-
+ CertificateRefs contains a series of references to Kubernetes objects that
+ contains TLS certificates and private keys. These certificates are used to
+ establish a TLS handshake for requests that match the hostname of the
+ associated listener.
+
+ A single CertificateRef to a Kubernetes Secret has "Core" support.
+ Implementations MAY choose to support attaching multiple certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ This field is required to have at least one element when the mode is set
+ to "Terminate" (default) and is optional otherwise.
+
+ CertificateRefs can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+
+ Support: Implementation-specific (More than one reference or other resource types)
+ items:
+ description: |-
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 64
+ type: array
+ mode:
+ default: Terminate
+ description: |-
+ Mode defines the TLS behavior for the TLS session initiated by the client.
+ There are two possible modes:
+
+ - Terminate: The TLS session between the downstream client and the
+ Gateway is terminated at the Gateway. This mode requires certificates
+ to be specified in some way, such as populating the certificateRefs
+ field.
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This
+ implies that the Gateway can't decipher the TLS stream except for
+ the ClientHello message of the TLS protocol. The certificateRefs field
+ is ignored in this mode.
+
+ Support: Core
+ enum:
+ - Terminate
+ - Passthrough
+ type: string
+ options:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: |-
+ Options are a list of key/value pairs to enable extended TLS
+ configuration for each implementation. For example, configuring the
+ minimum TLS version or supported cipher suites.
+
+ A set of common keys MAY be defined by the API in the future. To avoid
+ any ambiguity, implementation-specific definitions MUST use
+ domain-prefixed names, such as `example.com/my-custom-option`.
+ Un-prefixed names are reserved for key names defined by Gateway API.
+
+ Support: Implementation-specific
+ maxProperties: 16
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: certificateRefs or options must be specified when
+ mode is Terminate
+ rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
+ > 0 || size(self.options) > 0 : true'
+ required:
+ - name
+ - port
+ - protocol
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: tls must not be specified for protocols ['HTTP', 'TCP',
+ 'UDP']
+ rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
+ !has(l.tls) : true)'
+ - message: tls mode must be Terminate for protocol HTTPS
+ rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode
+ == '''' || l.tls.mode == ''Terminate'') : true)'
+ - message: hostname must not be specified for protocols ['TCP', 'UDP']
+ rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
+ || l.hostname == '''') : true)'
+ - message: Listener name must be unique within the Gateway
+ rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
+ - message: Combination of port, protocol and hostname must be unique
+ for each listener
+ rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol
+ == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname
+ == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'
+ required:
+ - gatewayClassName
+ - listeners
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: Status defines the current state of Gateway.
+ properties:
+ addresses:
+ description: |+
+ Addresses lists the network addresses that have been bound to the
+ Gateway.
+
+ This list may differ from the addresses provided in the spec under some
+ conditions:
+
+ * no addresses are specified, all addresses are dynamically assigned
+ * a combination of specified and dynamic addresses are assigned
+ * a specified address was unusable (e.g. already in use)
+
+ items:
+ description: GatewayStatusAddress describes a network address that
+ is bound to a Gateway.
+ oneOf:
+ - properties:
+ type:
+ enum:
+ - IPAddress
+ value:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ - properties:
+ type:
+ not:
+ enum:
+ - IPAddress
+ properties:
+ type:
+ default: IPAddress
+ description: Type of the address.
+ maxLength: 253
+ minLength: 1
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ value:
+ description: |-
+ Value of the address. The validity of the values will depend
+ on the type and support by the controller.
+
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ x-kubernetes-validations:
+ - message: Hostname value must only contain valid characters (matching
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
+ true'
+ maxItems: 16
+ type: array
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: |-
+ Conditions describe the current conditions of the Gateway.
+
+ Implementations should prefer to express Gateway conditions
+ using the `GatewayConditionType` and `GatewayConditionReason`
+ constants so that operators and tools can converge on a common
+ vocabulary to describe Gateway state.
+
+ Known condition types are:
+
+ * "Accepted"
+ * "Programmed"
+ * "Ready"
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ listeners:
+ description: Listeners provide status for each unique listener port
+ defined in the Spec.
+ items:
+ description: ListenerStatus is the status associated with a Listener.
+ properties:
+ attachedRoutes:
+ description: |-
+ AttachedRoutes represents the total number of Routes that have been
+ successfully attached to this Listener.
+
+ Successful attachment of a Route to a Listener is based solely on the
+ combination of the AllowedRoutes field on the corresponding Listener
+ and the Route's ParentRefs field. A Route is successfully attached to
+ a Listener when it is selected by the Listener's AllowedRoutes field
+ AND the Route has a valid ParentRef selecting the whole Gateway
+ resource or a specific Listener as a parent resource (more detail on
+ attachment semantics can be found in the documentation on the various
+ Route kinds ParentRefs fields). Listener or Route status does not impact
+ successful attachment, i.e. the AttachedRoutes field count MUST be set
+ for Listeners with condition Accepted: false and MUST count successfully
+ attached Routes that may themselves have Accepted: false conditions.
+
+ Uses for this field include troubleshooting Route attachment and
+ measuring blast radius/impact of changes to a Listener.
+ format: int32
+ type: integer
+ conditions:
+ description: Conditions describe the current condition of this
+ listener.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ name:
+ description: Name is the name of the Listener that this status
+ corresponds to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ supportedKinds:
+ description: |-
+ SupportedKinds is the list indicating the Kinds supported by this
+ listener. This MUST represent the kinds an implementation supports for
+ that Listener configuration.
+
+ If kinds are specified in Spec that are not supported, they MUST NOT
+ appear in this list and an implementation MUST set the "ResolvedRefs"
+ condition to "False" with the "InvalidRouteKinds" reason. If both valid
+ and invalid Route kinds are specified, the implementation MUST
+ reference the valid Route kinds that have been specified.
+ items:
+ description: RouteGroupKind indicates the group and kind of
+ a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ required:
+ - attachedRoutes
+ - conditions
+ - name
+ - supportedKinds
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/channel: standard
+ creationTimestamp: null
+ name: grpcroutes.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: GRPCRoute
+ listKind: GRPCRouteList
+ plural: grpcroutes
+ singular: grpcroute
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.hostnames
+ name: Hostnames
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ GRPCRoute provides a way to route gRPC requests. This includes the capability
+ to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.
+ Filters can be used to specify additional processing steps. Backends specify
+ where matching requests will be routed.
+
+ GRPCRoute falls under extended support within the Gateway API. Within the
+ following specification, the word "MUST" indicates that an implementation
+ supporting GRPCRoute must conform to the indicated requirement, but an
+ implementation not supporting this route type need not follow the requirement
+ unless explicitly indicated.
+
+ Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST
+ accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via
+ ALPN. If the implementation does not support this, then it MUST set the
+ "Accepted" condition to "False" for the affected listener with a reason of
+ "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections
+ with an upgrade from HTTP/1.
+
+ Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST
+ support HTTP/2 over cleartext TCP (h2c,
+ https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial
+ upgrade from HTTP/1.1, i.e. with prior knowledge
+ (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation
+ does not support this, then it MUST set the "Accepted" condition to "False"
+ for the affected listener with a reason of "UnsupportedProtocol".
+ Implementations MAY also accept HTTP/2 connections with an upgrade from
+ HTTP/1, i.e. without prior knowledge.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of GRPCRoute.
+ properties:
+ hostnames:
+ description: |-
+ Hostnames defines a set of hostnames to match against the GRPC
+ Host header to select a GRPCRoute to process the request. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label MUST appear by itself as the first label.
+
+ If a hostname is specified by both the Listener and GRPCRoute, there
+ MUST be at least one intersecting hostname for the GRPCRoute to be
+ attached to the Listener. For example:
+
+ * A Listener with `test.example.com` as the hostname matches GRPCRoutes
+ that have either not specified any hostnames, or have specified at
+ least one of `test.example.com` or `*.example.com`.
+ * A Listener with `*.example.com` as the hostname matches GRPCRoutes
+ that have either not specified any hostnames or have specified at least
+ one hostname that matches the Listener hostname. For example,
+ `test.example.com` and `*.example.com` would both match. On the other
+ hand, `example.com` and `test.example.net` would not match.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ If both the Listener and GRPCRoute have specified hostnames, any
+ GRPCRoute hostnames that do not match the Listener hostname MUST be
+ ignored. For example, if a Listener specified `*.example.com`, and the
+ GRPCRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` MUST NOT be considered for a match.
+
+ If both the Listener and GRPCRoute have specified hostnames, and none
+ match with the criteria above, then the GRPCRoute MUST NOT be accepted by
+ the implementation. The implementation MUST raise an 'Accepted' Condition
+ with a status of `False` in the corresponding RouteParentStatus.
+
+ If a Route (A) of type HTTPRoute or GRPCRoute is attached to a
+ Listener and that listener already has another Route (B) of the other
+ type attached and the intersection of the hostnames of A and B is
+ non-empty, then the implementation MUST accept exactly one of these two
+ routes, determined by the following criteria, in order:
+
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
+
+ The rejected Route MUST raise an 'Accepted' condition with a status of
+ 'False' in the corresponding RouteParentStatus.
+
+ Support: Core
+ items:
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ type: array
+ parentRefs:
+ description: |+
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+
+
+
+
+ items:
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-validations:
+ - message: sectionName must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''')) : true))'
+ - message: sectionName must be unique when parentRefs includes 2 or
+ more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName))))
+ rules:
+ description: |+
+ Rules are a list of GRPC matchers, filters and actions.
+
+ items:
+ description: |-
+ GRPCRouteRule defines the semantics for matching a gRPC request based on
+ conditions (matches), processing it (filters), and forwarding the request to
+ an API object (backendRefs).
+ properties:
+ backendRefs:
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent.
+
+ Failure behavior here depends on how many BackendRefs are specified and
+ how many are invalid.
+
+ If *all* entries in BackendRefs are invalid, and there are also no filters
+ specified in this route rule, *all* traffic which matches this rule MUST
+ receive an `UNAVAILABLE` status.
+
+ See the GRPCBackendRef definition for the rules about what makes a single
+ GRPCBackendRef invalid.
+
+ When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for
+ requests that would have otherwise been routed to an invalid backend. If
+ multiple backends are specified, and some are invalid, the proportion of
+ requests that would otherwise have been routed to an invalid backend
+ MUST receive an `UNAVAILABLE` status.
+
+ For example, if two backends are specified with equal weights, and one is
+ invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status.
+ Implementations may choose how that 50 percent is determined.
+
+ Support: Core for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Core
+ items:
+ description: |-
+ GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
+ properties:
+ filters:
+ description: |-
+ Filters defined at this level MUST be executed if and only if the
+ request is being forwarded to the backend defined here.
+
+ Support: Implementation-specific (For broader support of filters, use the
+ Filters field in GRPCRouteRule.)
+ items:
+ description: |-
+ GRPCRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. GRPCRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ Support: Implementation-specific
+
+ This filter can be used multiple times within the same rule.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |+
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations supporting GRPCRoute MUST support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` MUST be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ enum:
+ - ResponseHeaderModifier
+ - RequestHeaderModifier
+ - RequestMirror
+ - ExtensionRef
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil
+ if the filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type
+ != ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type
+ == ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil
+ if the filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type
+ != ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for
+ RequestMirror filter.type
+ rule: '!(!has(self.requestMirror) && self.type ==
+ ''RequestMirror'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for
+ ExtensionRef filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ filters:
+ description: |-
+ Filters define the filters that are applied to requests that match
+ this rule.
+
+ The effects of ordering of multiple behaviors are currently unspecified.
+ This can change in the future based on feedback during the alpha stage.
+
+ Conformance-levels at this level are defined based on the type of filter:
+
+ - ALL core filters MUST be supported by all implementations that support
+ GRPCRoute.
+ - Implementers are encouraged to support extended filters.
+ - Implementation-specific custom filters have no API guarantees across
+ implementations.
+
+ Specifying the same filter multiple times is not supported unless explicitly
+ indicated in the filter.
+
+ If an implementation can not support a combination of filters, it must clearly
+ document that limitation. In cases where incompatible or unsupported
+ filters are specified and cause the `Accepted` condition to be set to status
+ `False`, implementations may use the `IncompatibleFilters` reason to specify
+ this configuration error.
+
+ Support: Core
+ items:
+ description: |-
+ GRPCRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. GRPCRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ Support: Implementation-specific
+
+ This filter can be used multiple times within the same rule.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |+
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations supporting GRPCRoute MUST support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` MUST be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ enum:
+ - ResponseHeaderModifier
+ - RequestHeaderModifier
+ - RequestMirror
+ - ExtensionRef
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil if the
+ filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type !=
+ ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==
+ ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil if the
+ filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type !=
+ ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for RequestMirror
+ filter.type
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for ExtensionRef
+ filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ matches:
+ description: |-
+ Matches define conditions used for matching the rule against incoming
+ gRPC requests. Each match is independent, i.e. this rule will be matched
+ if **any** one of the matches is satisfied.
+
+ For example, take the following matches configuration:
+
+ ```
+ matches:
+ - method:
+ service: foo.bar
+ headers:
+ values:
+ version: 2
+ - method:
+ service: foo.bar.v2
+ ```
+
+ For a request to match against this rule, it MUST satisfy
+ EITHER of the two conditions:
+
+ - service of foo.bar AND contains the header `version: 2`
+ - service of foo.bar.v2
+
+ See the documentation for GRPCRouteMatch on how to specify multiple
+ match conditions to be ANDed together.
+
+ If no matches are specified, the implementation MUST match every gRPC request.
+
+ Proxy or Load Balancer routing configuration generated from GRPCRoutes
+ MUST prioritize rules based on the following criteria, continuing on
+ ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
+ Precedence MUST be given to the rule with the largest number of:
+
+ * Characters in a matching non-wildcard hostname.
+ * Characters in a matching hostname.
+ * Characters in a matching service.
+ * Characters in a matching method.
+ * Header matches.
+
+ If ties still exist across multiple Routes, matching precedence MUST be
+ determined in order of the following criteria, continuing on ties:
+
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
+
+ If ties still exist within the Route that has been given precedence,
+ matching precedence MUST be granted to the first matching rule meeting
+ the above criteria.
+ items:
+ description: |-
+ GRPCRouteMatch defines the predicate used to match requests to a given
+ action. Multiple match types are ANDed together, i.e. the match will
+ evaluate to true only if all conditions are satisfied.
+
+ For example, the match below will match a gRPC request only if its service
+ is `foo` AND it contains the `version: v1` header:
+
+ ```
+ matches:
+ - method:
+ type: Exact
+ service: "foo"
+ headers:
+ - name: "version"
+ value "v1"
+
+ ```
+ properties:
+ headers:
+ description: |-
+ Headers specifies gRPC request header matchers. Multiple match values are
+ ANDed together, meaning, a request MUST match all the specified headers
+ to select the route.
+ items:
+ description: |-
+ GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request
+ headers.
+ properties:
+ name:
+ description: |-
+ Name is the name of the gRPC Header to be matched.
+
+ If multiple entries specify equivalent header names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: Type specifies how to match against
+ the value of the header.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of the gRPC Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ method:
+ description: |-
+ Method specifies a gRPC request service/method matcher. If this field is
+ not specified, all services and methods will match.
+ properties:
+ method:
+ description: |-
+ Value of the method to match against. If left empty or omitted, will
+ match all services.
+
+ At least one of Service and Method MUST be a non-empty string.
+ maxLength: 1024
+ type: string
+ service:
+ description: |-
+ Value of the service to match against. If left empty or omitted, will
+ match any service.
+
+ At least one of Service and Method MUST be a non-empty string.
+ maxLength: 1024
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the service and/or method.
+ Support: Core (Exact with service and method specified)
+
+ Support: Implementation-specific (Exact with method specified but no service specified)
+
+ Support: Implementation-specific (RegularExpression)
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: One or both of 'service' or 'method' must be
+ specified
+ rule: 'has(self.type) ? has(self.service) || has(self.method)
+ : true'
+ - message: service must only contain valid characters
+ (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$)
+ rule: '(!has(self.type) || self.type == ''Exact'') &&
+ has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""):
+ true'
+ - message: method must only contain valid characters (matching
+ ^[A-Za-z_][A-Za-z_0-9]*$)
+ rule: '(!has(self.type) || self.type == ''Exact'') &&
+ has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""):
+ true'
+ type: object
+ maxItems: 8
+ type: array
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: While 16 rules and 64 matches per rule are allowed, the
+ total number of matches across all rules in a route must be less
+ than 128
+ rule: '(self.size() > 0 ? (has(self[0].matches) ? self[0].matches.size()
+ : 0) : 0) + (self.size() > 1 ? (has(self[1].matches) ? self[1].matches.size()
+ : 0) : 0) + (self.size() > 2 ? (has(self[2].matches) ? self[2].matches.size()
+ : 0) : 0) + (self.size() > 3 ? (has(self[3].matches) ? self[3].matches.size()
+ : 0) : 0) + (self.size() > 4 ? (has(self[4].matches) ? self[4].matches.size()
+ : 0) : 0) + (self.size() > 5 ? (has(self[5].matches) ? self[5].matches.size()
+ : 0) : 0) + (self.size() > 6 ? (has(self[6].matches) ? self[6].matches.size()
+ : 0) : 0) + (self.size() > 7 ? (has(self[7].matches) ? self[7].matches.size()
+ : 0) : 0) + (self.size() > 8 ? (has(self[8].matches) ? self[8].matches.size()
+ : 0) : 0) + (self.size() > 9 ? (has(self[9].matches) ? self[9].matches.size()
+ : 0) : 0) + (self.size() > 10 ? (has(self[10].matches) ? self[10].matches.size()
+ : 0) : 0) + (self.size() > 11 ? (has(self[11].matches) ? self[11].matches.size()
+ : 0) : 0) + (self.size() > 12 ? (has(self[12].matches) ? self[12].matches.size()
+ : 0) : 0) + (self.size() > 13 ? (has(self[13].matches) ? self[13].matches.size()
+ : 0) : 0) + (self.size() > 14 ? (has(self[14].matches) ? self[14].matches.size()
+ : 0) : 0) + (self.size() > 15 ? (has(self[15].matches) ? self[15].matches.size()
+ : 0) : 0) <= 128'
+ type: object
+ status:
+ description: Status defines the current state of GRPCRoute.
+ properties:
+ parents:
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
+ items:
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
+ properties:
+ conditions:
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
+
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
+
+ * The Route refers to a non-existent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ required:
+ - parents
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/standard/gateway.networking.k8s.io_httproutes.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/channel: standard
+ creationTimestamp: null
+ name: httproutes.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: HTTPRoute
+ listKind: HTTPRouteList
+ plural: httproutes
+ singular: httproute
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.hostnames
+ name: Hostnames
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ HTTPRoute provides a way to route HTTP requests. This includes the capability
+ to match requests by hostname, path, header, or query param. Filters can be
+ used to specify additional processing steps. Backends specify where matching
+ requests should be routed.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of HTTPRoute.
+ properties:
+ hostnames:
+ description: |-
+ Hostnames defines a set of hostnames that should match against the HTTP Host
+ header to select a HTTPRoute used to process the request. Implementations
+ MUST ignore any port value specified in the HTTP Host header while
+ performing a match and (absent of any applicable header modification
+ configuration) MUST forward this header unmodified to the backend.
+
+ Valid values for Hostnames are determined by RFC 1123 definition of a
+ hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ If a hostname is specified by both the Listener and HTTPRoute, there
+ must be at least one intersecting hostname for the HTTPRoute to be
+ attached to the Listener. For example:
+
+ * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames, or have specified at
+ least one of `test.example.com` or `*.example.com`.
+ * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames or have specified at least
+ one hostname that matches the Listener hostname. For example,
+ `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+ all match. On the other hand, `example.com` and `test.example.net` would
+ not match.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ If both the Listener and HTTPRoute have specified hostnames, any
+ HTTPRoute hostnames that do not match the Listener hostname MUST be
+ ignored. For example, if a Listener specified `*.example.com`, and the
+ HTTPRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` must not be considered for a match.
+
+ If both the Listener and HTTPRoute have specified hostnames, and none
+ match with the criteria above, then the HTTPRoute is not accepted. The
+ implementation must raise an 'Accepted' Condition with a status of
+ `False` in the corresponding RouteParentStatus.
+
+ In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+ overlapping wildcard matching and exact matching hostnames), precedence must
+ be given to rules from the HTTPRoute with the largest number of:
+
+ * Characters in a matching non-wildcard hostname.
+ * Characters in a matching hostname.
+
+ If ties exist across multiple Routes, the matching precedence rules for
+ HTTPRouteMatches takes over.
+
+ Support: Core
+ items:
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ type: array
+ parentRefs:
+ description: |+
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+
+
+
+
+ items:
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-validations:
+ - message: sectionName must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''')) : true))'
+ - message: sectionName must be unique when parentRefs includes 2 or
+ more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName))))
+ rules:
+ default:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ description: |+
+ Rules are a list of HTTP matchers, filters and actions.
+
+ items:
+ description: |-
+ HTTPRouteRule defines semantics for matching an HTTP request based on
+ conditions (matches), processing it (filters), and forwarding the request to
+ an API object (backendRefs).
+ properties:
+ backendRefs:
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent.
+
+ Failure behavior here depends on how many BackendRefs are specified and
+ how many are invalid.
+
+ If *all* entries in BackendRefs are invalid, and there are also no filters
+ specified in this route rule, *all* traffic which matches this rule MUST
+ receive a 500 status code.
+
+ See the HTTPBackendRef definition for the rules about what makes a single
+ HTTPBackendRef invalid.
+
+ When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+ requests that would have otherwise been routed to an invalid backend. If
+ multiple backends are specified, and some are invalid, the proportion of
+ requests that would otherwise have been routed to an invalid backend
+ MUST receive a 500 status code.
+
+ For example, if two backends are specified with equal weights, and one is
+ invalid, 50 percent of traffic must receive a 500. Implementations may
+ choose how that 50 percent is determined.
+
+ When a HTTPBackendRef refers to a Service that has no ready endpoints,
+ implementations SHOULD return a 503 for requests to that backend instead.
+ If an implementation chooses to do this, all of the above rules for 500 responses
+ MUST also apply for responses that return a 503.
+
+ Support: Core for Kubernetes Service
+
+ Support: Extended for Kubernetes ServiceImport
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Core
+ items:
+ description: |-
+ HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
+ properties:
+ filters:
+ description: |-
+ Filters defined at this level should be executed if and only if the
+ request is being forwarded to the backend defined here.
+
+ Support: Implementation-specific (For broader support of filters, use the
+ Filters field in HTTPRouteRule.)
+ items:
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ This filter can be used multiple times within the same rule.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ requestRedirect:
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
+
+ Support: Core
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
+
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
+
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Extended
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Core
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ type: string
+ urlRewrite:
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
+
+ Support: Extended
+ properties:
+ hostname:
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines a path rewrite.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil
+ if the filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type
+ != ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type
+ == ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil
+ if the filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type
+ != ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for
+ RequestMirror filter.type
+ rule: '!(!has(self.requestMirror) && self.type ==
+ ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the
+ filter.type is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type !=
+ ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified
+ for RequestRedirect filter.type
+ rule: '!(!has(self.requestRedirect) && self.type ==
+ ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for
+ ExtensionRef filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size()
+ <= 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size()
+ <= 1
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ filters:
+ description: |-
+ Filters define the filters that are applied to requests that match
+ this rule.
+
+ Wherever possible, implementations SHOULD implement filters in the order
+ they are specified.
+
+ Implementations MAY choose to implement this ordering strictly, rejecting
+ any combination or order of filters that can not be supported. If implementations
+ choose a strict interpretation of filter ordering, they MUST clearly document
+ that behavior.
+
+ To reject an invalid combination or order of filters, implementations SHOULD
+ consider the Route Rules with this configuration invalid. If all Route Rules
+ in a Route are invalid, the entire Route would be considered invalid. If only
+ a portion of Route Rules are invalid, implementations MUST set the
+ "PartiallyInvalid" condition for the Route.
+
+ Conformance-levels at this level are defined based on the type of filter:
+
+ - ALL core filters MUST be supported by all implementations.
+ - Implementers are encouraged to support extended filters.
+ - Implementation-specific custom filters have no API guarantees across
+ implementations.
+
+ Specifying the same filter multiple times is not supported unless explicitly
+ indicated in the filter.
+
+ All filters are expected to be compatible with each other except for the
+ URLRewrite and RequestRedirect filters, which may not be combined. If an
+ implementation can not support other combinations of filters, they must clearly
+ document that limitation. In cases where incompatible or unsupported
+ filters are specified and cause the `Accepted` condition to be set to status
+ `False`, implementations may use the `IncompatibleFilters` reason to specify
+ this configuration error.
+
+ Support: Core
+ items:
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ This filter can be used multiple times within the same rule.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ requestRedirect:
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
+
+ Support: Core
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
+
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
+
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Extended
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Core
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ type: string
+ urlRewrite:
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
+
+ Support: Extended
+ properties:
+ hostname:
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines a path rewrite.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil if the
+ filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type !=
+ ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==
+ ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil if the
+ filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type !=
+ ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for RequestMirror
+ filter.type
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the filter.type
+ is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified for RequestRedirect
+ filter.type
+ rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for ExtensionRef
+ filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
+ self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size() <=
+ 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size() <= 1
+ matches:
+ default:
+ - path:
+ type: PathPrefix
+ value: /
+ description: |-
+ Matches define conditions used for matching the rule against incoming
+ HTTP requests. Each match is independent, i.e. this rule will be matched
+ if **any** one of the matches is satisfied.
+
+ For example, take the following matches configuration:
+
+ ```
+ matches:
+ - path:
+ value: "/foo"
+ headers:
+ - name: "version"
+ value: "v2"
+ - path:
+ value: "/v2/foo"
+ ```
+
+ For a request to match against this rule, a request must satisfy
+ EITHER of the two conditions:
+
+ - path prefixed with `/foo` AND contains the header `version: v2`
+ - path prefix of `/v2/foo`
+
+ See the documentation for HTTPRouteMatch on how to specify multiple
+ match conditions that should be ANDed together.
+
+ If no matches are specified, the default is a prefix
+ path match on "/", which has the effect of matching every
+ HTTP request.
+
+ Proxy or Load Balancer routing configuration generated from HTTPRoutes
+ MUST prioritize matches based on the following criteria, continuing on
+ ties. Across all rules specified on applicable Routes, precedence must be
+ given to the match having:
+
+ * "Exact" path match.
+ * "Prefix" path match with largest number of characters.
+ * Method match.
+ * Largest number of header matches.
+ * Largest number of query param matches.
+
+ Note: The precedence of RegularExpression path matches are implementation-specific.
+
+ If ties still exist across multiple Routes, matching precedence MUST be
+ determined in order of the following criteria, continuing on ties:
+
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
+
+ If ties still exist within an HTTPRoute, matching precedence MUST be granted
+ to the FIRST matching rule (in list order) with a match meeting the above
+ criteria.
+
+ When no rules matching a request have been successfully attached to the
+ parent a request is coming from, a HTTP 404 status code MUST be returned.
+ items:
+ description: "HTTPRouteMatch defines the predicate used to
+ match requests to a given\naction. Multiple match types
+ are ANDed together, i.e. the match will\nevaluate to true
+ only if all conditions are satisfied.\n\nFor example, the
+ match below will match a HTTP request only if its path\nstarts
+ with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t
+ \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t
+ \ value \"v1\"\n\n```"
+ properties:
+ headers:
+ description: |-
+ Headers specifies HTTP request header matchers. Multiple match values are
+ ANDed together, meaning, a request must match all the specified headers
+ to select the route.
+ items:
+ description: |-
+ HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+ headers.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+
+ When a header is repeated in an HTTP request, it is
+ implementation-specific behavior as to how this is represented.
+ Generally, proxies should follow the guidance from the RFC:
+ https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+ processing a repeated header, with special handling for "Set-Cookie".
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the value of the header.
+
+ Support: Core (Exact)
+
+ Support: Implementation-specific (RegularExpression)
+
+ Since RegularExpression HeaderMatchType has implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other dialects
+ of regular expressions. Please read the implementation's documentation to
+ determine the supported dialect.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP Header to
+ be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ method:
+ description: |-
+ Method specifies HTTP method matcher.
+ When specified, this route will be matched only if the request has the
+ specified method.
+
+ Support: Extended
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ type: string
+ path:
+ default:
+ type: PathPrefix
+ value: /
+ description: |-
+ Path specifies a HTTP request path matcher. If this field is not
+ specified, a default prefix match on the "/" path is provided.
+ properties:
+ type:
+ default: PathPrefix
+ description: |-
+ Type specifies how to match against the path Value.
+
+ Support: Core (Exact, PathPrefix)
+
+ Support: Implementation-specific (RegularExpression)
+ enum:
+ - Exact
+ - PathPrefix
+ - RegularExpression
+ type: string
+ value:
+ default: /
+ description: Value of the HTTP path to match against.
+ maxLength: 1024
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: value must be an absolute path and start with
+ '/' when type one of ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')
+ : true'
+ - message: must not contain '//' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')
+ : true'
+ - message: must not contain '/./' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')
+ : true'
+ - message: must not contain '/../' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')
+ : true'
+ - message: must not contain '%2f' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')
+ : true'
+ - message: must not contain '%2F' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')
+ : true'
+ - message: must not contain '#' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')
+ : true'
+ - message: must not end with '/..' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')
+ : true'
+ - message: must not end with '/.' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')
+ : true'
+ - message: type must be one of ['Exact', 'PathPrefix',
+ 'RegularExpression']
+ rule: self.type in ['Exact','PathPrefix'] || self.type
+ == 'RegularExpression'
+ - message: must only contain valid characters (matching
+ ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)
+ for types ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")
+ : true'
+ queryParams:
+ description: |-
+ QueryParams specifies HTTP query parameter matchers. Multiple match
+ values are ANDed together, meaning, a request must match all the
+ specified query parameters to select the route.
+
+ Support: Extended
+ items:
+ description: |-
+ HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+ query parameters.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP query param to be matched. This must be an
+ exact string match. (See
+ https://tools.ietf.org/html/rfc7230#section-2.7.3).
+
+ If multiple entries specify equivalent query param names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent query param name MUST be ignored.
+
+ If a query param is repeated in an HTTP request, the behavior is
+ purposely left undefined, since different data planes have different
+ capabilities. However, it is *recommended* that implementations should
+ match against the first value of the param if the data plane supports it,
+ as this behavior is expected in other load balancing contexts outside of
+ the Gateway API.
+
+ Users SHOULD NOT route traffic based on repeated query params to guard
+ themselves against potential differences in the implementations.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the value of the query parameter.
+
+ Support: Extended (Exact)
+
+ Support: Implementation-specific (RegularExpression)
+
+ Since RegularExpression QueryParamMatchType has Implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other
+ dialects of regular expressions. Please read the implementation's
+ documentation to determine the supported dialect.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP query param
+ to be matched.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ maxItems: 64
+ type: array
+ timeouts:
+ description: |-
+ Timeouts defines the timeouts that can be configured for an HTTP request.
+
+ Support: Extended
+ properties:
+ backendRequest:
+ description: |-
+ BackendRequest specifies a timeout for an individual request from the gateway
+ to a backend. This covers the time from when the request first starts being
+ sent from the gateway to when the full response has been received from the backend.
+
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
+
+ An entire client HTTP transaction with a gateway, covered by the Request timeout,
+ may result in more than one call from the gateway to the destination backend,
+ for example, if automatic retries are supported.
+
+ The value of BackendRequest must be a Gateway API Duration string as defined by
+ GEP-2257. When this field is unspecified, its behavior is implementation-specific;
+ when specified, the value of BackendRequest must be no more than the value of the
+ Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ request:
+ description: |-
+ Request specifies the maximum duration for a gateway to respond to an HTTP request.
+ If the gateway has not been able to respond before this deadline is met, the gateway
+ MUST return a timeout error.
+
+ For example, setting the `rules.timeouts.request` field to the value `10s` in an
+ `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+ to complete.
+
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
+
+ This timeout is intended to cover as close to the whole request-response transaction
+ as possible although an implementation MAY choose to start the timeout after the entire
+ request stream has been received instead of immediately after the transaction is
+ initiated by the client.
+
+ The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+ field is unspecified, request timeout behavior is implementation-specific.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: backendRequest timeout cannot be longer than request
+ timeout
+ rule: '!(has(self.request) && has(self.backendRequest) &&
+ duration(self.request) != duration(''0s'') && duration(self.backendRequest)
+ > duration(self.request))'
+ type: object
+ x-kubernetes-validations:
+ - message: RequestRedirect filter must not be used together with
+ backendRefs
+ rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?
+ (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):
+ true'
+ - message: When using RequestRedirect filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||
+ self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: When using URLRewrite filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ - message: Within backendRefs, when using RequestRedirect filter
+ with path.replacePrefixMatch, exactly one PathPrefix match must
+ be specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)
+ || self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: Within backendRefs, When using URLRewrite filter with
+ path.replacePrefixMatch, exactly one PathPrefix match must be
+ specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: While 16 rules and 64 matches per rule are allowed, the
+ total number of matches across all rules in a route must be less
+ than 128
+ rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size()
+ > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size()
+ : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size()
+ > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size()
+ : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size()
+ > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size()
+ : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size()
+ > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size()
+ : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size()
+ > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size()
+ : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128'
+ type: object
+ status:
+ description: Status defines the current state of HTTPRoute.
+ properties:
+ parents:
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
+ items:
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
+ properties:
+ conditions:
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
+
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
+
+ * The Route refers to a non-existent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .spec.hostnames
+ name: Hostnames
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ HTTPRoute provides a way to route HTTP requests. This includes the capability
+ to match requests by hostname, path, header, or query param. Filters can be
+ used to specify additional processing steps. Backends specify where matching
+ requests should be routed.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of HTTPRoute.
+ properties:
+ hostnames:
+ description: |-
+ Hostnames defines a set of hostnames that should match against the HTTP Host
+ header to select a HTTPRoute used to process the request. Implementations
+ MUST ignore any port value specified in the HTTP Host header while
+ performing a match and (absent of any applicable header modification
+ configuration) MUST forward this header unmodified to the backend.
+
+ Valid values for Hostnames are determined by RFC 1123 definition of a
+ hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ If a hostname is specified by both the Listener and HTTPRoute, there
+ must be at least one intersecting hostname for the HTTPRoute to be
+ attached to the Listener. For example:
+
+ * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames, or have specified at
+ least one of `test.example.com` or `*.example.com`.
+ * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames or have specified at least
+ one hostname that matches the Listener hostname. For example,
+ `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+ all match. On the other hand, `example.com` and `test.example.net` would
+ not match.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ If both the Listener and HTTPRoute have specified hostnames, any
+ HTTPRoute hostnames that do not match the Listener hostname MUST be
+ ignored. For example, if a Listener specified `*.example.com`, and the
+ HTTPRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` must not be considered for a match.
+
+ If both the Listener and HTTPRoute have specified hostnames, and none
+ match with the criteria above, then the HTTPRoute is not accepted. The
+ implementation must raise an 'Accepted' Condition with a status of
+ `False` in the corresponding RouteParentStatus.
+
+ In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+ overlapping wildcard matching and exact matching hostnames), precedence must
+ be given to rules from the HTTPRoute with the largest number of:
+
+ * Characters in a matching non-wildcard hostname.
+ * Characters in a matching hostname.
+
+ If ties exist across multiple Routes, the matching precedence rules for
+ HTTPRouteMatches takes over.
+
+ Support: Core
+ items:
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ type: array
+ parentRefs:
+ description: |+
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+
+
+
+
+ items:
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-validations:
+ - message: sectionName must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''')) : true))'
+ - message: sectionName must be unique when parentRefs includes 2 or
+ more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName))))
+ rules:
+ default:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ description: |+
+ Rules are a list of HTTP matchers, filters and actions.
+
+ items:
+ description: |-
+ HTTPRouteRule defines semantics for matching an HTTP request based on
+ conditions (matches), processing it (filters), and forwarding the request to
+ an API object (backendRefs).
+ properties:
+ backendRefs:
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent.
+
+ Failure behavior here depends on how many BackendRefs are specified and
+ how many are invalid.
+
+ If *all* entries in BackendRefs are invalid, and there are also no filters
+ specified in this route rule, *all* traffic which matches this rule MUST
+ receive a 500 status code.
+
+ See the HTTPBackendRef definition for the rules about what makes a single
+ HTTPBackendRef invalid.
+
+ When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+ requests that would have otherwise been routed to an invalid backend. If
+ multiple backends are specified, and some are invalid, the proportion of
+ requests that would otherwise have been routed to an invalid backend
+ MUST receive a 500 status code.
+
+ For example, if two backends are specified with equal weights, and one is
+ invalid, 50 percent of traffic must receive a 500. Implementations may
+ choose how that 50 percent is determined.
+
+ When a HTTPBackendRef refers to a Service that has no ready endpoints,
+ implementations SHOULD return a 503 for requests to that backend instead.
+ If an implementation chooses to do this, all of the above rules for 500 responses
+ MUST also apply for responses that return a 503.
+
+ Support: Core for Kubernetes Service
+
+ Support: Extended for Kubernetes ServiceImport
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Core
+ items:
+ description: |-
+ HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
+ properties:
+ filters:
+ description: |-
+ Filters defined at this level should be executed if and only if the
+ request is being forwarded to the backend defined here.
+
+ Support: Implementation-specific (For broader support of filters, use the
+ Filters field in HTTPRouteRule.)
+ items:
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ This filter can be used multiple times within the same rule.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ requestRedirect:
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
+
+ Support: Core
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
+
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
+
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Extended
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Core
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ type: string
+ urlRewrite:
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
+
+ Support: Extended
+ properties:
+ hostname:
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines a path rewrite.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil
+ if the filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type
+ != ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type
+ == ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil
+ if the filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type
+ != ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for
+ RequestMirror filter.type
+ rule: '!(!has(self.requestMirror) && self.type ==
+ ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the
+ filter.type is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type !=
+ ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified
+ for RequestRedirect filter.type
+ rule: '!(!has(self.requestRedirect) && self.type ==
+ ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for
+ ExtensionRef filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size()
+ <= 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size()
+ <= 1
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ filters:
+ description: |-
+ Filters define the filters that are applied to requests that match
+ this rule.
+
+ Wherever possible, implementations SHOULD implement filters in the order
+ they are specified.
+
+ Implementations MAY choose to implement this ordering strictly, rejecting
+ any combination or order of filters that can not be supported. If implementations
+ choose a strict interpretation of filter ordering, they MUST clearly document
+ that behavior.
+
+ To reject an invalid combination or order of filters, implementations SHOULD
+ consider the Route Rules with this configuration invalid. If all Route Rules
+ in a Route are invalid, the entire Route would be considered invalid. If only
+ a portion of Route Rules are invalid, implementations MUST set the
+ "PartiallyInvalid" condition for the Route.
+
+ Conformance-levels at this level are defined based on the type of filter:
+
+ - ALL core filters MUST be supported by all implementations.
+ - Implementers are encouraged to support extended filters.
+ - Implementation-specific custom filters have no API guarantees across
+ implementations.
+
+ Specifying the same filter multiple times is not supported unless explicitly
+ indicated in the filter.
+
+ All filters are expected to be compatible with each other except for the
+ URLRewrite and RequestRedirect filters, which may not be combined. If an
+ implementation can not support other combinations of filters, they must clearly
+ document that limitation. In cases where incompatible or unsupported
+ filters are specified and cause the `Accepted` condition to be set to status
+ `False`, implementations may use the `IncompatibleFilters` reason to specify
+ this configuration error.
+
+ Support: Core
+ items:
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ This filter can be used multiple times within the same rule.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ requestRedirect:
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
+
+ Support: Core
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
+
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
+
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Extended
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Core
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ type: string
+ urlRewrite:
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
+
+ Support: Extended
+ properties:
+ hostname:
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines a path rewrite.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil if the
+ filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type !=
+ ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==
+ ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil if the
+ filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type !=
+ ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for RequestMirror
+ filter.type
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the filter.type
+ is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified for RequestRedirect
+ filter.type
+ rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for ExtensionRef
+ filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
+ self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size() <=
+ 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size() <= 1
+ matches:
+ default:
+ - path:
+ type: PathPrefix
+ value: /
+ description: |-
+ Matches define conditions used for matching the rule against incoming
+ HTTP requests. Each match is independent, i.e. this rule will be matched
+ if **any** one of the matches is satisfied.
+
+ For example, take the following matches configuration:
+
+ ```
+ matches:
+ - path:
+ value: "/foo"
+ headers:
+ - name: "version"
+ value: "v2"
+ - path:
+ value: "/v2/foo"
+ ```
+
+ For a request to match against this rule, a request must satisfy
+ EITHER of the two conditions:
+
+ - path prefixed with `/foo` AND contains the header `version: v2`
+ - path prefix of `/v2/foo`
+
+ See the documentation for HTTPRouteMatch on how to specify multiple
+ match conditions that should be ANDed together.
+
+ If no matches are specified, the default is a prefix
+ path match on "/", which has the effect of matching every
+ HTTP request.
+
+ Proxy or Load Balancer routing configuration generated from HTTPRoutes
+ MUST prioritize matches based on the following criteria, continuing on
+ ties. Across all rules specified on applicable Routes, precedence must be
+ given to the match having:
+
+ * "Exact" path match.
+ * "Prefix" path match with largest number of characters.
+ * Method match.
+ * Largest number of header matches.
+ * Largest number of query param matches.
+
+ Note: The precedence of RegularExpression path matches are implementation-specific.
+
+ If ties still exist across multiple Routes, matching precedence MUST be
+ determined in order of the following criteria, continuing on ties:
+
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
+
+ If ties still exist within an HTTPRoute, matching precedence MUST be granted
+ to the FIRST matching rule (in list order) with a match meeting the above
+ criteria.
+
+ When no rules matching a request have been successfully attached to the
+ parent a request is coming from, a HTTP 404 status code MUST be returned.
+ items:
+ description: "HTTPRouteMatch defines the predicate used to
+ match requests to a given\naction. Multiple match types
+ are ANDed together, i.e. the match will\nevaluate to true
+ only if all conditions are satisfied.\n\nFor example, the
+ match below will match a HTTP request only if its path\nstarts
+ with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t
+ \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t
+ \ value \"v1\"\n\n```"
+ properties:
+ headers:
+ description: |-
+ Headers specifies HTTP request header matchers. Multiple match values are
+ ANDed together, meaning, a request must match all the specified headers
+ to select the route.
+ items:
+ description: |-
+ HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+ headers.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+
+ When a header is repeated in an HTTP request, it is
+ implementation-specific behavior as to how this is represented.
+ Generally, proxies should follow the guidance from the RFC:
+ https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+ processing a repeated header, with special handling for "Set-Cookie".
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the value of the header.
+
+ Support: Core (Exact)
+
+ Support: Implementation-specific (RegularExpression)
+
+ Since RegularExpression HeaderMatchType has implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other dialects
+ of regular expressions. Please read the implementation's documentation to
+ determine the supported dialect.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP Header to
+ be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ method:
+ description: |-
+ Method specifies HTTP method matcher.
+ When specified, this route will be matched only if the request has the
+ specified method.
+
+ Support: Extended
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ type: string
+ path:
+ default:
+ type: PathPrefix
+ value: /
+ description: |-
+ Path specifies a HTTP request path matcher. If this field is not
+ specified, a default prefix match on the "/" path is provided.
+ properties:
+ type:
+ default: PathPrefix
+ description: |-
+ Type specifies how to match against the path Value.
+
+ Support: Core (Exact, PathPrefix)
+
+ Support: Implementation-specific (RegularExpression)
+ enum:
+ - Exact
+ - PathPrefix
+ - RegularExpression
+ type: string
+ value:
+ default: /
+ description: Value of the HTTP path to match against.
+ maxLength: 1024
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: value must be an absolute path and start with
+ '/' when type one of ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')
+ : true'
+ - message: must not contain '//' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')
+ : true'
+ - message: must not contain '/./' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')
+ : true'
+ - message: must not contain '/../' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')
+ : true'
+ - message: must not contain '%2f' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')
+ : true'
+ - message: must not contain '%2F' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')
+ : true'
+ - message: must not contain '#' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')
+ : true'
+ - message: must not end with '/..' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')
+ : true'
+ - message: must not end with '/.' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')
+ : true'
+ - message: type must be one of ['Exact', 'PathPrefix',
+ 'RegularExpression']
+ rule: self.type in ['Exact','PathPrefix'] || self.type
+ == 'RegularExpression'
+ - message: must only contain valid characters (matching
+ ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)
+ for types ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")
+ : true'
+ queryParams:
+ description: |-
+ QueryParams specifies HTTP query parameter matchers. Multiple match
+ values are ANDed together, meaning, a request must match all the
+ specified query parameters to select the route.
+
+ Support: Extended
+ items:
+ description: |-
+ HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+ query parameters.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP query param to be matched. This must be an
+ exact string match. (See
+ https://tools.ietf.org/html/rfc7230#section-2.7.3).
+
+ If multiple entries specify equivalent query param names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent query param name MUST be ignored.
+
+ If a query param is repeated in an HTTP request, the behavior is
+ purposely left undefined, since different data planes have different
+ capabilities. However, it is *recommended* that implementations should
+ match against the first value of the param if the data plane supports it,
+ as this behavior is expected in other load balancing contexts outside of
+ the Gateway API.
+
+ Users SHOULD NOT route traffic based on repeated query params to guard
+ themselves against potential differences in the implementations.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the value of the query parameter.
+
+ Support: Extended (Exact)
+
+ Support: Implementation-specific (RegularExpression)
+
+ Since RegularExpression QueryParamMatchType has Implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other
+ dialects of regular expressions. Please read the implementation's
+ documentation to determine the supported dialect.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP query param
+ to be matched.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ maxItems: 64
+ type: array
+ timeouts:
+ description: |-
+ Timeouts defines the timeouts that can be configured for an HTTP request.
+
+ Support: Extended
+ properties:
+ backendRequest:
+ description: |-
+ BackendRequest specifies a timeout for an individual request from the gateway
+ to a backend. This covers the time from when the request first starts being
+ sent from the gateway to when the full response has been received from the backend.
+
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
+
+ An entire client HTTP transaction with a gateway, covered by the Request timeout,
+ may result in more than one call from the gateway to the destination backend,
+ for example, if automatic retries are supported.
+
+ The value of BackendRequest must be a Gateway API Duration string as defined by
+ GEP-2257. When this field is unspecified, its behavior is implementation-specific;
+ when specified, the value of BackendRequest must be no more than the value of the
+ Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ request:
+ description: |-
+ Request specifies the maximum duration for a gateway to respond to an HTTP request.
+ If the gateway has not been able to respond before this deadline is met, the gateway
+ MUST return a timeout error.
+
+ For example, setting the `rules.timeouts.request` field to the value `10s` in an
+ `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+ to complete.
+
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
+
+ This timeout is intended to cover as close to the whole request-response transaction
+ as possible although an implementation MAY choose to start the timeout after the entire
+ request stream has been received instead of immediately after the transaction is
+ initiated by the client.
+
+ The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+ field is unspecified, request timeout behavior is implementation-specific.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: backendRequest timeout cannot be longer than request
+ timeout
+ rule: '!(has(self.request) && has(self.backendRequest) &&
+ duration(self.request) != duration(''0s'') && duration(self.backendRequest)
+ > duration(self.request))'
+ type: object
+ x-kubernetes-validations:
+ - message: RequestRedirect filter must not be used together with
+ backendRefs
+ rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?
+ (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):
+ true'
+ - message: When using RequestRedirect filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||
+ self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: When using URLRewrite filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ - message: Within backendRefs, when using RequestRedirect filter
+ with path.replacePrefixMatch, exactly one PathPrefix match must
+ be specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)
+ || self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: Within backendRefs, When using URLRewrite filter with
+ path.replacePrefixMatch, exactly one PathPrefix match must be
+ specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: While 16 rules and 64 matches per rule are allowed, the
+ total number of matches across all rules in a route must be less
+ than 128
+ rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size()
+ > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size()
+ : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size()
+ > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size()
+ : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size()
+ > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size()
+ : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size()
+ > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size()
+ : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size()
+ > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size()
+ : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128'
+ type: object
+ status:
+ description: Status defines the current state of HTTPRoute.
+ properties:
+ parents:
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
+ items:
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
+ properties:
+ conditions:
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
+
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
+
+ * The Route refers to a non-existent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/channel: standard
+ creationTimestamp: null
+ name: referencegrants.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: ReferenceGrant
+ listKind: ReferenceGrantList
+ plural: referencegrants
+ shortNames:
+ - refgrant
+ singular: referencegrant
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ReferenceGrant identifies kinds of resources in other namespaces that are
+ trusted to reference the specified kinds of resources in the same namespace
+ as the policy.
+
+ Each ReferenceGrant can be used to represent a unique trust relationship.
+ Additional Reference Grants can be used to add to the set of trusted
+ sources of inbound references for the namespace they are defined within.
+
+ All cross-namespace references in Gateway API (with the exception of cross-namespace
+ Gateway-route attachment) require a ReferenceGrant.
+
+ ReferenceGrant is a form of runtime verification allowing users to assert
+ which cross-namespace object references are permitted. Implementations that
+ support ReferenceGrant MUST NOT permit cross-namespace references which have
+ no grant, and MUST respond to the removal of a grant by revoking the access
+ that the grant allowed.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of ReferenceGrant.
+ properties:
+ from:
+ description: |-
+ From describes the trusted namespaces and kinds that can reference the
+ resources described in "To". Each entry in this list MUST be considered
+ to be an additional place that references can be valid from, or to put
+ this another way, entries MUST be combined using OR.
+
+ Support: Core
+ items:
+ description: ReferenceGrantFrom describes trusted namespaces and
+ kinds.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent.
+ When empty, the Kubernetes core API group is inferred.
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: |-
+ Kind is the kind of the referent. Although implementations may support
+ additional resources, the following types are part of the "Core"
+ support level for this field.
+
+ When used to permit a SecretObjectReference:
+
+ * Gateway
+
+ When used to permit a BackendObjectReference:
+
+ * GRPCRoute
+ * HTTPRoute
+ * TCPRoute
+ * TLSRoute
+ * UDPRoute
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - namespace
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ to:
+ description: |-
+ To describes the resources that may be referenced by the resources
+ described in "From". Each entry in this list MUST be considered to be an
+ additional place that references can be valid to, or to put this another
+ way, entries MUST be combined using OR.
+
+ Support: Core
+ items:
+ description: |-
+ ReferenceGrantTo describes what Kinds are allowed as targets of the
+ references.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent.
+ When empty, the Kubernetes core API group is inferred.
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: |-
+ Kind is the kind of the referent. Although implementations may support
+ additional resources, the following types are part of the "Core"
+ support level for this field:
+
+ * Secret when used to permit a SecretObjectReference
+ * Service when used to permit a BackendObjectReference
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent. When unspecified, this policy
+ refers to all resources of the specified Group and Kind in the local
+ namespace.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ required:
+ - from
+ - to
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/00_prerequisites/00_namespace.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/00_prerequisites/00_namespace.yaml
new file mode 100644
index 0000000..91c261c
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/00_prerequisites/00_namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations: {}
+ labels:
+ name: syn-airlock-microgateway
+ name: syn-airlock-microgateway
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/00_prerequisites/01_license_secret.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/00_prerequisites/01_license_secret.yaml
new file mode 100644
index 0000000..2aedd0f
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/00_prerequisites/01_license_secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+ microgateway-license.txt: ''
+kind: Secret
+metadata:
+ annotations: {}
+ labels:
+ name: airlock-microgateway-license
+ name: airlock-microgateway-license
+ namespace: syn-airlock-microgateway
+type: Opaque
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/00_prerequisites/01_network_policy.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/00_prerequisites/01_network_policy.yaml
new file mode 100644
index 0000000..33d7a9d
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/00_prerequisites/01_network_policy.yaml
@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: allow-from-waf-namespaces
+ name: allow-from-waf-namespaces
+ namespace: syn-airlock-microgateway
+spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ appuio.ch/waf: airlock
+ policyTypes:
+ - Ingress
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/accesscontrolpolicies.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/accesscontrolpolicies.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..ee697b7
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/accesscontrolpolicies.microgateway.airlock.com.yaml
@@ -0,0 +1,933 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ gateway.networking.k8s.io/policy: direct
+ name: accesscontrolpolicies.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: AccessControlPolicy
+ listKind: AccessControlPolicyList
+ plural: accesscontrolpolicies
+ singular: accesscontrolpolicy
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: AccessControlPolicy is a Direct Attached Policy for the Kubernetes
+ Gateway API. It specifies the options to perform access control with a
+ Microgateway.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of AccessControlPolicy.
+ properties:
+ policies:
+ description: Policies configures access control policies. The first
+ matching policy (from top to bottom) applies.
+ items:
+ properties:
+ authorization:
+ description: Authorization configures how requests are authorized.
+ An empty object value {} disables authorization.
+ properties:
+ authentication:
+ description: Authentication specifies that clients need
+ to be authenticated with the provided method.
+ properties:
+ oidc:
+ description: OIDC configures client authentication
+ using OpenID Connect.
+ properties:
+ introspection:
+ description: Introspection configures how token
+ introspection is performed. An empty object
+ value {} defaults to the _always_ strategy.
+ properties:
+ strategy:
+ description: Strategy defines the behavior
+ for token introspection.
+ properties:
+ always:
+ description: Always strategy defines a
+ strategy for checking every request.
+ type: object
+ random:
+ description: Random strategy defines a
+ probabilistic strategy for checking
+ the `x-th` request.
+ properties:
+ probability:
+ description: |-
+ Probability specifies the probability in % with which a request is selected to be introspected.
+ A valid value for probability must be from the range: [`0.01%`,`99.99%`].
+ To introspect the token on every request the _always_ strategy must be used.
+ maxLength: 6
+ minLength: 2
+ type: string
+ x-kubernetes-validations:
+ - message: 'Probability must have
+ a value from the valid range:
+ [`0.01%`,`99.99%`]'
+ rule: self.matches(r"""^[1-9]?[0-9](\.[0-9]{1,2})?%$""")
+ && self != '0%' && self != '0.0%'
+ && self != '0.00%'
+ required:
+ - probability
+ type: object
+ type: object
+ type: object
+ oidcRelyingPartyRef:
+ description: OIDCRelyingPartyRef configures how
+ the Airlock Microgateway Engine interacts with
+ the OpenID provider.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - oidcRelyingPartyRef
+ type: object
+ type: object
+ deny:
+ description: Deny specifies to deny access for all requests
+ matching this policy.
+ type: object
+ requireAll:
+ description: RequireAll specifies conditions which must
+ all be satisfied for the request to be authorized.
+ items:
+ properties:
+ oidc:
+ description: OIDC specifies a condition on the result
+ of an OpenID Connect flow.
+ properties:
+ claim:
+ description: Claim specifies a condition on
+ a JWT claim.
+ properties:
+ name:
+ description: Name of the claim.
+ minLength: 1
+ type: string
+ value:
+ description: |-
+ Value of the claim. If not specified, only existence of the claim is checked (any value is allowed).
+
+ Value matching is only supported if the data type of the claim is either primitive (`number`, `boolean`, `string`) or `array` of primitives.
+ In case of a non-string value, the match will be performed against the stringified value.
+
+ If the claim has an unsupported data type (e.g. `object` or `null`), its value will never match.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be
+ case-insensitive. In case of a
+ regex match, the regex gets wrapped
+ with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ required:
+ - name
+ type: object
+ required:
+ - claim
+ type: object
+ required:
+ - oidc
+ type: object
+ minItems: 1
+ type: array
+ requireAny:
+ description: RequireAny specifies conditions of which
+ at least one must be satisfied for the request to be
+ authorized.
+ items:
+ properties:
+ oidc:
+ description: OIDC specifies a condition on the result
+ of an OpenID Connect flow.
+ properties:
+ claim:
+ description: Claim specifies a condition on
+ a JWT claim.
+ properties:
+ name:
+ description: Name of the claim.
+ minLength: 1
+ type: string
+ value:
+ description: |-
+ Value of the claim. If not specified, only existence of the claim is checked (any value is allowed).
+
+ Value matching is only supported if the data type of the claim is either primitive (`number`, `boolean`, `string`) or `array` of primitives.
+ In case of a non-string value, the match will be performed against the stringified value.
+
+ If the claim has an unsupported data type (e.g. `object` or `null`), its value will never match.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be
+ case-insensitive. In case of a
+ regex match, the regex gets wrapped
+ with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ required:
+ - name
+ type: object
+ required:
+ - claim
+ type: object
+ required:
+ - oidc
+ type: object
+ minItems: 1
+ type: array
+ type: object
+ identityPropagation:
+ description: IdentityPropagation configures how the authenticated
+ user's identity is communicated to the protected application.
+ properties:
+ actions:
+ description: Actions specifies the propagation actions.
+ items:
+ properties:
+ identityPropagationRef:
+ description: IdentityPropagationRef selects an IdentityPropagation
+ to apply.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - identityPropagationRef
+ type: object
+ type: array
+ onFailure:
+ description: |-
+ OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values:
+ _Pass_: The request should be forwarded to the upstream, without including the information from the failed identity propagations.
+ enum:
+ - Pass
+ type: string
+ required:
+ - actions
+ - onFailure
+ type: object
+ requestConditions:
+ description: |-
+ RequestConditions defines additional request properties which must be matched in order for this policy to apply. A policy without request conditions will always match.
+
+ WARNING: There is currently a limitation that if `authentication.oidc` is configured for this policy, you must ensure that the request condition also matches logout requests and callback redirects from the OIDC Provider as configured in the OIDCRelyingParty (`pathMapping.logoutPath` / `pathMapping.redirectPath`).
+ properties:
+ header:
+ description: Header defines the matching headers of a
+ request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to match
+ a string. In comparison to a normal StringMatcher,
+ a value is always matched ignoring the case
+ and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a header.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to
+ match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex gets
+ wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request condition
+ should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media type
+ from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods of a
+ request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to match
+ a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether the
+ matching should be case-insensitive. In case
+ of a regex match, the regex gets wrapped with
+ a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or IPv6 CIDR
+ ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4 or IPv6\
+ \ CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the match should
+ be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - authorization
+ type: object
+ maxItems: 128
+ minItems: 1
+ type: array
+ targetRefs:
+ description: |-
+ TargetRefs are the resources this policy is being attached to. Referenced resources must be in the same namespace as the policy.
+ Support: HTTPRoute.
+ items:
+ description: |-
+ LocalPolicyTargetReference identifies an API object to apply a direct or
+ inherited policy to. This should be used as part of Policy resources
+ that can target Gateway API resources. For more information on how this
+ policy attachment model works, and a sample Policy resource, refer to
+ the policy attachment documentation for Gateway API.
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-validations:
+ - message: 'TargetRef Kind must be: HTTPRoute'
+ rule: self.all(t, t.kind == 'HTTPRoute')
+ - message: TargetRef Group must be gateway.networking.k8s.io.
+ rule: self.all(t, t.group == 'gateway.networking.k8s.io')
+ - message: Combination of name, group and kind must be unique
+ for each TargetRef
+ rule: self.all(t1, self.exists_one(t2, t1.group == t2.group
+ && t1.kind == t2.kind && t1.name == t2.name))
+ required:
+ - policies
+ - targetRefs
+ type: object
+ status:
+ description: Status defines the state of the AccessControlPolicy.
+ properties:
+ ancestors:
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
+ items:
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
+ properties:
+ ancestorRef:
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: Conditions describes the status of the Policy
+ with respect to the given Ancestor.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - 'True'
+ - 'False'
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ required:
+ - ancestorRef
+ - controllerName
+ type: object
+ maxItems: 16
+ type: array
+ required:
+ - ancestors
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/accesscontrols.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/accesscontrols.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..e9f2a41
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/accesscontrols.microgateway.airlock.com.yaml
@@ -0,0 +1,589 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: accesscontrols.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: AccessControl
+ listKind: AccessControlList
+ plural: accesscontrols
+ singular: accesscontrol
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: AccessControl specifies the options to perform access control
+ with a Microgateway Engine container.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specifies how the Airlock Microgateway Engine performs
+ access control.
+ properties:
+ policies:
+ description: Policies configures access control policies. The first
+ matching policy (from top to bottom) applies.
+ items:
+ properties:
+ authorization:
+ description: Authorization configures how requests are authorized.
+ An empty object value {} disables authorization.
+ properties:
+ authentication:
+ description: Authentication specifies that clients need
+ to be authenticated with the provided method.
+ properties:
+ oidc:
+ description: OIDC configures client authentication
+ using OpenID Connect.
+ properties:
+ introspection:
+ description: Introspection configures how token
+ introspection is performed. An empty object
+ value {} defaults to the _always_ strategy.
+ properties:
+ strategy:
+ description: Strategy defines the behavior
+ for token introspection.
+ properties:
+ always:
+ description: Always strategy defines a
+ strategy for checking every request.
+ type: object
+ random:
+ description: Random strategy defines a
+ probabilistic strategy for checking
+ the `x-th` request.
+ properties:
+ probability:
+ description: |-
+ Probability specifies the probability in % with which a request is selected to be introspected.
+ A valid value for probability must be from the range: [`0.01%`,`99.99%`].
+ To introspect the token on every request the _always_ strategy must be used.
+ maxLength: 6
+ minLength: 2
+ type: string
+ x-kubernetes-validations:
+ - message: 'Probability must have
+ a value from the valid range:
+ [`0.01%`,`99.99%`]'
+ rule: self.matches(r"""^[1-9]?[0-9](\.[0-9]{1,2})?%$""")
+ && self != '0%' && self != '0.0%'
+ && self != '0.00%'
+ required:
+ - probability
+ type: object
+ type: object
+ type: object
+ oidcRelyingPartyRef:
+ description: OIDCRelyingPartyRef configures how
+ the Airlock Microgateway Engine interacts with
+ the OpenID provider.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - oidcRelyingPartyRef
+ type: object
+ type: object
+ deny:
+ description: Deny specifies to deny access for all requests
+ matching this policy.
+ type: object
+ requireAll:
+ description: RequireAll specifies conditions which must
+ all be satisfied for the request to be authorized.
+ items:
+ properties:
+ oidc:
+ description: OIDC specifies a condition on the result
+ of an OpenID Connect flow.
+ properties:
+ claim:
+ description: Claim specifies a condition on
+ a JWT claim.
+ properties:
+ name:
+ description: Name of the claim.
+ minLength: 1
+ type: string
+ value:
+ description: |-
+ Value of the claim. If not specified, only existence of the claim is checked (any value is allowed).
+
+ Value matching is only supported if the data type of the claim is either primitive (`number`, `boolean`, `string`) or `array` of primitives.
+ In case of a non-string value, the match will be performed against the stringified value.
+
+ If the claim has an unsupported data type (e.g. `object` or `null`), its value will never match.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be
+ case-insensitive. In case of a
+ regex match, the regex gets wrapped
+ with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ required:
+ - name
+ type: object
+ required:
+ - claim
+ type: object
+ required:
+ - oidc
+ type: object
+ minItems: 1
+ type: array
+ requireAny:
+ description: RequireAny specifies conditions of which
+ at least one must be satisfied for the request to be
+ authorized.
+ items:
+ properties:
+ oidc:
+ description: OIDC specifies a condition on the result
+ of an OpenID Connect flow.
+ properties:
+ claim:
+ description: Claim specifies a condition on
+ a JWT claim.
+ properties:
+ name:
+ description: Name of the claim.
+ minLength: 1
+ type: string
+ value:
+ description: |-
+ Value of the claim. If not specified, only existence of the claim is checked (any value is allowed).
+
+ Value matching is only supported if the data type of the claim is either primitive (`number`, `boolean`, `string`) or `array` of primitives.
+ In case of a non-string value, the match will be performed against the stringified value.
+
+ If the claim has an unsupported data type (e.g. `object` or `null`), its value will never match.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be
+ case-insensitive. In case of a
+ regex match, the regex gets wrapped
+ with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ required:
+ - name
+ type: object
+ required:
+ - claim
+ type: object
+ required:
+ - oidc
+ type: object
+ minItems: 1
+ type: array
+ type: object
+ identityPropagation:
+ description: IdentityPropagation configures how the authenticated
+ user's identity is communicated to the protected application.
+ properties:
+ actions:
+ description: Actions specifies the propagation actions.
+ items:
+ properties:
+ identityPropagationRef:
+ description: IdentityPropagationRef selects an IdentityPropagation
+ to apply.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - identityPropagationRef
+ type: object
+ type: array
+ onFailure:
+ description: |-
+ OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values:
+ _Pass_: The request should be forwarded to the upstream, without including the information from the failed identity propagations.
+ enum:
+ - Pass
+ type: string
+ required:
+ - actions
+ - onFailure
+ type: object
+ requestConditions:
+ description: |-
+ RequestConditions defines additional request properties which must be matched in order for this policy to apply. A policy without request conditions will always match.
+
+ WARNING: There is currently a limitation that if `authentication.oidc` is configured for this policy, you must ensure that the request condition also matches logout requests and callback redirects from the OIDC Provider as configured in the OIDCRelyingParty (`pathMapping.logoutPath` / `pathMapping.redirectPath`).
+ properties:
+ header:
+ description: Header defines the matching headers of a
+ request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to match
+ a string. In comparison to a normal StringMatcher,
+ a value is always matched ignoring the case
+ and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a header.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to
+ match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex gets
+ wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request condition
+ should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media type
+ from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods of a
+ request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to match
+ a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether the
+ matching should be case-insensitive. In case
+ of a regex match, the regex gets wrapped with
+ a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or IPv6 CIDR
+ ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4 or IPv6\
+ \ CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the match should
+ be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - authorization
+ type: object
+ maxItems: 128
+ minItems: 1
+ type: array
+ required:
+ - policies
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/apiprotections.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/apiprotections.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..9db86a1
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/apiprotections.microgateway.airlock.com.yaml
@@ -0,0 +1,337 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: apiprotections.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: APIProtection
+ listKind: APIProtectionList
+ plural: apiprotections
+ singular: apiprotection
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: APIProtection contains the configuration for API security.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specifies the options to define API protection settings.
+ properties:
+ policies:
+ description: Policies defines the policies for API protection of
+ downstream requests.
+ items:
+ properties:
+ graphQLRef:
+ description: |-
+ GraphQLRef enables and configures GraphQL validation for requests matching this policy.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ name:
+ description: Name describing the configured policy. Must be
+ unique.
+ minLength: 1
+ type: string
+ noValidation:
+ description: NoValidation disables API protection for requests
+ matching this policy.
+ type: object
+ openAPIRef:
+ description: |-
+ OpenAPIRef enables and configures OpenAPI validation for requests matching this policy.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ requestConditions:
+ description: RequestConditions defines additional request
+ properties which must be matched in order for this policy
+ to apply.
+ properties:
+ header:
+ description: Header defines the matching headers of a
+ request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to match
+ a string. In comparison to a normal StringMatcher,
+ a value is always matched ignoring the case
+ and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a header.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to
+ match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex gets
+ wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request condition
+ should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media type
+ from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods of a
+ request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to match
+ a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether the
+ matching should be case-insensitive. In case
+ of a regex match, the regex gets wrapped with
+ a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or IPv6 CIDR
+ ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4 or IPv6\
+ \ CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the match should
+ be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/contentsecurities.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/contentsecurities.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..e68cd79
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/contentsecurities.microgateway.airlock.com.yaml
@@ -0,0 +1,168 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: contentsecurities.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: ContentSecurity
+ listKind: ContentSecurityList
+ plural: contentsecurities
+ singular: contentsecurity
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: ContentSecurity specifies the options to secure an upstream
+ web application with a Microgateway Engine container.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specifies the options to secure an upstream web application
+ with a Microgateway Engine container.
+ properties:
+ apiProtection:
+ description: |-
+ APIProtection defines the relevant configurations to protect APIs.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ **Deprecated:** Use policies in APIProtection CRD instead.
+ properties:
+ graphQLRef:
+ description: |-
+ GraphQLRef selects the relevant GraphQL configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ **Deprecated:** Use policies in APIProtection CRD instead.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ openAPIRef:
+ description: |-
+ OpenAPIRef selects the relevant OpenAPI configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ **Deprecated:** Use policies in APIProtection CRD instead.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ apiProtectionRef:
+ description: |-
+ APIProtectionRef defines the relevant configurations to protect multiple APIs on different paths.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ csrfProtectionRef:
+ description: |-
+ CSRFProtectionRef selects the relevant CSRF configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ filter:
+ description: |-
+ Filter defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests
+ to protect against various attack patterns.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ denyRulesRef:
+ description: |-
+ DenyRulesRef selects the relevant DenyRules configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ headerRewritesRef:
+ description: |-
+ HeaderRewritesRef selects the relevant HeaderRewrites.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ limitsRef:
+ description: |-
+ LimitsRef selects the relevant Limits configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ parserRef:
+ description: |-
+ ParserRef selects the relevant Parser configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/contentsecuritypolicies.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/contentsecuritypolicies.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..4db787d
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/contentsecuritypolicies.microgateway.airlock.com.yaml
@@ -0,0 +1,492 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ gateway.networking.k8s.io/policy: direct
+ name: contentsecuritypolicies.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: ContentSecurityPolicy
+ listKind: ContentSecurityPolicyList
+ plural: contentsecuritypolicies
+ singular: contentsecuritypolicy
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: ContentSecurityPolicy is a Direct Attached Policy for the Kubernetes
+ Gateway API. It specifies the options to secure an upstream web application
+ with a Microgateway.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of ContentSecurityPolicy.
+ properties:
+ secured:
+ description: Secured enables WAF processing for the routes attached
+ to this policy.
+ properties:
+ apiProtectionRef:
+ description: |-
+ APIProtectionRef defines the relevant configurations to protect multiple APIs on different paths.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ csrfProtectionRef:
+ description: |-
+ CSRFProtectionRef selects the relevant CSRF configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ filter:
+ description: |-
+ Filter defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests
+ to protect against various attack patterns.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ denyRulesRef:
+ description: |-
+ DenyRulesRef selects the relevant DenyRules configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ headerRewritesRef:
+ description: |-
+ HeaderRewritesRef selects the relevant HeaderRewrites.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ limitsRef:
+ description: |-
+ LimitsRef selects the relevant Limits configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ parserRef:
+ description: |-
+ ParserRef selects the relevant Parser configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ targetRefs:
+ description: |-
+ TargetRefs are the resources this policy is being attached to. Referenced resources must be in the same namespace as the policy.
+ Support: HTTPRoute.
+ items:
+ description: |-
+ LocalPolicyTargetReference identifies an API object to apply a direct or
+ inherited policy to. This should be used as part of Policy resources
+ that can target Gateway API resources. For more information on how this
+ policy attachment model works, and a sample Policy resource, refer to
+ the policy attachment documentation for Gateway API.
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-validations:
+ - message: 'TargetRef Kind must be: HTTPRoute'
+ rule: self.all(t, t.kind == 'HTTPRoute')
+ - message: TargetRef Group must be gateway.networking.k8s.io.
+ rule: self.all(t, t.group == 'gateway.networking.k8s.io')
+ - message: Combination of name, group and kind must be unique
+ for each TargetRef
+ rule: self.all(t1, self.exists_one(t2, t1.group == t2.group
+ && t1.kind == t2.kind && t1.name == t2.name))
+ unsecured:
+ description: |-
+ Unsecured disables all WAF functionality and therefore protection for the routes attached to this policy.
+ WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged.
+ type: object
+ required:
+ - targetRefs
+ type: object
+ status:
+ description: Status defines the state of the ContentSecurityPolicy.
+ properties:
+ ancestors:
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
+ items:
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
+ properties:
+ ancestorRef:
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: Conditions describes the status of the Policy
+ with respect to the given Ancestor.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - 'True'
+ - 'False'
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ required:
+ - ancestorRef
+ - controllerName
+ type: object
+ maxItems: 16
+ type: array
+ required:
+ - ancestors
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/csrfprotections.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/csrfprotections.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..e3993ca
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/csrfprotections.microgateway.airlock.com.yaml
@@ -0,0 +1,316 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: csrfprotections.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: CSRFProtection
+ listKind: CSRFProtectionList
+ plural: csrfprotections
+ singular: csrfprotection
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: CSRFProtection contains the configuration for CSRF.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired CSRF behavior.
+ properties:
+ exceptions:
+ description: Exceptions defines CSRF exceptions.
+ items:
+ description: CSRFProtectionException defines an exception for
+ a CSRF protection. Exceptions may be defined for requestConditions
+ (properties of a request without taking into consideration the
+ reason why a request has been blocked).
+ properties:
+ requestConditions:
+ description: RequestConditions defines an exception based
+ on a property of a request without taking into consideration
+ the reason why a request has been blocked.
+ properties:
+ header:
+ description: Header defines the matching headers of a
+ request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to match
+ a string. In comparison to a normal StringMatcher,
+ a value is always matched ignoring the case
+ and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a header.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to
+ match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex gets
+ wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request condition
+ should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media type
+ from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods of a
+ request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to match
+ a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether the
+ matching should be case-insensitive. In case
+ of a regex match, the regex gets wrapped with
+ a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or IPv6 CIDR
+ ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4 or IPv6\
+ \ CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the match should
+ be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - requestConditions
+ type: object
+ type: array
+ settings:
+ description: Settings configures the CSRF filter.
+ properties:
+ threatHandlingMode:
+ default: Block
+ description: ThreatHandlingMode specifies how threats should
+ be handled if a CSRF attack is detected.
+ enum:
+ - Block
+ - LogOnly
+ type: string
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/denyrules.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/denyrules.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..73b2a80
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/denyrules.microgateway.airlock.com.yaml
@@ -0,0 +1,1977 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: denyrules.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: DenyRules
+ listKind: DenyRulesList
+ plural: denyrules
+ singular: denyrules
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ DenyRules configures request filtering using Airlock built-in and custom deny rules.
+ Deny rules establish a negative security model. They define prohibited patterns which, when a match is found in a request, lead to it being blocked from reaching the upstream web application.
+ To handle possible false positives, lower the security level or define fine-granular deny rule exceptions
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired deny rules behavior.
+ properties:
+ request:
+ description: Request configures deny rules for downstream requests.
+ properties:
+ builtIn:
+ description: BuiltIn configures the built-in deny rules.
+ properties:
+ exceptions:
+ description: Exceptions allows to define exceptions for
+ specific requests and deny rules.
+ items:
+ description: |-
+ DenyRulesException defines an exception for deny rules. Exceptions may be defined by any or a combination of the following elements: blockedData (the request data causing a block) or requestConditions (properties of a request without taking into consideration the reason why a request has been blocked).
+ At least one of blockedData and requestConditions must be set.
+ properties:
+ blockedData:
+ description: BlockedData defines an exception based
+ on the request data causing the block.
+ properties:
+ graphQL:
+ description: |-
+ GraphQL defines an exception based on a blocked GraphQL query.
+ Only one of parameter, header, path, pathSegment, json or graphQL can be set.
+ properties:
+ argument:
+ description: |-
+ Argument defines an argument of a field of the GraphQL query.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ field:
+ description: |-
+ Field defines a field of the GraphQL query.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: |-
+ Value defines the value of an argument of the GraphQL query.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ header:
+ description: |-
+ Header defines an exception based on a blocked header.
+ Only one of parameter, header, path, pathSegment, json or graphQL can be set.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ json:
+ description: |-
+ JSON defines an exception based on a blocked JSON property.
+ Only one of parameter, header, path, pathSegment, json or graphQL can be set.
+ properties:
+ jsonPath:
+ description: |-
+ JSONPath defines the JSONPath pattern to match the path within the JSON.
+ Expressions in JSONPath i.e. `?(expr)` are not supported.
+ minLength: 1
+ type: string
+ key:
+ description: |-
+ Key defines the key of the JSON property.
+ At most one of key and value can be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: |-
+ Value defines the value of the JSON property.
+ At most one of key and value can be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ parameter:
+ description: |-
+ Parameter defines an exception based on a blocked parameter.
+ Only one of parameter, header, path, pathSegment, json or graphQL can be set.
+ properties:
+ name:
+ description: Name defines the name of a parameter.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ source:
+ default: Any
+ description: Source defines the source of
+ the parameter.
+ enum:
+ - Query
+ - Post
+ - Any
+ type: string
+ value:
+ description: Value defines the value of a
+ parameter.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ path:
+ description: |-
+ Path defines an exception based on the blocked path.
+ Only one of parameter, header, path, pathSegment, json or graphQL can be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ pathSegment:
+ description: |-
+ PathSegment defines an exception based on a blocked path segment.
+ Only one of parameter, header, path, pathSegment, json or graphQL can be set.
+ properties:
+ segments:
+ description: Segments defines the position
+ of a segment within the path.
+ properties:
+ index:
+ description: Index specifies an exact
+ path segment position by index (0-based).
+ minimum: 0
+ type: integer
+ type: object
+ value:
+ description: Value defines the value of a
+ path segment.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ type: object
+ requestConditions:
+ description: RequestConditions defines an exception
+ based on a property of a request without taking
+ into consideration the reason why a request has
+ been blocked.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request
+ condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media
+ type from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of
+ a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or
+ IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the
+ match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ ruleKeys:
+ description: RuleKeys restricts the exception to a
+ set of deny rules.
+ items:
+ description: |-
+ A deny rule name can be any of the following values:
+ ENCODING |
+ EXPLOIT |
+ HPP |
+ HTML |
+ IDOR |
+ LDAP |
+ NOSQL |
+ OGNL |
+ PHP |
+ PROTOCOL |
+ SANITY |
+ SCANNING |
+ SQL |
+ TEMPLATE |
+ UNIXCMD |
+ WINCMD |
+ XSS |
+ SSRF |
+ BOT
+ enum:
+ - ENCODING
+ - EXPLOIT
+ - HPP
+ - HTML
+ - IDOR
+ - LDAP
+ - NOSQL
+ - OGNL
+ - PHP
+ - PROTOCOL
+ - SANITY
+ - SCANNING
+ - SQL
+ - TEMPLATE
+ - UNIXCMD
+ - WINCMD
+ - XSS
+ - SSRF
+ - BOT
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ type: array
+ overrides:
+ description: Overrides allows to override the builtIn settings
+ for specific deny rules.
+ items:
+ description: DenyRulesOverride allows to override the
+ builtIn settings for specific deny rules.
+ properties:
+ conditions:
+ description: Conditions select which built-in deny
+ rules' settings will be adjusted.
+ properties:
+ ruleKeys:
+ description: RuleKeys is a list of built-in deny
+ rule names.
+ items:
+ description: |-
+ A deny rule name can be any of the following values:
+ ENCODING |
+ EXPLOIT |
+ HPP |
+ HTML |
+ IDOR |
+ LDAP |
+ NOSQL |
+ OGNL |
+ PHP |
+ PROTOCOL |
+ SANITY |
+ SCANNING |
+ SQL |
+ TEMPLATE |
+ UNIXCMD |
+ WINCMD |
+ XSS |
+ SSRF |
+ BOT
+ enum:
+ - ENCODING
+ - EXPLOIT
+ - HPP
+ - HTML
+ - IDOR
+ - LDAP
+ - NOSQL
+ - OGNL
+ - PHP
+ - PROTOCOL
+ - SANITY
+ - SCANNING
+ - SQL
+ - TEMPLATE
+ - UNIXCMD
+ - WINCMD
+ - XSS
+ - SSRF
+ - BOT
+ type: string
+ minItems: 1
+ type: array
+ types:
+ description: Types defines the type of attributes
+ the override should be applied on. If Types
+ are defined without any RuleKeys the override
+ is applied to all deny rules.
+ items:
+ description: |-
+ A deny rule override type name can be any of the following values:
+ Header |
+ Parameter |
+ Path |
+ JSON |
+ GraphQL
+ enum:
+ - Header
+ - Parameter
+ - Path
+ - PathSegment
+ - JSON
+ - GraphQL
+ type: string
+ minItems: 0
+ type: array
+ type: object
+ settings:
+ description: Settings override the corresponding properties
+ for the selected rules.
+ properties:
+ level:
+ description: Level specifies the filter strength.
+ enum:
+ - Unfiltered
+ - Basic
+ - Standard
+ - Strict
+ type: string
+ threatHandlingMode:
+ description: ThreatHandlingMode specifies how
+ threats should be handled.
+ enum:
+ - Block
+ - LogOnly
+ type: string
+ type: object
+ type: object
+ type: array
+ settings:
+ description: Settings contains the keys which will be adjusted.
+ properties:
+ level:
+ default: Standard
+ description: Level represents a set of deny rules with
+ different filter strengths.
+ enum:
+ - Unfiltered
+ - Basic
+ - Standard
+ - Strict
+ type: string
+ threatHandlingMode:
+ default: Block
+ description: ThreatHandlingMode specifies how threats
+ should be handled when a deny rule matches.
+ enum:
+ - Block
+ - LogOnly
+ type: string
+ type: object
+ type: object
+ custom:
+ description: Custom allows configuring additional deny rules.
+ properties:
+ rules:
+ description: Rules defines list of additional deny rules.
+ items:
+ properties:
+ blockData:
+ description: BlockData specifies the request data
+ which should cause a block.
+ properties:
+ graphQL:
+ description: |-
+ GraphQL specifies to block requests containing a matching GraphQL property.
+ At least one of field, argument and value must be set.
+ properties:
+ argument:
+ description: |-
+ Argument defines an argument of a field of the GraphQL query.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ field:
+ description: |-
+ Field defines a field of the GraphQL query.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: |-
+ Value defines the value of an argument of the GraphQL query.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ header:
+ description: |-
+ Header specifies to block requests containing a matching header.
+ Only one of parameter, header, path, pathSegment or json can be set.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ json:
+ description: |-
+ JSON specifies to block requests containing a matching JSON property in the body.
+ Only one of parameter, header, path, pathSegment or json can be set.
+ properties:
+ key:
+ description: Key defines the key of a JSON
+ object.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ JSON object.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ parameter:
+ description: |-
+ Parameter specifies to block requests containing a matching parameter.
+ Only one of parameter, header, path, pathSegment or json can be set.
+ properties:
+ name:
+ description: Name defines the name of a parameter.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ parameter.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ path:
+ description: |-
+ Path specifies to block requests with a matching path.
+ Only one of parameter, header, path, pathSegment or json can be set.
+ properties:
+ matcher:
+ description: Matcher specifies which path
+ to block.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ pathSegment:
+ description: |-
+ PathSegment specifies to block requests containing a matching path segment.
+ Only one of parameter, header, path, pathSegment or json can be set.
+ properties:
+ segments:
+ description: |-
+ Segments restricts which path segments are filtered by this rule.
+ If not specified, all segments of a path are filtered.
+ properties:
+ index:
+ description: Index restricts the rule
+ to the path segment at this index (0-based).
+ minimum: 0
+ type: integer
+ type: object
+ value:
+ description: Value specifies which path segment
+ values to block.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ required:
+ - value
+ type: object
+ type: object
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in order
+ for this rule to apply.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request
+ condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media
+ type from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of
+ a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or
+ IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the
+ match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ ruleKey:
+ description: RuleKey defines a technical key for the
+ deny rule. Must be unique.
+ minLength: 1
+ pattern: ^[A-Z][A-Z0-9_]*$
+ type: string
+ threatHandlingMode:
+ default: Block
+ description: ThreatHandlingMode specifies how threats
+ should be handled when a deny rule matches.
+ enum:
+ - Block
+ - LogOnly
+ type: string
+ required:
+ - blockData
+ - ruleKey
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - ruleKey
+ x-kubernetes-list-type: map
+ type: object
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyclusters.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyclusters.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..4abc45c
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyclusters.microgateway.airlock.com.yaml
@@ -0,0 +1,60 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: envoyclusters.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: EnvoyCluster
+ listKind: EnvoyClusterList
+ plural: envoyclusters
+ singular: envoycluster
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: EnvoyCluster is an additional Envoy Cluster resource which
+ is added to those defined by the Airlock Microgateway.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired additional Envoy cluster.
+ properties:
+ value:
+ description: Value defines the Envoy Cluster which is added to those
+ configured by the Airlock Microgateway.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyconfigurations.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyconfigurations.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..e8b2d5e
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyconfigurations.microgateway.airlock.com.yaml
@@ -0,0 +1,207 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: envoyconfigurations.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: EnvoyConfiguration
+ listKind: EnvoyConfigurationList
+ plural: envoyconfigurations
+ singular: envoyconfiguration
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .status.status
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ EnvoyConfiguration is the Schema for the envoyconfigurations API
+ {{% notice warning %}} EnvoyConfiguration resources may contain sensitive information and thus RBAC permissions should be granted with care. {{% /notice %}}
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: EnvoyConfigurationSpec defines the desired state of EnvoyConfiguration
+ properties:
+ envoyResources:
+ properties:
+ clusters:
+ items:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: array
+ endpoints:
+ items:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: array
+ extensions:
+ items:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: array
+ listeners:
+ items:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: array
+ routes:
+ items:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: array
+ runtimes:
+ items:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: array
+ scopedRoutes:
+ items:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: array
+ secrets:
+ items:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: array
+ type: object
+ envoyResourcesRaw:
+ description: |-
+ EnvoyResourcesRaw defines the desired state for each resource type. The resources are stored as zstd compressed JSON bytes.
+ For debugging purposes, the resources can be inspected with the following command: `kubectl get envoyconfiguration -ojsonpath='{.spec.envoyResourcesRaw}' | base64 -d | zstd -d | jq`
+ format: byte
+ type: string
+ nodeID:
+ description: '**Deprecated:** This field is now ignored as NodeID
+ is always derived from the resource name.'
+ type: string
+ type: object
+ status:
+ description: EnvoyConfigurationStatus defines the observed state of
+ EnvoyConfiguration
+ properties:
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ description: Last time the condition transitioned from one
+ status to another.
+ format: date-time
+ type: string
+ message:
+ description: A human-readable message indicating details about
+ the transition.
+ type: string
+ observedGeneration:
+ description: |-
+ ObservedGeneration represents the `.metadata.generation` based on which the condition was set.
+ For instance, if `.metadata.generation` is currently 12, but the `.status.conditions[x].observedGeneration` is 9, the condition is out of date with respect to the current state of the EnvoyConfiguration.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: The reason for the condition's last transition.
+ type: string
+ status:
+ description: Status of the condition, one of True, False,
+ Unknown.
+ type: string
+ type:
+ description: Type of EnvoyConfiguration condition.
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ status:
+ type: string
+ xds:
+ properties:
+ resourceTypes:
+ additionalProperties:
+ description: XdsResourceTypeSyncStatus defines the sync status
+ of xDS for a specific resource type
+ properties:
+ errorMessage:
+ description: ErrorMessage defines an optional message
+ why the currently served resources of this resource
+ type are rejected by the client.
+ type: string
+ resources:
+ additionalProperties:
+ description: XdsResourceStatus defines the status of
+ xDS for a specific resource
+ properties:
+ version:
+ description: Version defines the version which is
+ currently served for this resource.
+ type: string
+ required:
+ - version
+ type: object
+ description: Resources defines the resources which are
+ currently served for this resource type.
+ type: object
+ status:
+ description: Status defines the current sync status of
+ this resource type.
+ type: string
+ version:
+ description: Version defines the version which is currently
+ served for this resource type.
+ type: string
+ required:
+ - resources
+ - status
+ - version
+ type: object
+ description: ResourceTypes defines the sync statuses for each
+ resource type.
+ type: object
+ version:
+ description: Version defines the version of the underlying xDS
+ snapshot.
+ type: integer
+ required:
+ - version
+ type: object
+ required:
+ - status
+ - xds
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyhttpfilters.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyhttpfilters.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..5b89569
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyhttpfilters.microgateway.airlock.com.yaml
@@ -0,0 +1,60 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: envoyhttpfilters.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: EnvoyHTTPFilter
+ listKind: EnvoyHTTPFilterList
+ plural: envoyhttpfilters
+ singular: envoyhttpfilter
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: EnvoyHTTPFilter is an additional Envoy HTTP Filter resource
+ which is added to those defined by the Airlock Microgateway.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired additional Envoy HTTP filter.
+ properties:
+ value:
+ description: Value defines the HTTP filter which is added to those
+ configured by the Airlock Microgateway.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/gatewayparameters.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/gatewayparameters.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..a7ca2e3
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/gatewayparameters.microgateway.airlock.com.yaml
@@ -0,0 +1,1534 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: gatewayparameters.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: GatewayParameters
+ listKind: GatewayParametersList
+ plural: gatewayparameters
+ singular: gatewayparameters
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ GatewayParameters defines the configuration settings for deploying a Gateway in a Kubernetes, including options for logging, service type, deployment strategy, and resource management. It can be referenced by either a GatewayClass or a Gateway.
+ Note: More specific GatewayParameters takes precedence, e.g., if a Gateway references GatewayParameters, the parameters from its associated GatewayClass are completely overridden without merging.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: GatewayParametersSpec defines additional configuration
+ parameters for the Gateway.
+ properties:
+ defaults:
+ description: Defaults specifies default configurations and policies
+ for the Gateway.
+ properties:
+ downstream:
+ description: Downstream defines the downstream configuration
+ for this Gateway.
+ properties:
+ remoteIP:
+ description: |-
+ RemoteIP defines how the remote IP of a client is propagated.
+ Default: connectionIP: {...}
+ properties:
+ connectionIP:
+ description: ConnectionIP configures to use the source
+ IP address of the direct downstream connection.
+ type: object
+ customHeader:
+ description: CustomHeader specifies to use a custom
+ header for remote IP extraction.
+ properties:
+ headerName:
+ description: HeaderName specifies the name of the
+ custom header containing the remote IP.
+ minLength: 1
+ type: string
+ required:
+ default: true
+ description: Required specifies if the custom header
+ is required. If true and not available the request
+ will be rejected with 403.
+ type: boolean
+ required:
+ - headerName
+ type: object
+ xff:
+ description: XFF configures to use the standard 'X-Forwarded-For'
+ header for IP extraction.
+ properties:
+ numTrustedHops:
+ default: 1
+ description: NumTrustedHops specifies to extract
+ the client's originating IP from the nth rightmost
+ entry in the X-Forwarded-For header. With the
+ default value of 1, the IP is extracted from the
+ rightmost entry.
+ format: int32
+ minimum: 1
+ type: integer
+ type: object
+ type: object
+ type: object
+ sessionHandlingRef:
+ description: SessionHandlingRef selects the default SessionHandling
+ configuration for the Gateway.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ kubernetes:
+ description: Kubernetes defines the configuration for Kubernetes
+ resources provisioned for the Gateway.
+ properties:
+ deployment:
+ description: Deployment configures the Kubernetes Deployment
+ provisioned for the Gateway.
+ properties:
+ automountServiceAccountToken:
+ default: false
+ description: AutomountServiceAccountToken configures whether
+ a service account token should be automatically mounted.
+ Set this to `true` only if a sidecar that requires a service
+ account token (e.g., OpenShift ServiceMesh) is injected
+ to the Gateway Deployment.
+ type: boolean
+ engineContainer:
+ description: EngineContainer configures the container running
+ the Airlock Microgateway Engine.
+ properties:
+ resources:
+ description: |-
+ Resources specifies the compute resources required for this container.
+ See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references one entry
+ in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ type: object
+ imagePullSecrets:
+ description: |-
+ ImagePullSecrets configures the list of references to secrets in the same namespace, which will be used in the Gateway deployment for pulling any of the images.
+ More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
+ items:
+ description: |-
+ LocalObjectReference contains enough information to let you locate the
+ referenced object inside the same namespace.
+ properties:
+ name:
+ default: ''
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ placement:
+ description: Placement configures scheduling of the Airlock
+ Microgateway Engine pod.
+ properties:
+ affinity:
+ description: Affinity specifies affinity and anti-affinity
+ rules for the Airlock Microgateway Engine pods.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with matching
+ the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node selector
+ terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling rules
+ (e.g. co-locate this pod in the same node, zone,
+ etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a
+ list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a
+ list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a
+ list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a
+ list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: NodeSelector is a selector which must be
+ true for the Airlock Microgateway Engine pods to fit
+ on a node.
+ type: object
+ tolerations:
+ description: Tolerations allows scheduling of Airlock
+ Microgateway Engine pods on tainted nodes.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple using the matching operator .
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ description: |-
+ TopologySpreadConstraints describes how the Airlock Microgateway Engine pods ought to spread across topology domains (e.g., nodes, zones).
+ If the label selector of the constraints is undefined, the label selector of the deployment will be used instead.
+ items:
+ description: TopologySpreadConstraint specifies how
+ to spread matching pods among the given topology.
+ properties:
+ labelSelector:
+ description: |-
+ LabelSelector is used to find matching pods.
+ Pods that match this label selector are counted to determine the number of pods
+ in their corresponding topology domain.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select the pods over which
+ spreading will be calculated. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are ANDed with labelSelector
+ to select the group of existing pods over which spreading will be calculated
+ for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ MatchLabelKeys cannot be set when LabelSelector isn't set.
+ Keys that don't exist in the incoming pod labels will
+ be ignored. A null or empty list means only match against labelSelector.
+
+ This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ description: |-
+ MaxSkew describes the degree to which pods may be unevenly distributed.
+ When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+ between the number of matching pods in the target topology and the global minimum.
+ The global minimum is the minimum number of matching pods in an eligible domain
+ or zero if the number of eligible domains is less than MinDomains.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 2/2/1:
+ In this case, the global minimum is 1.
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P |
+ - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+ scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+ violate MaxSkew(1).
+ - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+ When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+ to topologies that satisfy it.
+ It's a required field. Default value is 1 and 0 is not allowed.
+ format: int32
+ type: integer
+ minDomains:
+ description: |-
+ MinDomains indicates a minimum number of eligible domains.
+ When the number of eligible domains with matching topology keys is less than minDomains,
+ Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+ And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+ this value has no effect on scheduling.
+ As a result, when the number of eligible domains is less than minDomains,
+ scheduler won't schedule more than maxSkew Pods to those domains.
+ If value is nil, the constraint behaves as if MinDomains is equal to 1.
+ Valid values are integers greater than 0.
+ When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+
+ For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+ labelSelector spread as 2/2/2:
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P P |
+ The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+ In this situation, new pod with the same labelSelector cannot be scheduled,
+ because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+ it will violate MaxSkew.
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ description: |-
+ NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+ when calculating pod topology spread skew. Options are:
+ - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+ - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+
+ If this value is nil, the behavior is equivalent to the Honor policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ nodeTaintsPolicy:
+ description: |-
+ NodeTaintsPolicy indicates how we will treat node taints when calculating
+ pod topology spread skew. Options are:
+ - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+ has a toleration, are included.
+ - Ignore: node taints are ignored. All nodes are included.
+
+ If this value is nil, the behavior is equivalent to the Ignore policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ topologyKey:
+ description: |-
+ TopologyKey is the key of node labels. Nodes that have a label with this key
+ and identical values are considered to be in the same topology.
+ We consider each as a "bucket", and try to put balanced number
+ of pods into each bucket.
+ We define a domain as a particular instance of a topology.
+ Also, we define an eligible domain as a domain whose nodes meet the requirements of
+ nodeAffinityPolicy and nodeTaintsPolicy.
+ e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+ And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+ It's a required field.
+ type: string
+ whenUnsatisfiable:
+ description: |-
+ WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+ the spread constraint.
+ - DoNotSchedule (default) tells the scheduler not to schedule it.
+ - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+ but giving higher precedence to topologies that would help reduce the
+ skew.
+ A constraint is considered "Unsatisfiable" for an incoming pod
+ if and only if every possible node assignment for that pod would violate
+ "MaxSkew" on some topology.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 3/1/1:
+ | zone1 | zone2 | zone3 |
+ | P P P | P | P |
+ If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+ to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+ MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+ won't make it *more* imbalanced.
+ It's a required field.
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ type: object
+ replicas:
+ default: 2
+ description: Replicas sets the number of Gateway Deployment
+ replicas.
+ format: int32
+ minimum: 1
+ type: integer
+ strategy:
+ description: |-
+ Strategy configures the deployment strategy which is used to replace existing Airlock Microgateway Engine pods with new ones.
+ If undefined, default settings (RollingUpdate) are applied.
+ properties:
+ rollingUpdate:
+ description: |-
+ Rolling update config params. Present only if DeploymentStrategyType =
+ RollingUpdate.
+ properties:
+ maxSurge:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be scheduled above the desired number of
+ pods.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ This can not be 0 if MaxUnavailable is 0.
+ Absolute number is calculated from percentage by rounding up.
+ Defaults to 25%.
+ Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+ the rolling update starts, such that the total number of old and new pods do not exceed
+ 130% of desired pods. Once old pods have been killed,
+ new ReplicaSet can be scaled up further, ensuring that total number of pods running
+ at any time during the update is at most 130% of desired pods.
+ x-kubernetes-int-or-string: true
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be unavailable during the update.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ Absolute number is calculated from percentage by rounding down.
+ This can not be 0 if MaxSurge is 0.
+ Defaults to 25%.
+ Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+ immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+ can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+ that the total number of pods available at all times during the update is at
+ least 70% of desired pods.
+ x-kubernetes-int-or-string: true
+ type: object
+ type:
+ description: Type of deployment. Can be "Recreate" or
+ "RollingUpdate". Default is RollingUpdate.
+ type: string
+ type: object
+ type: object
+ service:
+ description: Service configures the Kubernetes Service provisioned
+ for the Gateway.
+ properties:
+ allocateLoadBalancerNodePorts:
+ description: |-
+ AllocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.
+ If undefined, the default is `true`. It may be set to `false` if the cluster load-balancer does not rely on NodePorts.
+ type: boolean
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations specifies additional annotations
+ for the Service, e.g., for configuring cloud LoadBalancers.
+ maxProperties: 8
+ type: object
+ x-kubernetes-validations:
+ - message: Annotation keys must be in the form of an optional
+ DNS subdomain prefix followed by a required name segment
+ of up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the annotation key's prefix must
+ be a DNS subdomain not longer than 253 characters
+ in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ - message: Annotation values may not be longer than 4096
+ characters.
+ rule: self.all(key, size(self[key]) <= 4096)
+ externalTrafficPolicy:
+ description: |-
+ ExternalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service's "externally-facing" addresses (NodePorts, and LoadBalancer IPs). Meaning of the possible values:
+ _Local_: preserves the source IP of the traffic by routing only to endpoints on the same node as the traffic was received on (dropping the traffic if there are no local endpoints).
+ _Cluster_: routes traffic to all endpoints. Be aware that this may break client IP detection and dependent features (e.g., deny rule exceptions or access control policies with request conditions matching remote IPs).
+ If undefined, the `Local` policy is applied.
+ enum:
+ - Cluster
+ - Local
+ type: string
+ type:
+ default: ClusterIP
+ description: Type specifies the type of Kubernetes Service.
+ enum:
+ - ClusterIP
+ - NodePort
+ - LoadBalancer
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: ExternalTrafficPolicy can only be set for externally-accessible
+ service types (i.e., NodePort, LoadBalancer)
+ rule: '!has(self.externalTrafficPolicy) || self.type ==
+ "NodePort" || self.type == "LoadBalancer"'
+ - message: AllocateLoadBalancerNodePorts can only be set for
+ service type LoadBalancer
+ rule: '!has(self.allocateLoadBalancerNodePorts) || self.type
+ == "LoadBalancer"'
+ type: object
+ logging:
+ description: Logging specifies Envoy system logging settings for
+ the Gateway.
+ properties:
+ level:
+ default: info
+ description: Level specifies the logging level for the Envoy
+ system logs of the Airlock Microgateway Engine.
+ enum:
+ - 'off'
+ - critical
+ - error
+ - warn
+ - info
+ - debug
+ - trace
+ type: string
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/graphqls.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/graphqls.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..86de4a1
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/graphqls.microgateway.airlock.com.yaml
@@ -0,0 +1,94 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: graphqls.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: GraphQL
+ listKind: GraphQLList
+ plural: graphqls
+ singular: graphql
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: GraphQL contains the configuration for the GraphQL specification.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired GraphQL specification.
+ properties:
+ settings:
+ description: Settings defines the settings to configure GraphQL.
+ properties:
+ allowIntrospection:
+ default: true
+ description: AllowIntrospection specifies if the introspection
+ system is exposed.
+ type: boolean
+ allowMutations:
+ default: true
+ description: AllowMutations specifies if mutations are allowed.
+ type: boolean
+ schema:
+ description: Specifies the GraphQL schema.
+ properties:
+ source:
+ description: Source specifies the GraphQL schema to be enforced.
+ properties:
+ configMapRef:
+ description: ConfigMapRef references the configmap by
+ its name containing the well-known key `schema.graphql`.
+ Use the `data` field for plaintext or the `binaryData`
+ for compressed data. Supported compression formats
+ are zstd, gzip or zip.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ required:
+ - source
+ type: object
+ threatHandlingMode:
+ default: Block
+ description: ThreatHandlingMode specifies how threats should
+ be handled.
+ enum:
+ - Block
+ - LogOnly
+ type: string
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/headerrewrites.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/headerrewrites.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..f8be6ad
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/headerrewrites.microgateway.airlock.com.yaml
@@ -0,0 +1,2338 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: headerrewrites.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: HeaderRewrites
+ listKind: HeaderRewritesList
+ plural: headerrewrites
+ singular: headerrewrites
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: HeaderRewrites is the Schema for the headerrewrites API
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired header rewriting behavior.
+ properties:
+ request:
+ description: Request defines manipulations on upstream request headers.
+ properties:
+ add:
+ description: Add defines which request headers will be added
+ before forwarding to the upstream.
+ properties:
+ custom:
+ description: |-
+ Custom allows configuring additional upstream request headers.
+ Add selected headers.
+ items:
+ properties:
+ headers:
+ description: Headers to add.
+ items:
+ description: HeaderRewritesHeader specifies a header
+ with a particular value
+ properties:
+ name:
+ description: Name defines the name of a header.
+ minLength: 1
+ type: string
+ value:
+ description: Value defines the value of a header.
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ minItems: 1
+ type: array
+ mode:
+ default: AddIfAbsent
+ description: Mode defines the header addition strategy.
+ enum:
+ - AddIfAbsent
+ - OverwriteOrAdd
+ type: string
+ name:
+ description: Name describing the configured operation.
+ minLength: 1
+ type: string
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in order
+ for this operation to be applied.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request
+ condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media
+ type from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of
+ a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or
+ IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the
+ match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - headers
+ - name
+ type: object
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ allow:
+ description: |-
+ Allow defines which request headers will be forwarded to the upstream.
+ This can either be allHeaders or matchingHeaders.
+ Default: matchingHeaders: {...}
+ properties:
+ allHeaders:
+ description: AllHeaders specifies that all request headers
+ should be forwarded.
+ type: object
+ matchingHeaders:
+ description: MatchingHeaders specifies which request headers
+ should be forwarded.
+ properties:
+ builtIn:
+ description: BuiltIn allows configuring a set of predefined
+ upstream request headers.
+ properties:
+ standardHeaders:
+ default: true
+ description: StandardHeaders defines whether the
+ request headers which are forwarded to the upstream
+ will be restricted to a set of common request
+ headers.
+ type: boolean
+ tracingHeaders:
+ default: false
+ description: TracingHeaders defines whether to allow
+ common tracing headers to be forwarded to the
+ upstream.
+ type: boolean
+ type: object
+ custom:
+ description: Custom allows configuring additional upstream
+ request headers.
+ items:
+ properties:
+ headers:
+ description: Headers to allow.
+ items:
+ description: |-
+ HeaderMatcher defines a matcher for an HTTP header.
+ At least one of name and value must be set.
+ properties:
+ name:
+ description: Name defines the name of a
+ header.
+ properties:
+ matcher:
+ description: Matcher defines the way
+ to match a string. In comparison to
+ a normal StringMatcher, a value is
+ always matched ignoring the case and
+ can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of
+ a header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be
+ case-insensitive. In case of a
+ regex match, the regex gets wrapped
+ with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ minItems: 1
+ type: array
+ name:
+ description: Name describing the configured operation.
+ Must be unique.
+ minLength: 1
+ type: string
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in
+ order for this operation to be applied.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of
+ a header.
+ properties:
+ matcher:
+ description: Matcher defines the way
+ to match a string. In comparison
+ to a normal StringMatcher, a value
+ is always matched ignoring the case
+ and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of
+ a header.
+ properties:
+ matcher:
+ description: StringMatcher defines
+ the way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should
+ be case-insensitive. In case
+ of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the
+ request condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching
+ media type from the content-type header
+ of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP
+ methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path
+ of a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4
+ or IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C\
+ 196.148.3.128/26\u201C or \u201C2001:db8::/28\u201C\
+ ."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether
+ the match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - headers
+ - name
+ type: object
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type: object
+ remove:
+ description: Remove defines which request headers will be removed
+ before forwarding to the upstream.
+ properties:
+ builtIn:
+ description: BuiltIn allows configuring a set of predefined
+ upstream request headers.
+ properties:
+ alternativeForwardedHeaders:
+ default: true
+ description: |-
+ AlternativeForwardedHeaders removes downstream request headers which could potentially
+ be abused to alter the upstream's view of the remote connection.
+ type: boolean
+ type: object
+ custom:
+ description: Custom allows configuring additional upstream
+ request headers.
+ items:
+ properties:
+ headers:
+ description: Headers to remove.
+ items:
+ description: |-
+ HeaderMatcher defines a matcher for an HTTP header.
+ At least one of name and value must be set.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a header.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ minItems: 1
+ type: array
+ name:
+ description: Name describing the configured operation.
+ Must be unique.
+ minLength: 1
+ type: string
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in order
+ for this operation to be applied.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request
+ condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media
+ type from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of
+ a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or
+ IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the
+ match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - headers
+ - name
+ type: object
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type: object
+ response:
+ description: Response defines manipulations on upstream response
+ headers.
+ properties:
+ add:
+ description: Add defines which response headers will be added
+ before forwarding to the downstream.
+ properties:
+ builtIn:
+ description: BuiltIn allows configuring a set of predefined
+ upstream response headers.
+ properties:
+ csp:
+ default: true
+ description: |-
+ CSP sets a content security policy which allows only same-origin requests except for images
+ if the 'Content-Security-Policy' header is not set by the upstream.
+ type: boolean
+ featurePolicy:
+ default: false
+ description: |-
+ FeaturePolicy sets a feature policy which prevents cross-origin use of several browser features
+ if the 'Feature-Policy' header is not set by the upstream.
+ **Deprecated:** Use permissionsPolicy instead.
+ type: boolean
+ hsts:
+ default: true
+ description: HSTS enforces the use of HTTPS if the 'Strict-Transport-Security'
+ header is not already set by the upstream.
+ type: boolean
+ hstsPreload:
+ default: false
+ description: HSTSPreload enforces the use of HTTPS including
+ for subdomains and enables HSTS preload.
+ type: boolean
+ permissionsPolicy:
+ default: true
+ description: |-
+ PermissionsPolicy sets a permissions policy which prevents cross-origin use of several browser features
+ if the 'Permissions-Policy' header is not set by the upstream.
+ type: boolean
+ referrerPolicy:
+ default: true
+ description: |-
+ ReferrerPolicy ensures that no 'Referer' header is sent for cross-origin requests
+ if the 'Referrer-Policy' header is not set by the upstream.
+ type: boolean
+ xContentTypeOptions:
+ default: true
+ description: XContentTypeOptions sets 'X-Content-Type-Options'
+ to 'nosniff' if it is not set by the upstream.
+ type: boolean
+ xFrameOptions:
+ default: true
+ description: XFrameOptions sets 'X-Frame-Options' to
+ SAMEORIGIN if it is not set by the upstream.
+ type: boolean
+ type: object
+ custom:
+ description: Custom allows configuring additional upstream
+ response headers.
+ items:
+ properties:
+ headers:
+ description: Headers to add.
+ items:
+ description: HeaderRewritesHeader specifies a header
+ with a particular value
+ properties:
+ name:
+ description: Name defines the name of a header.
+ minLength: 1
+ type: string
+ value:
+ description: Value defines the value of a header.
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ minItems: 1
+ type: array
+ mode:
+ default: AddIfAbsent
+ description: Mode defines the header addition strategy.
+ enum:
+ - AddIfAbsent
+ - OverwriteOrAdd
+ type: string
+ name:
+ description: Name describing the configured operation.
+ minLength: 1
+ type: string
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in order
+ for this operation to be applied.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request
+ condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media
+ type from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of
+ a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or
+ IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the
+ match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - headers
+ - name
+ type: object
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ allow:
+ description: |-
+ Allow defines which response headers will be forwarded to the downstream.
+ This can either be allHeaders or matchingHeaders.
+ Default: allHeaders: {}
+ properties:
+ allHeaders:
+ description: AllHeaders specifies that all response headers
+ should be forwarded.
+ type: object
+ matchingHeaders:
+ description: MatchingHeaders specifies which response headers
+ should be forwarded.
+ properties:
+ builtIn:
+ description: BuiltIn allows configuring a set of predefined
+ upstream response header.
+ properties:
+ standardHeaders:
+ default: false
+ description: StandardHeaders defines whether the
+ response headers which are forwarded to the downstream
+ will be restricted to a set of common response
+ headers.
+ type: boolean
+ type: object
+ custom:
+ description: Custom allows configuring additional upstream
+ response headers.
+ items:
+ properties:
+ headers:
+ description: Headers to allow.
+ items:
+ description: |-
+ HeaderMatcher defines a matcher for an HTTP header.
+ At least one of name and value must be set.
+ properties:
+ name:
+ description: Name defines the name of a
+ header.
+ properties:
+ matcher:
+ description: Matcher defines the way
+ to match a string. In comparison to
+ a normal StringMatcher, a value is
+ always matched ignoring the case and
+ can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of
+ a header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be
+ case-insensitive. In case of a
+ regex match, the regex gets wrapped
+ with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ minItems: 1
+ type: array
+ name:
+ description: Name describing the configured operation.
+ Must be unique.
+ minLength: 1
+ type: string
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in
+ order for this operation to be applied.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of
+ a header.
+ properties:
+ matcher:
+ description: Matcher defines the way
+ to match a string. In comparison
+ to a normal StringMatcher, a value
+ is always matched ignoring the case
+ and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of
+ a header.
+ properties:
+ matcher:
+ description: StringMatcher defines
+ the way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should
+ be case-insensitive. In case
+ of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the
+ request condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching
+ media type from the content-type header
+ of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP
+ methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path
+ of a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4
+ or IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C\
+ 196.148.3.128/26\u201C or \u201C2001:db8::/28\u201C\
+ ."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether
+ the match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - headers
+ - name
+ type: object
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type: object
+ remove:
+ description: Remove defines which response headers will be removed
+ before forwarding to the downstream.
+ properties:
+ builtIn:
+ description: BuiltIn allows configuring a set of predefined
+ upstream response headers.
+ properties:
+ auth:
+ description: Auth defines the categories of headers
+ concerning authentication.
+ properties:
+ basic:
+ default: false
+ description: Basic removes upstream response headers
+ that advise clients to authenticate with Basic
+ Authentication.
+ type: boolean
+ negotiate:
+ default: true
+ description: Negotiate removes upstream response
+ headers that advise clients to authenticate with
+ Negotiate.
+ type: boolean
+ ntlm:
+ default: true
+ description: |-
+ NTLM removes upstream response headers that advise clients to authenticate with NTLM.
+ By default, these headers are removed, because NTLM pass-through is not supported.
+ type: boolean
+ type: object
+ informationLeakage:
+ description: InformationLeakage defines the categories
+ of headers concerning information leakage.
+ properties:
+ application:
+ default: true
+ description: Application removes upstream response
+ headers that leak information about the deployed
+ software.
+ type: boolean
+ server:
+ default: true
+ description: Server removes upstream response headers
+ that leak information about the server.
+ type: boolean
+ type: object
+ permissiveCors:
+ default: true
+ description: PermissiveCORS removes upstream response
+ headers for CORS (Cross-Origin Resource Sharing) which
+ have no restrictions and therefore reduce client-side
+ security.
+ type: boolean
+ type: object
+ custom:
+ description: Custom allows configuring additional upstream
+ response headers.
+ items:
+ properties:
+ headers:
+ description: Headers to remove.
+ items:
+ description: |-
+ HeaderMatcher defines a matcher for an HTTP header.
+ At least one of name and value must be set.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a header.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ minItems: 1
+ type: array
+ name:
+ description: Name describing the configured remove
+ operation. Must be unique.
+ minLength: 1
+ type: string
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in order
+ for this operation to be applied.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request
+ condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media
+ type from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of
+ a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or
+ IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the
+ match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - headers
+ - name
+ type: object
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type: object
+ settings:
+ description: Settings configures the HeaderRewrites filter.
+ properties:
+ operationalMode:
+ default: Production
+ description: OperationalMode defines the behavior of the filter.
+ In integration mode more information is logged about the requests
+ and responses.
+ enum:
+ - Production
+ - Integration
+ type: string
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/identitypropagations.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/identitypropagations.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..1728ab2
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/identitypropagations.microgateway.airlock.com.yaml
@@ -0,0 +1,169 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: identitypropagations.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: IdentityPropagation
+ listKind: IdentityPropagationList
+ plural: identitypropagations
+ singular: identitypropagation
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: IdentityPropagation specifies the desired identity propagation.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired identity propagation.
+ properties:
+ bearerToken:
+ description: BearerToken configures identity propagation via an
+ authorization header containing a bearer token.
+ properties:
+ source:
+ description: Source from which to extract the token.
+ properties:
+ metadata:
+ description: Metadata specifies to extract a value from
+ an Envoy dynamic filter metadata key.
+ properties:
+ key:
+ description: Key specifies the metadata key from which
+ to load the value, e.g. `some_payload.aud`.
+ minLength: 1
+ type: string
+ namespace:
+ description: Namespace specifies the metadata namespace
+ within which the lookup should be performed, e.g.
+ `envoy.filters.http.jwt_authn`.
+ minLength: 1
+ type: string
+ required:
+ - key
+ - namespace
+ type: object
+ oidc:
+ description: OIDC specifies to extract a value from the
+ result of an OpenID Connect flow.
+ properties:
+ accessToken:
+ description: AccessToken specifies to extract the value
+ from the OpenID Connect Access Token.
+ type: object
+ idToken:
+ description: IDToken specifies to extract the value
+ from the OpenID Connect ID Token.
+ properties:
+ claim:
+ description: Claim selects the JWT claim from which
+ to extract the value.
+ minLength: 1
+ type: string
+ required:
+ - claim
+ type: object
+ type: object
+ type: object
+ required:
+ - source
+ type: object
+ header:
+ description: Header configures identity propagation via a request
+ header.
+ properties:
+ name:
+ description: Name of the header to set.
+ minLength: 1
+ type: string
+ value:
+ description: Value to propagate to the application.
+ properties:
+ source:
+ description: Source from which to extract the value.
+ properties:
+ metadata:
+ description: Metadata specifies to extract a value from
+ an Envoy dynamic filter metadata key.
+ properties:
+ key:
+ description: Key specifies the metadata key from
+ which to load the value, e.g. `some_payload.aud`.
+ minLength: 1
+ type: string
+ namespace:
+ description: Namespace specifies the metadata namespace
+ within which the lookup should be performed, e.g.
+ `envoy.filters.http.jwt_authn`.
+ minLength: 1
+ type: string
+ required:
+ - key
+ - namespace
+ type: object
+ oidc:
+ description: OIDC specifies to extract a value from
+ the result of an OpenID Connect flow.
+ properties:
+ accessToken:
+ description: AccessToken specifies to extract the
+ value from the OpenID Connect Access Token.
+ type: object
+ idToken:
+ description: IDToken specifies to extract the value
+ from the OpenID Connect ID Token.
+ properties:
+ claim:
+ description: Claim selects the JWT claim from
+ which to extract the value.
+ minLength: 1
+ type: string
+ required:
+ - claim
+ type: object
+ type: object
+ type: object
+ required:
+ - source
+ type: object
+ required:
+ - name
+ - value
+ type: object
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/jwks.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/jwks.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..a42859f
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/jwks.microgateway.airlock.com.yaml
@@ -0,0 +1,331 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: jwks.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: JWKS
+ listKind: JWKSList
+ plural: jwks
+ singular: jwks
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: JWKS provides a JSON Web Key Set.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the JWKS.
+ properties:
+ provider:
+ description: Provider configures the source from which to retrieve
+ the JWKS.
+ properties:
+ local:
+ description: Local specifies to retrieve the JWKS from a local
+ secret.
+ properties:
+ secretRef:
+ description: SecretRef selects the secret containing the
+ JWKS under the key 'jwks.json'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ remote:
+ description: Remote specifies to retrieve the JWKS from a remote
+ endpoint.
+ properties:
+ timeouts:
+ description: Timeouts specifies the timeouts when interacting
+ with the Token endpoint.
+ properties:
+ connect:
+ default: 5s
+ description: Connect specifies the timeout for establishing
+ a connection.
+ type: string
+ maxDuration:
+ default: 15s
+ description: MaxDuration specifies the response timeout.
+ type: string
+ type: object
+ tls:
+ description: TLS defines TLS settings.
+ properties:
+ certificateVerification:
+ description: CertificateVerification specifies how the
+ certificate presented by the server is verified.
+ properties:
+ custom:
+ description: |-
+ Custom explicitly specifies how the server certificate should be verified.
+ Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key.
+ properties:
+ allowedSANs:
+ description: "AllowedSANs is a list of matchers\
+ \ to verify the Subject Alternative name.\
+ \ If specified, it will verify that the\n\
+ Subject Alternative Name of the presented\
+ \ certificate matches one of the specified\
+ \ matchers. The matching uses \u201Cany\u201D\
+ \ semantics,\nthat is to say, the SAN is verified\
+ \ if at least one matcher is matched.\nAllowedSANs\
+ \ requires trustedCA to be set."
+ items:
+ description: |-
+ TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
+ Subject Alternative Name of the presented certificate matches one of the specified matchers.
+ properties:
+ matcher:
+ description: Matcher defines the string
+ matcher for the SAN value.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ sanType:
+ description: SanType defines the type
+ of SAN matcher.
+ enum:
+ - DNS
+ - Email
+ - URI
+ - IPAddress
+ type: string
+ required:
+ - matcher
+ - sanType
+ type: object
+ minItems: 1
+ type: array
+ certificatePinning:
+ description: |-
+ CertificatePinning defines constraints the presented certificate must fulfill.
+ If more than one constraint is configured only one must be satisfied.
+ At least one of allowedSPKIs and allowedHashes must be set.
+ properties:
+ allowedHashes:
+ description: |-
+ AllowedHashes is a list of hex-encoded SHA-256 hashes.
+ If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ allowedSPKIs:
+ description: |-
+ AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
+ If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ crl:
+ description: CRL defines the Certificate Revocation
+ List (CRL) settings.
+ properties:
+ lists:
+ description: Lists defines the list of secretRefs
+ containing Certificate Revocation Lists.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines the
+ reference to a secret containing
+ one or more CRL's (in PEM format)
+ under the key 'ca.crl'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ validationMode:
+ default: VerifyChain
+ description: ValidationMode defines whether
+ only the leaf certificate or also the
+ CA certs should be checked.
+ enum:
+ - VerifyLeafCertOnly
+ - VerifyChain
+ type: string
+ type: object
+ trustedCA:
+ description: TrustedCA defines which CA certificates
+ are trusted.
+ properties:
+ certificates:
+ description: Certificates defines the list
+ of secretRefs containing trusted CA certificates.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines the
+ reference to a secret containing
+ one or more CA certificates under
+ the key 'ca.crt'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ verificationDepth:
+ default: 1
+ description: |-
+ VerificationDepth specifies the hops in the certificate chain at which validation is performed.
+ 1 means that either the leaf or the signing CA must be in the set of trusted certificates.
+ format: int32
+ type: integer
+ required:
+ - certificates
+ type: object
+ type: object
+ disabled:
+ description: |-
+ Disabled specifies to trust any certificate without verification.
+ THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.
+ type: object
+ publicCAs:
+ description: PublicCAs specifies to only accept
+ certificates with a SAN matching "uri" and which
+ are signed by a CA which is either directly or
+ indirectly trusted by any of the root CA certificates
+ shipped with the Airlock Microgateway Engine's
+ base image.
+ type: object
+ type: object
+ ciphers:
+ description: Ciphers defines a list of the supported
+ TLS cipher suites. For details on cipher list refer
+ to the envoy documentation on cipher_suites in common
+ tls configuration.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ protocol:
+ description: Protocol defines the supported TLS protocol
+ versions.
+ properties:
+ maximum:
+ description: Maximum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ minimum:
+ description: Minimum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ type: object
+ type: object
+ uri:
+ description: URI specifies the endpoint address.
+ format: uri
+ minLength: 1
+ pattern: ^(http|https)://.*$
+ type: string
+ required:
+ - uri
+ type: object
+ type: object
+ required:
+ - provider
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/limits.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/limits.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..f82a8ab
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/limits.microgateway.airlock.com.yaml
@@ -0,0 +1,726 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: limits.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: Limits
+ listKind: LimitsList
+ plural: limits
+ singular: limits
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: Limits contains the configuration for limits.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired limits behavior.
+ properties:
+ request:
+ description: Request defines the limits for requests.
+ properties:
+ limited:
+ description: Limited enables limits on request scope.
+ properties:
+ exceptions:
+ description: Exceptions defines limit exceptions.
+ items:
+ description: LimitsException defines an exception for
+ limits.
+ properties:
+ length:
+ description: Length defines an exception for length
+ limits based on the data element exceeding the limit.
+ properties:
+ graphQL:
+ description: GraphQL defines a field, argument
+ or value length limit exception for a GraphQL
+ query.
+ properties:
+ argument:
+ description: |-
+ Argument restricts the exception to GraphQL queries with a matching argument of a field.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ field:
+ description: |-
+ Field restricts the exception to GraphQL queries with a matching field.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: |-
+ Value restricts the exception to GraphQL queries with a matching argument value.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ json:
+ description: JSON defines a key and value length
+ limit exception for a JSON property.
+ properties:
+ jsonPath:
+ description: |-
+ JSONPath restricts the exception to JSON properties with a matching JSONPath.
+ Expressions in JSONPath i.e. `?(expr)` are not supported.
+ minLength: 1
+ type: string
+ required:
+ - jsonPath
+ type: object
+ parameter:
+ description: Parameter defines a name and value
+ length limit exception for a parameter.
+ properties:
+ name:
+ description: Name restricts the exception
+ to parameters with a matching name.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ source:
+ default: Any
+ description: Source restricts the exception
+ to parameters of this kind.
+ enum:
+ - Query
+ - Post
+ - Any
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in order
+ for this exception to apply.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request
+ condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media
+ type from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of
+ a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or
+ IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the
+ match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ type: object
+ type: array
+ general:
+ description: General defines general request limits.
+ properties:
+ bodySize:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 100Mi
+ description: BodySize limits the total size of the request
+ body. It specifies the number of bytes (0 = unlimited).
+ This limit is effective for any request not processed
+ by one of the content parsers (e.g. json) as configured
+ in the Parser CRD. **Note** This limit does not apply
+ to WebSocket or gRPC traffic.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ pathLength:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 1Ki
+ description: PathLength defines the maximum path length
+ for all requests (parsed and unparsed).
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ graphQL:
+ description: GraphQL defines the limits for GraphQL requests.
+ properties:
+ nestingDepth:
+ default: 10
+ description: NestingDepth defines the maximum depth
+ of nesting for GraphQL objects.
+ format: int64
+ type: integer
+ querySize:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 1Ki
+ description: QuerySize defines the maximum size for
+ GraphQL queries.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ valueLength:
+ anyOf:
+ - type: integer
+ - type: string
+ default: '256'
+ description: ValueLength defines the maximum length
+ for GraphQL values.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ json:
+ description: JSON defines the limits for JSON requests.
+ properties:
+ bodySize:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 100Ki
+ description: BodySize limits the total size of the JSON
+ request body. It specifies the number of bytes (0
+ = unlimited).
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ elementCount:
+ default: 10000
+ description: ElementCount defines the maximum number
+ of keys and array items in the whole JSON document
+ (recursive).
+ format: int64
+ type: integer
+ keyCount:
+ default: 250
+ description: KeyCount defines the maximum number of
+ keys of a single JSON object (non-recursive).
+ format: int64
+ type: integer
+ keyLength:
+ anyOf:
+ - type: integer
+ - type: string
+ default: '128'
+ description: KeyLength defines the maximum length for
+ JSON keys.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ nestingDepth:
+ default: 100
+ description: NestingDepth defines the maximum depth
+ of nesting for JSON objects and JSON arrays.
+ format: int64
+ type: integer
+ valueLength:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Ki
+ description: ValueLength defines the maximum length
+ for JSON values.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ multipart:
+ description: Multipart defines the limits for Multipart
+ requests.
+ properties:
+ bodySize:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 100Mi
+ description: BodySize limits the total size of the Multipart
+ request body. It specifies the number of bytes (0
+ = unlimited).
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ parameter:
+ description: Parameter defines the limits for request parameters.
+ properties:
+ bodySize:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 100Ki
+ description: BodySize limits the total size of the form
+ data body. It specifies the number of bytes (0 = unlimited).
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ count:
+ default: 128
+ description: Count defines the maximum number of request
+ parameters.
+ format: int64
+ type: integer
+ nameLength:
+ anyOf:
+ - type: integer
+ - type: string
+ default: '128'
+ description: NameLength defines the maximum length for
+ parameter names.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ valueLength:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Ki
+ description: ValueLength defines the maximum length
+ for parameter values.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ unlimited:
+ description: Unlimited disables all limits on request scope.
+ type: object
+ type: object
+ settings:
+ description: Settings configures the limits filter.
+ properties:
+ threatHandlingMode:
+ default: Block
+ description: ThreatHandlingMode specifies how threats should
+ be handled when a limit hits.
+ enum:
+ - Block
+ - LogOnly
+ type: string
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/oidcproviders.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/oidcproviders.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..5693388
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/oidcproviders.microgateway.airlock.com.yaml
@@ -0,0 +1,651 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: oidcproviders.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: OIDCProvider
+ listKind: OIDCProviderList
+ plural: oidcproviders
+ singular: oidcprovider
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ OIDCProvider specifies an OpenID Provider (OP).
+
+ {{% notice info %}} The OIDC feature requires SessionHandling to be configured in the SidecarGateway. {{% /notice %}}
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of an OpenID Provider.
+ properties:
+ static:
+ description: Static configures an OpenID Provider by explicitly
+ specifying all endpoints.
+ properties:
+ endpoints:
+ description: Endpoints specifies the OpenID Provider endpoints.
+ properties:
+ authorization:
+ description: Authorization specifies the endpoint to which
+ the authorization request is sent.
+ properties:
+ uri:
+ description: URI specifies the endpoint address.
+ format: uri
+ minLength: 1
+ pattern: ^(http|https)://.*$
+ type: string
+ required:
+ - uri
+ type: object
+ introspection:
+ description: Introspection configures the endpoint to which
+ the introspection request to validate access tokens is
+ sent.
+ properties:
+ timeouts:
+ description: Timeouts specifies the timeouts when interacting
+ with the Token endpoint.
+ properties:
+ connect:
+ default: 5s
+ description: Connect specifies the timeout for establishing
+ a connection.
+ type: string
+ maxDuration:
+ default: 15s
+ description: MaxDuration specifies the response
+ timeout.
+ type: string
+ type: object
+ tls:
+ description: TLS defines TLS settings.
+ properties:
+ certificateVerification:
+ description: CertificateVerification specifies how
+ the certificate presented by the server is verified.
+ properties:
+ custom:
+ description: |-
+ Custom explicitly specifies how the server certificate should be verified.
+ Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key.
+ properties:
+ allowedSANs:
+ description: "AllowedSANs is a list of matchers\
+ \ to verify the Subject Alternative name.\
+ \ If specified, it will verify that the\n\
+ Subject Alternative Name of the presented\
+ \ certificate matches one of the specified\
+ \ matchers. The matching uses \u201Cany\u201D\
+ \ semantics,\nthat is to say, the SAN\
+ \ is verified if at least one matcher\
+ \ is matched.\nAllowedSANs requires trustedCA\
+ \ to be set."
+ items:
+ description: |-
+ TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
+ Subject Alternative Name of the presented certificate matches one of the specified matchers.
+ properties:
+ matcher:
+ description: Matcher defines the string
+ matcher for the SAN value.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should
+ be case-insensitive. In case
+ of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ sanType:
+ description: SanType defines the type
+ of SAN matcher.
+ enum:
+ - DNS
+ - Email
+ - URI
+ - IPAddress
+ type: string
+ required:
+ - matcher
+ - sanType
+ type: object
+ minItems: 1
+ type: array
+ certificatePinning:
+ description: |-
+ CertificatePinning defines constraints the presented certificate must fulfill.
+ If more than one constraint is configured only one must be satisfied.
+ At least one of allowedSPKIs and allowedHashes must be set.
+ properties:
+ allowedHashes:
+ description: |-
+ AllowedHashes is a list of hex-encoded SHA-256 hashes.
+ If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ allowedSPKIs:
+ description: |-
+ AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
+ If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ crl:
+ description: CRL defines the Certificate
+ Revocation List (CRL) settings.
+ properties:
+ lists:
+ description: Lists defines the list
+ of secretRefs containing Certificate
+ Revocation Lists.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines
+ the reference to a secret containing
+ one or more CRL's (in PEM format)
+ under the key 'ca.crl'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ validationMode:
+ default: VerifyChain
+ description: ValidationMode defines
+ whether only the leaf certificate
+ or also the CA certs should be checked.
+ enum:
+ - VerifyLeafCertOnly
+ - VerifyChain
+ type: string
+ type: object
+ trustedCA:
+ description: TrustedCA defines which CA
+ certificates are trusted.
+ properties:
+ certificates:
+ description: Certificates defines the
+ list of secretRefs containing trusted
+ CA certificates.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines
+ the reference to a secret containing
+ one or more CA certificates
+ under the key 'ca.crt'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ verificationDepth:
+ default: 1
+ description: |-
+ VerificationDepth specifies the hops in the certificate chain at which validation is performed.
+ 1 means that either the leaf or the signing CA must be in the set of trusted certificates.
+ format: int32
+ type: integer
+ required:
+ - certificates
+ type: object
+ type: object
+ disabled:
+ description: |-
+ Disabled specifies to trust any certificate without verification.
+ THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.
+ type: object
+ publicCAs:
+ description: PublicCAs specifies to only accept
+ certificates with a SAN matching "uri" and
+ which are signed by a CA which is either directly
+ or indirectly trusted by any of the root CA
+ certificates shipped with the Airlock Microgateway
+ Engine's base image.
+ type: object
+ type: object
+ ciphers:
+ description: Ciphers defines a list of the supported
+ TLS cipher suites. For details on cipher list
+ refer to the envoy documentation on cipher_suites
+ in common tls configuration.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ protocol:
+ description: Protocol defines the supported TLS
+ protocol versions.
+ properties:
+ maximum:
+ description: Maximum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ minimum:
+ description: Minimum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ type: object
+ type: object
+ uri:
+ description: URI specifies the endpoint address.
+ format: uri
+ minLength: 1
+ pattern: ^(http|https)://.*$
+ type: string
+ required:
+ - uri
+ type: object
+ token:
+ description: Token configures the endpoint from which the
+ access, ID and refresh tokens are obtained.
+ properties:
+ timeouts:
+ description: Timeouts specifies the timeouts when interacting
+ with the Token endpoint.
+ properties:
+ connect:
+ default: 5s
+ description: Connect specifies the timeout for establishing
+ a connection.
+ type: string
+ maxDuration:
+ default: 15s
+ description: MaxDuration specifies the response
+ timeout.
+ type: string
+ type: object
+ tls:
+ description: TLS defines TLS settings.
+ properties:
+ certificateVerification:
+ description: CertificateVerification specifies how
+ the certificate presented by the server is verified.
+ properties:
+ custom:
+ description: |-
+ Custom explicitly specifies how the server certificate should be verified.
+ Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key.
+ properties:
+ allowedSANs:
+ description: "AllowedSANs is a list of matchers\
+ \ to verify the Subject Alternative name.\
+ \ If specified, it will verify that the\n\
+ Subject Alternative Name of the presented\
+ \ certificate matches one of the specified\
+ \ matchers. The matching uses \u201Cany\u201D\
+ \ semantics,\nthat is to say, the SAN\
+ \ is verified if at least one matcher\
+ \ is matched.\nAllowedSANs requires trustedCA\
+ \ to be set."
+ items:
+ description: |-
+ TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
+ Subject Alternative Name of the presented certificate matches one of the specified matchers.
+ properties:
+ matcher:
+ description: Matcher defines the string
+ matcher for the SAN value.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should
+ be case-insensitive. In case
+ of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ sanType:
+ description: SanType defines the type
+ of SAN matcher.
+ enum:
+ - DNS
+ - Email
+ - URI
+ - IPAddress
+ type: string
+ required:
+ - matcher
+ - sanType
+ type: object
+ minItems: 1
+ type: array
+ certificatePinning:
+ description: |-
+ CertificatePinning defines constraints the presented certificate must fulfill.
+ If more than one constraint is configured only one must be satisfied.
+ At least one of allowedSPKIs and allowedHashes must be set.
+ properties:
+ allowedHashes:
+ description: |-
+ AllowedHashes is a list of hex-encoded SHA-256 hashes.
+ If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ allowedSPKIs:
+ description: |-
+ AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
+ If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ crl:
+ description: CRL defines the Certificate
+ Revocation List (CRL) settings.
+ properties:
+ lists:
+ description: Lists defines the list
+ of secretRefs containing Certificate
+ Revocation Lists.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines
+ the reference to a secret containing
+ one or more CRL's (in PEM format)
+ under the key 'ca.crl'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ validationMode:
+ default: VerifyChain
+ description: ValidationMode defines
+ whether only the leaf certificate
+ or also the CA certs should be checked.
+ enum:
+ - VerifyLeafCertOnly
+ - VerifyChain
+ type: string
+ type: object
+ trustedCA:
+ description: TrustedCA defines which CA
+ certificates are trusted.
+ properties:
+ certificates:
+ description: Certificates defines the
+ list of secretRefs containing trusted
+ CA certificates.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines
+ the reference to a secret containing
+ one or more CA certificates
+ under the key 'ca.crt'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ verificationDepth:
+ default: 1
+ description: |-
+ VerificationDepth specifies the hops in the certificate chain at which validation is performed.
+ 1 means that either the leaf or the signing CA must be in the set of trusted certificates.
+ format: int32
+ type: integer
+ required:
+ - certificates
+ type: object
+ type: object
+ disabled:
+ description: |-
+ Disabled specifies to trust any certificate without verification.
+ THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.
+ type: object
+ publicCAs:
+ description: PublicCAs specifies to only accept
+ certificates with a SAN matching "uri" and
+ which are signed by a CA which is either directly
+ or indirectly trusted by any of the root CA
+ certificates shipped with the Airlock Microgateway
+ Engine's base image.
+ type: object
+ type: object
+ ciphers:
+ description: Ciphers defines a list of the supported
+ TLS cipher suites. For details on cipher list
+ refer to the envoy documentation on cipher_suites
+ in common tls configuration.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ protocol:
+ description: Protocol defines the supported TLS
+ protocol versions.
+ properties:
+ maximum:
+ description: Maximum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ minimum:
+ description: Minimum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ type: object
+ type: object
+ uri:
+ description: URI specifies the endpoint address.
+ format: uri
+ minLength: 1
+ pattern: ^(http|https)://.*$
+ type: string
+ required:
+ - uri
+ type: object
+ required:
+ - authorization
+ - token
+ type: object
+ issuer:
+ description: Issuer specifies the unique identifier of the OIDC
+ Provider, which is used e.g. for signature verification.
+ format: uri
+ minLength: 1
+ pattern: ^(http|https)://.*$
+ type: string
+ tokenValidation:
+ description: TokenValidation configures token validation.
+ properties:
+ idToken:
+ description: IDToken configures validation for the OIDC
+ ID Token.
+ properties:
+ signatureVerification:
+ description: SignatureVerification specifies how to
+ verify the ID Token signature.
+ properties:
+ disabled:
+ description: Disabled specifies to skip verification
+ of the JWT signature. Not recommended for production
+ environments.
+ type: object
+ jwksRef:
+ description: JwksRef specifies the JWKS to use for
+ verifying the JWT signature (usually provided
+ by the OpenID Provider).
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ required:
+ - signatureVerification
+ type: object
+ required:
+ - idToken
+ type: object
+ required:
+ - endpoints
+ - issuer
+ - tokenValidation
+ type: object
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/oidcrelyingparties.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/oidcrelyingparties.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..7bb90e6
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/oidcrelyingparties.microgateway.airlock.com.yaml
@@ -0,0 +1,245 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: oidcrelyingparties.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: OIDCRelyingParty
+ listKind: OIDCRelyingPartyList
+ plural: oidcrelyingparties
+ singular: oidcrelyingparty
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ OIDCRelyingParty specifies how the Airlock Microgateway Engine interacts with an OpenID Provider (OP).
+
+ {{% notice info %}} The OIDC feature requires SessionHandling to be configured in the SidecarGateway. {{% /notice %}}
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the OIDC Relying Party configuration.
+ properties:
+ clientID:
+ description: ClientID specifies the OIDCRelyingParty "client_id".
+ minLength: 1
+ type: string
+ credentials:
+ description: Credentials used for client authentication on the back-channel
+ with the authorization server.
+ properties:
+ clientSecret:
+ description: ClientSecret authenticates with the client password
+ issued by the OpenID Provider (OP).
+ properties:
+ method:
+ default: BasicAuth
+ description: Method specifies in which format the client
+ secret is sent with the authorization request.
+ enum:
+ - BasicAuth
+ - FormURLEncoded
+ type: string
+ secretRef:
+ description: SecretRef specifies the kubernetes secret containing
+ the client password with key "client.secret".
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ required:
+ - clientSecret
+ type: object
+ flowTimeout:
+ default: 5m
+ description: FlowTimeout specifies the time window within which
+ an initiated OIDC flow can be completed by the client.
+ type: string
+ oidcProviderRef:
+ description: OIDCProviderRef selects the OpenID Provider (OP) used
+ to authenticate users.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ pathMapping:
+ description: PathMapping configures the action matching.
+ properties:
+ logoutPath:
+ description: |-
+ LogoutPath specifies which request paths should initiate a logout.
+
+ WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently ensure that it also matches these logout requests.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether the matching
+ should be case-insensitive. In case of a regex match,
+ the regex gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ redirectPath:
+ description: |-
+ RedirectPath specifies which request paths should be interpreted as a callback redirect from the authorization endpoint.
+
+ WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently ensure that it also matches these callback redirect requests.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether the matching
+ should be case-insensitive. In case of a regex match,
+ the regex gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ required:
+ - logoutPath
+ - redirectPath
+ type: object
+ redirectURI:
+ description: |-
+ RedirectURI configures the "redirect_uri" parameter included in the authorization request.
+ May contain envoy command operators, e.g.: `%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback`
+
+ WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently
+ ensure that it also matches requests to this URI.
+ minLength: 1
+ type: string
+ scopes:
+ description: |-
+ Scopes specifies the scopes to request during the OIDC flow.
+ The mandatory `openid` scope is implicitly added to the list if not already present.
+ Default: `['openid', 'profile']`
+
+ Note: Different OIDCRelyingParties which use the same OIDC Provider and Client ID must request the same scopes for now.
+ items:
+ minLength: 1
+ type: string
+ type: array
+ required:
+ - clientID
+ - credentials
+ - oidcProviderRef
+ - pathMapping
+ - redirectURI
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/openapis.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/openapis.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..d4028cc
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/openapis.microgateway.airlock.com.yaml
@@ -0,0 +1,188 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: openapis.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: OpenAPI
+ listKind: OpenAPIList
+ plural: openapis
+ singular: openapi
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: OpenAPI contains the configuration for the OpenAPI specification.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired OpenAPI specification.
+ properties:
+ response:
+ description: Response defines the validation behaviour for responses.
+ properties:
+ secured:
+ description: Secured enables response checking.
+ properties:
+ validation:
+ default: Lax
+ description: Validation defines the validation mode for
+ responses.
+ enum:
+ - Lax
+ - Strict
+ type: string
+ type: object
+ unsecured:
+ description: Unsecured disables response checking.
+ type: object
+ type: object
+ settings:
+ description: Settings defines the settings to configure OpenAPI
+ specification enforcement.
+ properties:
+ logging:
+ description: Logging specifies the access log behavior.
+ properties:
+ maxFailedSubvalidations:
+ default: 10
+ description: MaxFailedSubvalidations defines the maximum
+ number of failed subvalidations being logged.
+ format: int64
+ type: integer
+ type: object
+ schema:
+ description: Schema configures the OpenAPI specification.
+ properties:
+ source:
+ description: Source specifies the OpenAPI specification
+ to be enforced.
+ properties:
+ configMapRef:
+ description: ConfigMapRef references the configmap by
+ its name containing the well-known key `openapi.json`.
+ Use the `data` field for plaintext or the `binaryData`
+ for compressed data. Supported compression formats
+ are zstd, gzip or zip.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ required:
+ - source
+ type: object
+ threatHandlingMode:
+ default: Block
+ description: ThreatHandlingMode specifies how threats should
+ be handled.
+ enum:
+ - Block
+ - LogOnly
+ type: string
+ validation:
+ description: Validation specifies the patterns for the validation
+ behavior.
+ properties:
+ authentication:
+ description: Authentication defines the settings for the
+ authentication scheme.
+ properties:
+ oAuth2:
+ description: OAuth2 specifies the OAuth2 parameters.
+ properties:
+ allowedParameters:
+ description: AllowedParameters specifies the allowed
+ parameters for the authentication scheme.
+ properties:
+ builtIn:
+ description: BuiltIn allows configuring a set
+ of predefined allowed parameters.
+ properties:
+ standardParameters:
+ default: true
+ description: StandardParameters defines
+ whether the allowed parameters should
+ be expanded by the set of common parameters.
+ type: boolean
+ type: object
+ custom:
+ description: Custom allows configuring additional
+ allowed parameters.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ type: object
+ oidc:
+ description: Oidc specifies the OIDC parameters.
+ properties:
+ allowedParameters:
+ description: AllowedParameters specifies the allowed
+ parameters for the authentication scheme.
+ properties:
+ builtIn:
+ description: BuiltIn allows configuring a set
+ of predefined allowed parameters.
+ properties:
+ standardParameters:
+ default: true
+ description: StandardParameters defines
+ whether the allowed parameters should
+ be expanded by the set of common parameters.
+ type: boolean
+ type: object
+ custom:
+ description: Custom allows configuring additional
+ allowed parameters.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ required:
+ - schema
+ type: object
+ required:
+ - settings
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/parsers.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/parsers.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..c24f00c
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/parsers.microgateway.airlock.com.yaml
@@ -0,0 +1,402 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: parsers.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: Parser
+ listKind: ParserList
+ plural: parsers
+ singular: parser
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: Parser contains the configuration for content parsers (default
+ and custom).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired parser behavior.
+ properties:
+ request:
+ description: Request defines the parsing for downstream requests.
+ properties:
+ custom:
+ description: Custom allows configuring additional rules for
+ parser selection.
+ properties:
+ rules:
+ description: |-
+ Rules defines a custom set prepended before built-in rules of enabled request parsers.
+ Disable all built-in parsers to overrule them completely.
+ items:
+ properties:
+ action:
+ description: |-
+ Action specifies what should happen when a request condition matches.
+ Only one of parse or skip can be set.
+ properties:
+ parse:
+ description: Parse activates the configured parser.
+ properties:
+ form:
+ description: Form activates the Form parser.
+ type: object
+ json:
+ description: JSON activates the JSON parser.
+ type: object
+ multipart:
+ description: Multipart activates the multipart
+ parser.
+ type: object
+ type: object
+ skip:
+ description: Skip disables any content parsing
+ type: object
+ type: object
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in order
+ for this rule to apply.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request
+ condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media
+ type from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of
+ a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or
+ IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the
+ match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - action
+ - requestConditions
+ type: object
+ type: array
+ type: object
+ defaultContentType:
+ default: application/x-www-form-urlencoded
+ description: DefaultContentType specifies the content-type header
+ which should be injected into the request before parser selection
+ if it is not already present and the request has a body.
+ minLength: 1
+ type: string
+ parsers:
+ description: Parsers defines the configuration for the available
+ content parsers.
+ properties:
+ form:
+ description: Form defines the configuration for the form
+ parser.
+ properties:
+ enable:
+ default: true
+ description: Enable defines whether form payloads are
+ inspected.
+ type: boolean
+ mediaTypePattern:
+ default: .*urlencoded.*
+ description: MediaTypePattern is a regex specifying
+ the media types for which the request body should
+ be treated as form arguments.
+ minLength: 1
+ type: string
+ type: object
+ json:
+ description: JSON defines the configuration for the JSON
+ parser.
+ properties:
+ enable:
+ default: true
+ description: Enable defines whether json payloads are
+ inspected.
+ type: boolean
+ mediaTypePattern:
+ default: .*json.*
+ description: MediaTypePattern is a regex specifying
+ the media types for which the request body should
+ be treated as JSON.
+ minLength: 1
+ type: string
+ type: object
+ multipart:
+ description: Multipart defines the configuration for the
+ multipart parser.
+ properties:
+ enable:
+ default: true
+ description: Enable defines whether multipart payloads
+ are inspected.
+ type: boolean
+ mediaTypePattern:
+ default: .*multipart.*
+ description: MediaTypePattern is a regex specifying
+ the media types for which the request body should
+ be treated as a multipart payload.
+ minLength: 1
+ type: string
+ type: object
+ type: object
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/redisproviders.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/redisproviders.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..c493cfe
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/redisproviders.microgateway.airlock.com.yaml
@@ -0,0 +1,258 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: redisproviders.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: RedisProvider
+ listKind: RedisProviderList
+ plural: redisproviders
+ singular: redisprovider
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: RedisProvider contains a client configuration for connecting
+ to a Redis database.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of a Redis database client configuration.
+ properties:
+ auth:
+ description: Auth specifies the Redis credentials.
+ properties:
+ password:
+ description: Password specifies the Redis password.
+ properties:
+ secretRef:
+ description: SecretRef selects the secret containing the
+ Redis password under the key 'redis.password'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ username:
+ default: default
+ description: Username specifies the Redis username to authenticate
+ with.
+ minLength: 1
+ pattern: ^[^\s]+$
+ type: string
+ required:
+ - password
+ type: object
+ mode:
+ description: Mode configures the redis deployment mode.
+ properties:
+ cluster:
+ description: Cluster specifies the Redis Cluster to connect
+ to.
+ properties:
+ nodes:
+ description: Nodes specifies the Cluster nodes.
+ items:
+ properties:
+ host:
+ description: Host specifies the IP or hostname.
+ minLength: 1
+ pattern: ^(\d{1,3}(\.\d{1,3}){3}|([0-9a-fA-F]{1,4}|:)+(:\d{1,3}(\.\d{1,3}){3})?|[a-z0-9\-]+(\.[a-z0-9\-]+)*)$
+ type: string
+ port:
+ default: 6379
+ description: Port specifies the port.
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - host
+ type: object
+ minItems: 1
+ type: array
+ required:
+ - nodes
+ type: object
+ sentinel:
+ description: Sentinel specifies the Redis Sentinels to connect
+ to.
+ properties:
+ masterName:
+ description: MasterName specifies the master name.
+ minLength: 1
+ type: string
+ nodes:
+ description: Nodes specifies the Sentinel nodes.
+ items:
+ properties:
+ host:
+ description: Host specifies the IP or hostname.
+ minLength: 1
+ pattern: ^(\d{1,3}(\.\d{1,3}){3}|([0-9a-fA-F]{1,4}|:)+(:\d{1,3}(\.\d{1,3}){3})?|[a-z0-9\-]+(\.[a-z0-9\-]+)*)$
+ type: string
+ port:
+ default: 6379
+ description: Port specifies the port.
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - host
+ type: object
+ minItems: 1
+ type: array
+ required:
+ - masterName
+ - nodes
+ type: object
+ standalone:
+ description: Standalone specifies the standalone Redis instance
+ to connect to.
+ properties:
+ host:
+ description: Host specifies the IP or hostname.
+ minLength: 1
+ pattern: ^(\d{1,3}(\.\d{1,3}){3}|([0-9a-fA-F]{1,4}|:)+(:\d{1,3}(\.\d{1,3}){3})?|[a-z0-9\-]+(\.[a-z0-9\-]+)*)$
+ type: string
+ port:
+ default: 6379
+ description: Port specifies the port.
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - host
+ type: object
+ type: object
+ timeouts:
+ description: Timeouts specifies the timeouts when interacting with
+ the Redis endpoint.
+ properties:
+ connect:
+ default: 5s
+ description: Connect specifies the timeout for establishing
+ a connection.
+ type: string
+ maxDuration:
+ default: 2s
+ description: MaxDuration specifies the response timeout.
+ type: string
+ type: object
+ tls:
+ description: TLS defines TLS settings. If not specified, TLS is
+ disabled i.e. unencrypted TCP is used when connecting to the Redis
+ instance.
+ properties:
+ certificateVerification:
+ description: CertificateVerification specifies how the certificate
+ presented by the server is verified.
+ properties:
+ custom:
+ description: Custom explicitly specifies how the server
+ certificate should be verified.
+ properties:
+ trustedCA:
+ description: TrustedCA defines which CA certificates
+ are trusted.
+ properties:
+ certificates:
+ description: Certificates defines the list of secretRefs
+ containing trusted CA certificates.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines the reference
+ to a secret containing one or more CA certificates
+ under the key 'ca.crt'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ required:
+ - certificates
+ type: object
+ required:
+ - trustedCA
+ type: object
+ disabled:
+ description: 'Disabled specifies to trust any certificate
+ without verification. THIS IS INSECURE AND SHOULD ONLY
+ BE USED FOR TESTING. Note: This setting currently also
+ disables TLS SNI.'
+ type: object
+ publicCAs:
+ description: "PublicCAs specifies to only accept certificates\
+ \ with a SAN matching the host and which are signed by\
+ \ a CA which is either directly or indirectly trusted\
+ \ by any of the root CA certificates shipped with the\
+ \ Airlock Microgateway Session Agent\u2019s base image."
+ type: object
+ type: object
+ clientCertificate:
+ description: ClientCertificate configures client certificate
+ authentication. If not specified, TLS-based client authentication
+ is disabled.
+ properties:
+ secretRef:
+ description: SecretRef specifies the client certificate
+ to use (secret of type kubernetes.io/tls).
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ type: object
+ required:
+ - mode
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/sessionhandlings.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/sessionhandlings.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..ec06d87
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/sessionhandlings.microgateway.airlock.com.yaml
@@ -0,0 +1,92 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: sessionhandlings.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: SessionHandling
+ listKind: SessionHandlingList
+ plural: sessionhandlings
+ singular: sessionhandling
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: SessionHandling contains the configuration for session handling.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired session handling behavior.
+ properties:
+ defaultTimeouts:
+ description: DefaultTimeouts specifies the session timeouts to apply
+ when not provided by the authentication method.
+ properties:
+ lifetime:
+ default: 12h
+ description: Lifetime specifies the maximum duration a session
+ can exist.
+ type: string
+ type: object
+ persistence:
+ description: Persistence configures where to store the session state.
+ properties:
+ redisProviderRef:
+ description: RedisProviderRef specifies to cache session information
+ in the provided Redis instance.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - redisProviderRef
+ type: object
+ prefix:
+ description: |-
+ Prefix specifies the prefix under which the sessions should be stored in the persistence layer.
+ If not specified, an automatic prefix derived from the namespaced SessionHandling CR name is used, which ensures that sessions will always be isolated on Microgateways configured with different SessionHandling CRs, even if they share the same persistence backend.
+
+ To allow session sharing between different Microgateway deployments, ensure that the prefix and persistence backend is the same across all corresponding SessionHandling CRs.
+
+ Note: Session cookies are currently never shared across different fully qualified domain names (FQDNs) and authentication via different OIDC Relying Parties generates different session cookies. Clients will therefore only able to transparently reuse session cookies for connecting to different Microgateway deployments if those are a) exposed under the same FQDN and b) handle authentication via the same OIDC Relying Party.
+ maxLength: 64
+ minLength: 1
+ pattern: ^[a-zA-Z][a-zA-Z0-9_]*$
+ type: string
+ required:
+ - persistence
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/sidecargateways.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/sidecargateways.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..96dc91e
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/sidecargateways.microgateway.airlock.com.yaml
@@ -0,0 +1,868 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: sidecargateways.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: SidecarGateway
+ listKind: SidecarGatewayList
+ plural: sidecargateways
+ singular: sidecargateway
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .status.status
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: SidecarGateway contains the configuration how to configure
+ the Airlock Microgateway Engine when used as Sidecar Container within
+ the Pod of an application.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired sidecar gateway behavior.
+ properties:
+ applications:
+ description: Applications defines applications which run on different
+ ports.
+ items:
+ properties:
+ containerPort:
+ default: 8080
+ description: |-
+ ContainerPort refers to the container port.
+ This must be a valid port number, 0 < x < 65536.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ downstream:
+ description: Downstream defines the downstream configuration
+ for this application
+ properties:
+ protocol:
+ description: |-
+ Protocol defines the exposed HTTP protocol version. At most one of http1, http2 and auto can be set.
+ Default: auto: {}
+ properties:
+ auto:
+ description: Auto specifies that the protocol should
+ be inferred.
+ properties:
+ http2:
+ description: HTTP2 specifies the settings for
+ when HTTP/2 is inferred.
+ properties:
+ allowConnect:
+ default: false
+ description: Allows proxying Websocket and
+ other upgrades over H2 connect.
+ type: boolean
+ type: object
+ type: object
+ http1:
+ description: HTTP1 specifies that the client is assumed
+ to speak HTTP/1.1.
+ type: object
+ http2:
+ description: HTTP2 specifies that the client is assumed
+ to speak HTTP/2.
+ properties:
+ allowConnect:
+ default: false
+ description: Allows proxying Websocket and other
+ upgrades over H2 connect.
+ type: boolean
+ type: object
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines how the remote IP of a client is propagated.
+ Default: xff: {...}
+ properties:
+ connectionIP:
+ description: ConnectionIP configures to use the source
+ IP address of the direct downstream connection.
+ type: object
+ customHeader:
+ description: CustomHeader specifies to use a custom
+ header for remote IP extraction.
+ properties:
+ headerName:
+ description: HeaderName specifies the name of
+ the custom header containing the remote IP.
+ minLength: 1
+ type: string
+ required:
+ default: true
+ description: Required specifies if the custom
+ header is required. If true and not available
+ the request will be rejected with 403.
+ type: boolean
+ required:
+ - headerName
+ type: object
+ xff:
+ description: XFF configures to use the standard 'X-Forwarded-For'
+ header for IP extraction.
+ properties:
+ numTrustedHops:
+ default: 1
+ description: NumTrustedHops specifies to extract
+ the client's originating IP from the nth rightmost
+ entry in the X-Forwarded-For header. With the
+ default value of 1, the IP is extracted from
+ the rightmost entry.
+ format: int32
+ minimum: 1
+ type: integer
+ type: object
+ type: object
+ requestNormalizations:
+ description: RequestNormalizations defines a set of normalization
+ actions which are applied to the request before route
+ matching.
+ properties:
+ mergeSlashes:
+ default: true
+ description: MergeSlashes ensures that adjacent slashes
+ in the path are merged into one.
+ type: boolean
+ normalizePath:
+ default: true
+ description: NormalizePath ensures normalization according
+ to RFC 3986 without case normalization.
+ type: boolean
+ type: object
+ restrictions:
+ description: Restrictions defines restrictions for downstream.
+ properties:
+ http:
+ description: HTTP defines limits for the HTTP protocol.
+ properties:
+ headersLength:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 60Ki
+ description: HeadersLength defines maximum size
+ of all request headers combined. Requests that
+ exceed this limit will receive a 431 response.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ timeouts:
+ description: Timeouts defines timeouts for downstream
+ properties:
+ http:
+ description: HTTP defines the settings for HTTP timeouts.
+ properties:
+ idle:
+ default: 5m
+ description: |-
+ Idle defines the settings for the idle timeout when no data is sent or received.
+ A value of 0 will completely disable the timeout.
+ Default: 5m
+ type: string
+ maxDuration:
+ default: 5m
+ description: |-
+ MaxDuration defines the total duration for a HTTP request/response stream.
+ A value of 0 will completely disable the timeout.
+ Default: 5m
+ type: string
+ requestHeaders:
+ default: 10s
+ description: |-
+ RequestHeaders defines the duration before all request headers must be received.
+ A value of 0 will completely disable the timeout.
+ Default: 10s
+ type: string
+ type: object
+ type: object
+ tls:
+ description: TLS defines the TLS settings.
+ properties:
+ ciphers:
+ description: Ciphers defines a list of the supported
+ TLS cipher suites. For details on cipher list refer
+ to the envoy documentation on cipher_suites in common
+ tls configuration.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ clientCertificate:
+ description: |-
+ ClientCertificate defines the TLS settings for verification of client certificates.
+ At most one of ignored, optional and required can be set.
+ Default: ignored: {}
+ properties:
+ ignored:
+ description: Ignored disables verification of
+ the client certificate.
+ type: object
+ optional:
+ description: |-
+ Optional enables verification of the client certificate if one is presented.
+ In this mode only trustedCA and crl settings can be configured since certificatePinning and allowedSANs require a client certificate.
+ properties:
+ crl:
+ description: CRL defines the Certificate Revocation
+ List (CRL) settings.
+ properties:
+ lists:
+ description: Lists defines the list of
+ secretRefs containing Certificate Revocation
+ Lists.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines the
+ reference to a secret containing
+ one or more CRL's (in PEM format)
+ under the key 'ca.crl'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ validationMode:
+ default: VerifyChain
+ description: ValidationMode defines whether
+ only the leaf certificate or also the
+ CA certs should be checked.
+ enum:
+ - VerifyLeafCertOnly
+ - VerifyChain
+ type: string
+ type: object
+ trustedCA:
+ description: TrustedCA defines which CA certificates
+ are trusted.
+ properties:
+ certificates:
+ description: Certificates defines the
+ list of secretRefs containing trusted
+ CA certificates.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines the
+ reference to a secret containing
+ one or more CA certificates under
+ the key 'ca.crt'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ verificationDepth:
+ default: 1
+ description: |-
+ VerificationDepth specifies the hops in the certificate chain at which validation is performed.
+ 1 means that either the leaf or the signing CA must be in the set of trusted certificates.
+ format: int32
+ type: integer
+ required:
+ - certificates
+ type: object
+ required:
+ - trustedCA
+ type: object
+ required:
+ description: |-
+ Required contains settings for client certificate verification. A client must present a valid certificate.
+ At least one of trustedCA and certificatePinning must be set.
+ properties:
+ allowedSANs:
+ description: "AllowedSANs is a list of matchers\
+ \ to verify the Subject Alternative name.\
+ \ If specified, it will verify that the\n\
+ Subject Alternative Name of the presented\
+ \ certificate matches one of the specified\
+ \ matchers. The matching uses \u201Cany\u201D\
+ \ semantics,\nthat is to say, the SAN is\
+ \ verified if at least one matcher is matched.\n\
+ AllowedSANs requires trustedCA to be set."
+ items:
+ description: |-
+ TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
+ Subject Alternative Name of the presented certificate matches one of the specified matchers.
+ properties:
+ matcher:
+ description: Matcher defines the string
+ matcher for the SAN value.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be
+ case-insensitive. In case of a
+ regex match, the regex gets wrapped
+ with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ sanType:
+ description: SanType defines the type
+ of SAN matcher.
+ enum:
+ - DNS
+ - Email
+ - URI
+ - IPAddress
+ type: string
+ required:
+ - matcher
+ - sanType
+ type: object
+ minItems: 1
+ type: array
+ certificatePinning:
+ description: |-
+ CertificatePinning defines the constraints a client certificate must fulfill.
+ If more than one constraint is configured only one must be satisfied.
+ At least one of allowedSPKIs and allowedHashes must be set.
+ properties:
+ allowedHashes:
+ description: |-
+ AllowedHashes is a list of hex-encoded SHA-256 hashes.
+ If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ allowedSPKIs:
+ description: |-
+ AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
+ If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ crl:
+ description: CRL defines the Certificate Revocation
+ List (CRL) settings.
+ properties:
+ lists:
+ description: Lists defines the list of
+ secretRefs containing Certificate Revocation
+ Lists.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines the
+ reference to a secret containing
+ one or more CRL's (in PEM format)
+ under the key 'ca.crl'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ validationMode:
+ default: VerifyChain
+ description: ValidationMode defines whether
+ only the leaf certificate or also the
+ CA certs should be checked.
+ enum:
+ - VerifyLeafCertOnly
+ - VerifyChain
+ type: string
+ type: object
+ trustedCA:
+ description: TrustedCA defines which CA certificates
+ are trusted.
+ properties:
+ certificates:
+ description: Certificates defines the
+ list of secretRefs containing trusted
+ CA certificates.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines the
+ reference to a secret containing
+ one or more CA certificates under
+ the key 'ca.crt'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ verificationDepth:
+ default: 1
+ description: |-
+ VerificationDepth specifies the hops in the certificate chain at which validation is performed.
+ 1 means that either the leaf or the signing CA must be in the set of trusted certificates.
+ format: int32
+ type: integer
+ required:
+ - certificates
+ type: object
+ type: object
+ type: object
+ enable:
+ default: false
+ description: Enable defines if the downstream connection
+ is encrypted.
+ type: boolean
+ protocol:
+ description: Protocol defines the supported TLS protocol
+ versions.
+ properties:
+ maximum:
+ description: Maximum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ minimum:
+ description: Minimum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ type: object
+ secretRef:
+ description: SecretRef defines the reference to the
+ TLS server certificate (secret of type kubernetes.io/tls).
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ xfcc:
+ description: "XFCC defines the handling of X-Forwarded-Client-Cert\
+ \ header. Meaning of the possible values:\n_Sanitize_:\
+ \ Do not send the XFCC header to the next hop. This\
+ \ is the default value.\n_ForwardOnly_: When the\
+ \ client connection is mTLS (Mutual TLS), forward\
+ \ the XFCC header in the request.\n_AppendAndForward_:\
+ \ When the client connection is mTLS, append the\
+ \ client certificate information to the request\u2019\
+ s XFCC header and forward it.\n_SanitizeAndSet_:\
+ \ When the client connection is mTLS, reset the\
+ \ XFCC header with the client certificate information\
+ \ and send it to the next hop.\n_AlwaysForwardOnly_:\
+ \ Always forward the XFCC header in the request,\
+ \ regardless of whether the client connection is\
+ \ mTLS.\nNote: When forwarding the XFCC header in\
+ \ the request you might have to adjust the header\
+ \ length restrictions (See sidecargateway.spec.applications.downstream.restrictions.http)"
+ enum:
+ - Sanitize
+ - ForwardOnly
+ - AppendAndForward
+ - SanitizeAndSet
+ - AlwaysForwardOnly
+ type: string
+ type: object
+ type: object
+ envoyHTTPFilterRefs:
+ description: EnvoyHTTPFilterRefs selects the relevant EnvoyHTTPFilters.
+ properties:
+ prepend:
+ description: Prepend selects the relevant EnvoyHTTPFilters
+ which are added before those configured by the Airlock
+ Microgateway.
+ items:
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ type: object
+ routes:
+ description: Routes defines the security configurations for
+ different paths. The first matching route (from top to bottom)
+ applies.
+ items:
+ description: |-
+ SidecarGatewayApplicationRoute defines the security configurations for different paths.
+ At most one of secured and unsecured can be set.
+ Default: secured: {...}
+ properties:
+ pathPrefix:
+ default: /
+ description: PathPrefix defines the path prefix used
+ during route selection.
+ minLength: 1
+ type: string
+ secured:
+ description: Secured enables WAF processing for this
+ route.
+ properties:
+ accessControlRef:
+ description: |-
+ AccessControlRef selects the relevant AccessControl configuration resource.
+ If undefined, Airlock Microgateway does not perform any access control.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ contentSecurityRef:
+ description: |-
+ ContentSecurityRef selects the relevant ContentSecurity configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ unsecured:
+ description: |-
+ Unsecured disables all WAF functionality and therefore protection for this route.
+ WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged.
+ type: object
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - pathPrefix
+ x-kubernetes-list-type: map
+ telemetryRef:
+ description: |-
+ TelemetryRef selects the relevant Telemetry configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ upstream:
+ description: Upstream defines the upstream configuration for
+ this application
+ properties:
+ protocol:
+ description: |-
+ Protocol defines HTTP protocol version used to communicate with the upstream. At most one of http1, http2 and auto can be set.
+ Default: auto: {}
+ properties:
+ auto:
+ description: Auto specifies to negotiate the protocol
+ with TLS ALPN (if TLS is enabled) or, as a fallback,
+ use the same protocol that is used by the downstream
+ connection.
+ properties:
+ http2:
+ description: HTTP2 specifies the settings for
+ when HTTP/2 is inferred.
+ properties:
+ allowConnect:
+ default: false
+ description: Allows proxying Websocket and
+ other upgrades over H2 connect.
+ type: boolean
+ type: object
+ type: object
+ http1:
+ description: HTTP1 specifies to use HTTP/1.1.
+ type: object
+ http2:
+ description: HTTP2 specifies to use HTTP/2.
+ properties:
+ allowConnect:
+ default: false
+ description: Allows proxying Websocket and other
+ upgrades over H2 connect.
+ type: boolean
+ type: object
+ type: object
+ timeouts:
+ description: Timeouts defines the timeout settings.
+ properties:
+ http:
+ description: HTTP defines the settings for HTTP timeouts.
+ properties:
+ idle:
+ description: |-
+ Timeout defines the settings for http timeouts. If this setting is not specified, the value of applications[].downstream.timeouts.http.idle is inherited.
+ A value of 0 will completely disable the timeout.
+ type: string
+ maxDuration:
+ default: 15s
+ description: |-
+ MaxDuration defines the total duration for a HTTP request/response stream.
+ Default: 15s
+ type: string
+ type: object
+ type: object
+ tls:
+ description: TLS defines the TLS settings.
+ properties:
+ ciphers:
+ description: Ciphers defines a list of the supported
+ TLS cipher suites. For details on cipher list refer
+ to the envoy documentation on cipher_suites in common
+ tls configuration.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ enable:
+ default: false
+ description: Enable defines if the upstream connection
+ is encrypted.
+ type: boolean
+ protocol:
+ description: Protocol defines the supported TLS protocol
+ versions.
+ properties:
+ maximum:
+ description: Maximum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ minimum:
+ description: Minimum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ type: object
+ type: object
+ type: object
+ type: object
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - containerPort
+ x-kubernetes-list-type: map
+ envoyClusterRefs:
+ description: EnvoyClusterRefs selects the relevant EnvoyClusters.
+ items:
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ podSelector:
+ description: PodSelector defines to which Pods the configuration
+ will be applied to.
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: MatchLabels is a map of {key,value} pairs. A single
+ {key,value} in the matchLabels.
+ type: object
+ type: object
+ sessionHandlingRef:
+ description: SessionHandlingRef selects the SessionHandling configuration
+ to apply.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - applications
+ type: object
+ status:
+ description: Most recently observed status of the SidecarGateway which
+ is populated by the system. This data is read-only and may not be
+ up to date.
+ properties:
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ description: Last time the condition transitioned from one
+ status to another.
+ format: date-time
+ type: string
+ message:
+ description: A human-readable message indicating details about
+ the transition.
+ type: string
+ reason:
+ description: The reason for the condition's last transition.
+ type: string
+ status:
+ description: Status of the condition, one of True, False,
+ Unknown.
+ type: string
+ type:
+ description: Type of SidecarGateway condition.
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ pods:
+ items:
+ properties:
+ envoyConfig:
+ description: EnvoyConfig indicates the name of the EnvoyConfig
+ CR for the Pod.
+ type: string
+ name:
+ description: Name indicates the name of a Pod selected by
+ the SidecarGateway.
+ type: string
+ sessionAgentSecret:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ status:
+ type: string
+ unmanagedPods:
+ items:
+ properties:
+ managedBy:
+ description: ManagedBy indicates the Airlock Microgateway
+ Operator instance which manages this Pod.
+ type: string
+ name:
+ description: Name indicates the name of a Pod selected by
+ the SidecarGateway.
+ type: string
+ sessionAgentSecret:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ required:
+ - status
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/telemetries.microgateway.airlock.com.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/telemetries.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..7fafb35
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/telemetries.microgateway.airlock.com.yaml
@@ -0,0 +1,108 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: telemetries.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: Telemetry
+ listKind: TelemetryList
+ plural: telemetries
+ singular: telemetry
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: Telemetry contains the configuration for telemetry (logging,
+ metrics & tracing).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired telemetry behavior.
+ properties:
+ correlation:
+ description: Correlation defines the correlation aspects of Telemetry.
+ properties:
+ idSource:
+ description: IDSource specifies how an external correlation
+ ID should be obtained for a request. If not specified, no
+ correlation ID will be logged.
+ properties:
+ header:
+ description: Header specifies to extract the correlation
+ ID from a request header. If the header is absent from
+ a request, no correlation ID will be logged.
+ properties:
+ name:
+ default: X-Correlation-Id
+ description: Name of the header (case-insensitive) from
+ which to extract the correlation ID.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - header
+ type: object
+ request:
+ description: Request defines the request related correlation
+ settings of Telemetry.
+ properties:
+ allowDownstreamRequestID:
+ default: true
+ description: AllowDownstreamRequestID defines whether trace
+ sampling will consider a provided x-request-id.
+ type: boolean
+ alterRequestID:
+ default: true
+ description: AlterRequestID defines whether to alter the
+ UUID to reflect the trace sampling decision. If disabled
+ no modification to the UUID will be performed, this may
+ break tracing in the upstream.
+ type: boolean
+ type: object
+ type: object
+ logging:
+ description: Logging defines the logging aspects of Telemetry.
+ properties:
+ accessLog:
+ description: AccessLog defines the access log settings of Telemetry.
+ properties:
+ format:
+ description: Format defines the Access Log format of the
+ sidecar.
+ properties:
+ json:
+ description: JSON defines the Access Log format as JSON.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: object
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/configmap.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/configmap.yaml
new file mode 100644
index 0000000..e97ed8e
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/configmap.yaml
@@ -0,0 +1,410 @@
+apiVersion: v1
+data:
+ engine_bootstrap_config_template.yaml: |
+ # Base configuration, admin interface on port 19000
+ admin:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ dynamic_resources:
+ cds_config:
+ initial_fetch_timeout: 10s
+ resource_api_version: V3
+ api_config_source:
+ api_type: GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC
+ rate_limit_settings:
+ max_tokens: 5
+ fill_rate: 0.2
+ lds_config:
+ resource_api_version: V3
+ initial_fetch_timeout: 10s
+ api_config_source:
+ api_type: GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC
+ rate_limit_settings:
+ max_tokens: 5
+ fill_rate: 0.2
+ static_resources:
+ listeners:
+ - name: probe
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ filter_chains:
+ - filters:
+ - name: http_connection_manager
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: probe
+ codec_type: AUTO
+ http2_protocol_options:
+ initial_connection_window_size: 1048576
+ initial_stream_window_size: 65536
+ max_concurrent_streams: 100
+ route_config:
+ name: probe
+ virtual_hosts:
+ - name: probe
+ domains:
+ - '*'
+ routes:
+ - name: ready
+ match:
+ path: /ready
+ headers:
+ - name: ':method'
+ string_match:
+ exact: 'GET'
+ route:
+ cluster: airlock_microgateway_engine_admin
+ http_filters:
+ - name: envoy.filters.http.router
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ - name: metrics
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19002
+ filter_chains:
+ - filters:
+ - name: http_connection_manager
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: metrics
+ codec_type: AUTO
+ http2_protocol_options:
+ initial_connection_window_size: 1048576
+ initial_stream_window_size: 65536
+ max_concurrent_streams: 100
+ route_config:
+ name: metrics
+ virtual_hosts:
+ - name: metrics
+ domains:
+ - '*'
+ routes:
+ - name: metrics
+ match:
+ path: /metrics
+ headers:
+ - name: ':method'
+ string_match:
+ exact: 'GET'
+ route:
+ prefix_rewrite: '/stats/prometheus'
+ cluster: airlock_microgateway_engine_admin
+ http_filters:
+ - name: envoy.filters.http.router
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: xds_cluster
+ connect_timeout: 1s
+ type: STRICT_DNS
+ respect_dns_ttl: true
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: airlock-microgateway-operator-xds.$(OPERATOR_NAMESPACE).svc.cluster.local
+ port_value: 13377
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 360s
+ timeout: 5s
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_minimum_protocol_version: TLSv1_3
+ tls_maximum_protocol_version: TLSv1_3
+ validation_context_sds_secret_config:
+ name: validation_context_sds
+ sds_config:
+ resource_api_version: V3
+ path_config_source:
+ path: /app/config/validation_context_sds_secret.yaml
+ watched_directory:
+ path: /app/config/
+ tls_certificate_sds_secret_configs:
+ - name: tls_certificate_sds
+ sds_config:
+ resource_api_version: V3
+ path_config_source:
+ path: /app/config/tls_certificate_sds_secret.yaml
+ watched_directory:
+ path: /app/config/
+ - name: airlock_microgateway_engine_admin
+ connect_timeout: 1s
+ type: STATIC
+ load_assignment:
+ cluster_name: airlock_microgateway_engine_admin
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 360s
+ timeout: 5s
+ stats_config:
+ stats_tags:
+ - tag_name: "block_type"
+ regex: "\\.(block_type\\.([^.]+))"
+ - tag_name: "block_subtype"
+ regex: "\\.(block_subtype\\.([^.]+))"
+ - tag_name: "envoy_cluster_name"
+ regex: "\\.(cluster\\.([^.]+))"
+ - tag_name: "upstream"
+ regex: "\\.(cluster\\.upstream_(\\d+))"
+ - tag_name: "upstream"
+ regex: "^cluster\\.(upstream_(\\d+))"
+ - tag_name: "upstream"
+ regex: "\\.(cluster\\.httproute/([^.]+)/rule/[^.]+)"
+ - tag_name: "upstream"
+ regex: "^cluster\\.(httproute/([^.]+)/rule/[^.]+)"
+ use_all_default_tags: true
+ overload_manager:
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
+ bootstrap_extensions:
+ - name: airlock.bootstrap.engine_stats
+ typed_config:
+ '@type': type.googleapis.com/airlock.extensions.bootstrap.stats.v1alpha.Stats
+ health_probe_approx_req_per_hour: $(HEALTH_PROBE_REQUESTS_PER_HOUR)
+ application_log_config:
+ log_format:
+ text_format: '{"@timestamp":"%Y-%m-%dT%T.%e%z","log":{"logger":"%n","level":"%l","origin":{"file":{"name":"%g","line":%#},"function":"%!"}},"event":{"module":"envoy","dataset":"envoy.application"},"process":{"pid":%P,"thread":{"id":%t}},"ecs":{"version":"8.5"},"message":"%j"}'
+ engine_container_template.yaml: |
+ name: "$(ENGINE_NAME)"
+ image: "$(ENGINE_IMAGE)"
+ imagePullPolicy: IfNotPresent
+ args:
+ - "--config-path"
+ - "/app/config/bootstrap_config.yaml"
+ - "--base-id"
+ - "$(BASE_ID)"
+ - "--file-flush-interval-msec"
+ - '1000'
+ - "--drain-time-s"
+ - '60'
+ - "--service-node"
+ - "$(POD_NAME).$(POD_NAMESPACE)"
+ - "--service-cluster"
+ - "$(APP_NAME).$(POD_NAMESPACE)"
+ - "--log-path"
+ - "/dev/stdout"
+ - "--log-level"
+ - "$(LOG_LEVEL)"
+ volumeMounts:
+ - name: airlock-microgateway-bootstrap-secret-volume
+ mountPath: /app/config/
+ readOnly: true
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ ports:
+ - containerPort: 13378
+ protocol: TCP
+ - containerPort: 19001
+ protocol: TCP
+ - containerPort: 19002
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ failureThreshold: 3
+ successThreshold: 1
+ timeoutSeconds: 2
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ initialDelaySeconds: 0
+ periodSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+ timeoutSeconds: 1
+ startupProbe:
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ initialDelaySeconds: 0
+ periodSeconds: 1
+ failureThreshold: 30
+ successThreshold: 1
+ timeoutSeconds: 1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsNonRoot: true
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ runAsUser: $(SECURITYCONTEXT_UID)
+ network_validator_container_template.yaml: |
+ name: "$(NETWORK_VALIDATOR_NAME)"
+ image: "$(ENGINE_IMAGE)"
+ imagePullPolicy: IfNotPresent
+ command: ["/app/microgateway-network-validator"]
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsNonRoot: true
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ runAsUser: $(SECURITYCONTEXT_UID)
+ resources:
+ limits:
+ cpu: 25m
+ memory: 12Mi
+ requests:
+ cpu: 5m
+ memory: 1Mi
+ operator_config.yaml: |
+ apiVersion: config.airlock.com/v1alpha1
+ kind: OperatorConfig
+ health:
+ healthProbeBindAddress: :8081
+ metrics:
+ bindAddress: 0.0.0.0:8080
+ webhook:
+ port: 9443
+ deployment:
+ sidecar:
+ engineContainerTemplate: "/app/config/sidecar/engine_container_template.yaml"
+ networkValidatorContainerTemplate: "/app/config/sidecar/network_validator_container_template.yaml"
+ sessionAgentContainerTemplate: "/app/config/sidecar/session_agent_container_template.yaml"
+ engine:
+ bootstrapConfigTemplate: "/app/config/engine_bootstrap_config_template.yaml"
+ podMonitor:
+ create: false
+ session_agent_container_template.yaml: |
+ name: "$(SESSION_AGENT_NAME)"
+ image: "$(SESSION_AGENT_IMAGE)"
+ imagePullPolicy: IfNotPresent
+ args:
+ - "--port"
+ - "19004"
+ - "--config-path"
+ - "/app/config/config.json"
+ volumeMounts:
+ - name: airlock-microgateway-session-agent-volume
+ mountPath: /app/config/
+ readOnly: true
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ ports:
+ - containerPort: 19004
+ livenessProbe:
+ grpc:
+ port: 19004
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ failureThreshold: 3
+ successThreshold: 1
+ timeoutSeconds: 2
+ readinessProbe:
+ grpc:
+ port: 19004
+ initialDelaySeconds: 0
+ periodSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+ timeoutSeconds: 1
+ startupProbe:
+ grpc:
+ port: 19004
+ initialDelaySeconds: 0
+ periodSeconds: 1
+ failureThreshold: 30
+ successThreshold: 1
+ timeoutSeconds: 1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsNonRoot: true
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ runAsUser: $(SECURITYCONTEXT_UID)
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-config
+ namespace: syn-airlock-microgateway
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/dashboard-configmap.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/dashboard-configmap.yaml
new file mode 100644
index 0000000..cbd35f6
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/dashboard-configmap.yaml
@@ -0,0 +1,6280 @@
+apiVersion: v1
+data:
+ accessCtrlLogs.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_LOKI",
+ "label": "Loki",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "loki",
+ "pluginName": "Loki"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "11.4.0"
+ },
+ {
+ "type": "datasource",
+ "id": "loki",
+ "name": "Loki",
+ "version": "1.0.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "table",
+ "name": "Table",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "datasource": {
+ "default": false,
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "description": "Access Control logs by Airlock Microgateway, retrieved from corresponding access logs.\n\nThe dashboard can be filtered by namespace. Column filters on the table allow for an even more granular filtering of the logs.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "custom": {
+ "align": "auto",
+ "cellOptions": {
+ "type": "auto"
+ },
+ "filterable": true,
+ "inspect": true
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Namespace"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 221
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Timestamp"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 214
+ },
+ {
+ "id": "unit",
+ "value": "time: YYYY-MM-DD HH:mm:ss.SSS"
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "HTTP Method"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 140
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Client IP"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 138
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request ID"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 328
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request Size"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 126
+ },
+ {
+ "id": "unit",
+ "value": "bytes"
+ },
+ {
+ "id": "custom.align",
+ "value": "right"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Status"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 96
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Authenticated"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 135
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Authorized"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 125
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "URL Path"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 373
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Access Control Policy"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 188
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "HTTP Status"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 124
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 27,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 2,
+ "options": {
+ "cellHeight": "sm",
+ "footer": {
+ "countRows": false,
+ "enablePagination": true,
+ "fields": "",
+ "reducer": [
+ "sum"
+ ],
+ "show": false
+ },
+ "showHeader": true,
+ "sortBy": []
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "editorMode": "code",
+ "expr": "{container=\"airlock-microgateway-engine\"} |= \"access_control\" |= \"envoy.access\" | json http_method=\"http.request.method\", url=\"url.path\", domain=\"url.domain\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", user_id=\"airlock.access_control.user_id\", details=\"airlock.access_control.details\", policy=\"airlock.access_control.policy\", status=\"airlock.access_control.status\", authenticated=\"airlock.access_control.authenticated\", response_code=\"http.response.status_code\", authorized=\"airlock.access_control.authorized\", log_type=\"event.dataset\" | log_type = `envoy.access`",
+ "hide": false,
+ "queryType": "range",
+ "refId": "Access Control Logs"
+ }
+ ],
+ "title": "Access Control Logs",
+ "transformations": [
+ {
+ "id": "extractFields",
+ "options": {
+ "format": "json",
+ "source": "labels"
+ }
+ },
+ {
+ "id": "filterFieldsByName",
+ "options": {
+ "byVariable": false,
+ "include": {
+ "names": [
+ "Time",
+ "authenticated",
+ "authorized",
+ "client_ip",
+ "details",
+ "domain",
+ "http_method",
+ "namespace",
+ "policy",
+ "request_id",
+ "request_size",
+ "status",
+ "url",
+ "user_id",
+ "response_code"
+ ]
+ }
+ }
+ },
+ {
+ "id": "organize",
+ "options": {
+ "excludeByName": {
+ "Line": true,
+ "id": true,
+ "labelTypes": true,
+ "labels": true,
+ "tsNs": false
+ },
+ "includeByName": {},
+ "indexByName": {
+ "Time": 0,
+ "authenticated": 9,
+ "authorized": 10,
+ "client_ip": 13,
+ "details": 12,
+ "domain": 2,
+ "http_method": 3,
+ "namespace": 1,
+ "policy": 7,
+ "request_id": 14,
+ "request_size": 5,
+ "response_code": 6,
+ "status": 11,
+ "url": 4,
+ "user_id": 8
+ },
+ "renameByName": {
+ "Time": "Timestamp",
+ "authenticated": "Authenticated",
+ "authorized": "Authorized",
+ "client_ip": "Client IP",
+ "details": "Details",
+ "domain": "URL Domain",
+ "http_method": "HTTP Method",
+ "namespace": "Namespace",
+ "policy": "Access Control Policy",
+ "request_id": "Request ID",
+ "request_size": "Request Size",
+ "response_code": "HTTP Status",
+ "status": "Status",
+ "url": "URL Path",
+ "user_id": "User ID"
+ }
+ }
+ }
+ ],
+ "type": "table"
+ }
+ ],
+ "schemaVersion": 40,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_LOKI",
+ "name": "DS_LOKI",
+ "options": [],
+ "query": "loki",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "allValue": ".*",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_license_http_rq_total,namespace)",
+ "includeAll": true,
+ "label": "Gateway Namespace",
+ "multi": true,
+ "name": "namespace",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_license_http_rq_total,namespace)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "sort": 5,
+ "type": "query"
+ },
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_PROMETHEUS",
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-1h",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "Europe/Zurich",
+ "title": "Airlock Microgateway Access Control - Logs",
+ "uid": "ce99ks6s11nuob",
+ "version": 1,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-accessctrllogs
+ namespace: syn-airlock-microgateway
+---
+apiVersion: v1
+data:
+ blockLogs.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_LOKI",
+ "label": "Loki",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "loki",
+ "pluginName": "Loki"
+ },
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "10.2.0"
+ },
+ {
+ "type": "datasource",
+ "id": "loki",
+ "name": "Loki",
+ "version": "1.0.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "table",
+ "name": "Table",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "description": "Log entries of threats blocked by Airlock Microgateway.\n\nThe dashboard can be filtered by namespace and block type. Column filters on the table allow for an even more granular filtering of the logs.",
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "datasource": {
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "custom": {
+ "align": "auto",
+ "cellOptions": {
+ "type": "auto"
+ },
+ "filterable": true,
+ "inspect": true
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Namespace"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 221
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Timestamp"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 214
+ },
+ {
+ "id": "unit",
+ "value": "time: YYYY-MM-DD HH:mm:ss.SSS"
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "HTTP Method"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 140
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Client IP"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 138
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request ID"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 328
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Block Type"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 116
+ },
+ {
+ "id": "custom.filterable",
+ "value": false
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request Size"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 126
+ },
+ {
+ "id": "unit",
+ "value": "bytes"
+ },
+ {
+ "id": "custom.align",
+ "value": "right"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Block Subtype"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 217
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 27,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 2,
+ "options": {
+ "cellHeight": "sm",
+ "footer": {
+ "countRows": false,
+ "enablePagination": true,
+ "fields": "",
+ "reducer": [
+ "sum"
+ ],
+ "show": false
+ },
+ "showHeader": true,
+ "sortBy": []
+ },
+ "pluginVersion": "10.2.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "editorMode": "code",
+ "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", domain=\"url.domain\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.actions.block.details\", block_type=\"airlock.actions.block.block_type\", block_subtype=\"airlock.actions.block.block_subtype\"\n| block_type=~\"${blockType:regex}\"",
+ "hide": false,
+ "queryType": "range",
+ "refId": "Blocks"
+ }
+ ],
+ "title": "Blocked Request logs",
+ "transformations": [
+ {
+ "id": "extractFields",
+ "options": {
+ "format": "json",
+ "source": "labels"
+ }
+ },
+ {
+ "id": "filterFieldsByName",
+ "options": {
+ "byVariable": false,
+ "include": {
+ "names": [
+ "Time",
+ "block_subtype",
+ "block_type",
+ "client_ip",
+ "details",
+ "domain",
+ "http_method",
+ "namespace",
+ "request_id",
+ "request_size",
+ "url"
+ ]
+ }
+ }
+ },
+ {
+ "id": "organize",
+ "options": {
+ "excludeByName": {
+ "Line": true,
+ "id": true,
+ "labelTypes": true,
+ "labels": true,
+ "tsNs": false
+ },
+ "includeByName": {},
+ "indexByName": {
+ "Time": 0,
+ "block_subtype": 7,
+ "block_type": 6,
+ "client_ip": 9,
+ "details": 8,
+ "domain": 2,
+ "http_method": 3,
+ "namespace": 1,
+ "request_id": 10,
+ "request_size": 5,
+ "url": 4
+ },
+ "renameByName": {
+ "Time": "Timestamp",
+ "block_subtype": "Block Subtype",
+ "block_type": "Block Type",
+ "client_ip": "Client IP",
+ "details": "Details",
+ "domain": "URL Domain",
+ "http_method": "HTTP Method",
+ "namespace": "Namespace",
+ "request_id": "Request ID",
+ "request_size": "Request Size",
+ "url": "URL Path"
+ }
+ }
+ }
+ ],
+ "type": "table"
+ }
+ ],
+ "schemaVersion": 39,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_LOKI",
+ "multi": false,
+ "name": "DS_LOKI",
+ "options": [],
+ "query": "loki",
+ "refresh": 1,
+ "regex": "",
+ "skipUrlSync": false,
+ "type": "datasource"
+ },
+ {
+ "allValue": ".*",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_license_http_rq_total,namespace)",
+ "hide": 0,
+ "includeAll": true,
+ "label": "Gateway Namespace",
+ "multi": true,
+ "name": "namespace",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_license_http_rq_total,namespace)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "skipUrlSync": false,
+ "sort": 5,
+ "type": "query"
+ },
+ {
+ "allValue": ".*",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)",
+ "hide": 0,
+ "includeAll": true,
+ "label": "Block Type",
+ "multi": true,
+ "name": "blockType",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "skipUrlSync": false,
+ "sort": 5,
+ "type": "query"
+ },
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_PROMETHEUS",
+ "multi": false,
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "skipUrlSync": false,
+ "type": "datasource"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "timeRangeUpdatedDuringEditOrView": false,
+ "timepicker": {},
+ "timezone": "browser",
+ "title": "Airlock Microgateway Threats Block - Logs",
+ "uid": "adnyzcvwnyadcc",
+ "version": 3,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-blocklogs
+ namespace: syn-airlock-microgateway
+---
+apiVersion: v1
+data:
+ blockMetrics.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "panel",
+ "id": "barchart",
+ "name": "Bar chart",
+ "version": ""
+ },
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "11.4.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "stat",
+ "name": "Stat",
+ "version": ""
+ },
+ {
+ "type": "panel",
+ "id": "timeseries",
+ "name": "Time series",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "description": "Metrics on threats blocked by Airlock Microgateway.\n\nDashboard can be filtered by namespaces as well as block types.",
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "collapsed": false,
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 6,
+ "panels": [],
+ "title": "Airlock Microgateway Threats Block - Metrics",
+ "type": "row"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Total number of requests processed by Airlock Microgateway.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 4,
+ "x": 0,
+ "y": 1
+ },
+ "id": 1,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "none",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "last"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "disableTextWrap": false,
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "round(sum(increase(envoy_cluster_upstream_rq{managed_by=~\"${operator:regex}\",namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]))+\nsum(increase(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]) or on() vector(0)))",
+ "format": "time_series",
+ "fullMetaSearch": false,
+ "hide": false,
+ "includeNullMetadata": true,
+ "instant": true,
+ "legendFormat": "Processed Requests",
+ "range": false,
+ "refId": "A",
+ "useBackend": false
+ }
+ ],
+ "title": "Requests",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Ratio of blocked requests vs. processed requests by Airlock Microgateway.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "mappings": [
+ {
+ "options": {
+ "match": "nan",
+ "result": {
+ "index": 0,
+ "text": "n/a"
+ }
+ },
+ "type": "special"
+ }
+ ],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "percentunit"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 4,
+ "x": 4,
+ "y": 1
+ },
+ "id": 2,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "area",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "last"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "disableTextWrap": false,
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "sum(increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]) or on() vector(0))\n/ \n(\nsum(increase(envoy_cluster_upstream_rq{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]))\n+\nsum(increase(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]) or on() vector(0))\n)",
+ "fullMetaSearch": false,
+ "includeNullMetadata": true,
+ "instant": true,
+ "legendFormat": "Blocked Requests (%)",
+ "range": false,
+ "refId": "A",
+ "useBackend": false
+ }
+ ],
+ "title": "% Blocked Requests",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Requests per second processed by Airlock Microgateway along with the corresponding block rate.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "blue",
+ "mode": "fixed"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "left",
+ "barAlignment": 0,
+ "barWidthFactor": 0.6,
+ "drawStyle": "line",
+ "fillOpacity": 0,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "insertNulls": false,
+ "lineInterpolation": "linear",
+ "lineWidth": 1,
+ "pointSize": 5,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "showPoints": "auto",
+ "spanNulls": false,
+ "stacking": {
+ "group": "A",
+ "mode": "none"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "blue",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "% Blocks"
+ },
+ "properties": [
+ {
+ "id": "custom.axisPlacement",
+ "value": "right"
+ },
+ {
+ "id": "unit",
+ "value": "percentunit"
+ },
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "orange",
+ "mode": "fixed"
+ }
+ },
+ {
+ "id": "max",
+ "value": 1
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Requests per second"
+ },
+ "properties": [
+ {
+ "id": "unit",
+ "value": "short"
+ },
+ {
+ "id": "custom.fillOpacity",
+ "value": 25
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 10,
+ "w": 20,
+ "x": 0,
+ "y": 5
+ },
+ "id": 3,
+ "options": {
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": true
+ },
+ "timezone": [
+ ""
+ ],
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "none"
+ }
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "sum(rate(envoy_cluster_upstream_rq{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]))\n+\nsum(rate(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]) or on() vector(0))",
+ "instant": false,
+ "legendFormat": "Requests per second",
+ "range": true,
+ "refId": "Requests per Second"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "sum(rate(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]) or on() vector(0))\n/\n(\nsum(rate(envoy_cluster_upstream_rq{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]))\n+\nsum(rate(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]) or on() vector(0))\n)",
+ "hide": false,
+ "instant": false,
+ "legendFormat": "% Blocks",
+ "range": true,
+ "refId": "Blocks"
+ }
+ ],
+ "title": "Requests vs. % Blocks",
+ "type": "timeseries"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Blocked threats by block type.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "super-light-orange",
+ "mode": "fixed"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisGridShow": true,
+ "axisLabel": "",
+ "axisPlacement": "auto",
+ "fillOpacity": 80,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "lineWidth": 0,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "fieldMinMax": false,
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 11,
+ "w": 10,
+ "x": 0,
+ "y": 15
+ },
+ "id": 4,
+ "options": {
+ "barRadius": 0,
+ "barWidth": 0.8,
+ "fullHighlight": false,
+ "groupWidth": 0.7,
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": false
+ },
+ "orientation": "horizontal",
+ "showValue": "never",
+ "stacking": "none",
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "asc"
+ },
+ "xField": "block_type",
+ "xTickLabelRotation": 0,
+ "xTickLabelSpacing": 0
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "round(sum by (block_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range])))",
+ "format": "time_series",
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "A"
+ }
+ ],
+ "title": "Block Type",
+ "transformations": [
+ {
+ "id": "reduce",
+ "options": {
+ "includeTimeField": false,
+ "labelsToFields": true,
+ "mode": "seriesToRows",
+ "reducers": [
+ "sum"
+ ]
+ }
+ }
+ ],
+ "type": "barchart"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Blocked threats by block subtype, which are subsets of the various block types.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "light-orange",
+ "mode": "fixed"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "auto",
+ "fillOpacity": 80,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "lineWidth": 1,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 11,
+ "w": 10,
+ "x": 10,
+ "y": 15
+ },
+ "id": 5,
+ "options": {
+ "barRadius": 0,
+ "barWidth": 0.8,
+ "fullHighlight": false,
+ "groupWidth": 0.7,
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": false
+ },
+ "orientation": "horizontal",
+ "showValue": "never",
+ "stacking": "none",
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "none"
+ },
+ "xField": "block_subtype",
+ "xTickLabelRotation": 0,
+ "xTickLabelSpacing": 0
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "round(sum by (block_subtype) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range])))",
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "A"
+ }
+ ],
+ "title": "Block Subtype",
+ "transformations": [
+ {
+ "id": "reduce",
+ "options": {
+ "labelsToFields": true,
+ "reducers": [
+ "sum"
+ ]
+ }
+ }
+ ],
+ "type": "barchart"
+ }
+ ],
+ "refresh": "",
+ "schemaVersion": 40,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "Datasource Prometheus",
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_LOKI",
+ "name": "DS_LOKI",
+ "options": [],
+ "query": "loki",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering on the gateway kind.",
+ "definition": "label_values(microgateway_build_info,gateway_kind)",
+ "includeAll": true,
+ "label": "Gateway Kind",
+ "name": "gateway_kind",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info,gateway_kind)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "allValue": ".+",
+ "current": {},
+ "description" : "Allows filtering on the managing operator instance.",
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_build_info,managed_by)",
+ "includeAll": true,
+ "label": "Operator",
+ "multi": true,
+ "name": "operator",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info,managed_by)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": ".*",
+ "type": "query"
+ },
+ {
+ "current": {},
+ "description" : "Allows filtering on the namespaces in which gateways are deployed.",
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_build_info{managed_by=~\"$operator\"},namespace)",
+ "includeAll": true,
+ "label": "Gateway Namespace",
+ "multi": true,
+ "name": "namespace",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info{managed_by=~\"$operator\"},namespace)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "sort": 5,
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering on specific gateway instance names within the selected namespaces.",
+ "definition": "label_values(microgateway_build_info{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"$gateway_kind\"},gateway)",
+ "includeAll": true,
+ "label": "Gateway Name",
+ "multi": true,
+ "name": "gateway_name",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"$gateway_kind\"},gateway)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering request metrics of the selected SidecarGateway instances on application container port. This filter is ignored for other gateway kinds.",
+ "definition": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"SidecarGateway\", gateway=~\"$gateway_name\"},upstream)",
+ "includeAll": true,
+ "label": "Sidecar Application Port",
+ "multi": true,
+ "name": "sidecar_application_port",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"SidecarGateway\", gateway=~\"$gateway_name\"},upstream)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering request metrics of the selected Gateway instances on the name of their matching HTTPRoute. This filter is ignored for other gateway kinds.",
+ "definition": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=\"Gateway\", gateway=~\"$gateway_name\"},upstream)",
+ "includeAll": true,
+ "label": "Gateway HTTPRoute",
+ "multi": true,
+ "name": "gateway_httproute",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=\"Gateway\", gateway=~\"$gateway_name\"},upstream)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "allValue": ".*",
+ "description" : "Allows filtering on the block type of blocked threats.",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)",
+ "includeAll": true,
+ "label": "Block Type",
+ "multi": true,
+ "name": "blockType",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "sort": 5,
+ "type": "query"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-24h",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "browser",
+ "title": "Airlock Microgateway Threats Block - Metrics",
+ "uid": "ddnqoczu7qvb4cdd3dd",
+ "version": 3,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-blockmetrics
+ namespace: syn-airlock-microgateway
+---
+apiVersion: v1
+data:
+ headerLogs.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_LOKI",
+ "label": "Loki",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "loki",
+ "pluginName": "Loki"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "11.4.0"
+ },
+ {
+ "type": "datasource",
+ "id": "loki",
+ "name": "Loki",
+ "version": "1.0.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "table",
+ "name": "Table",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "description": "Logs for header rewrites by Airlock Microgateway, retrieved from corresponding access logs.\n\nThe dashboard can be filtered by namespace. Column filters on the table allow for an even more granular filtering of the logs.",
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "datasource": {
+ "default": false,
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "custom": {
+ "align": "auto",
+ "cellOptions": {
+ "type": "auto"
+ },
+ "filterable": true,
+ "inspect": true
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Namespace"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 221
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Timestamp"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 214
+ },
+ {
+ "id": "unit",
+ "value": "time: YYYY-MM-DD HH:mm:ss.SSS"
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "HTTP Method"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 140
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Client IP"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 138
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request ID"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 328
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "HTTP Status"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 126
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request Size"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 126
+ },
+ {
+ "id": "unit",
+ "value": "bytes"
+ },
+ {
+ "id": "custom.align",
+ "value": "right"
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 27,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 2,
+ "options": {
+ "cellHeight": "sm",
+ "footer": {
+ "countRows": false,
+ "enablePagination": true,
+ "fields": "",
+ "reducer": [
+ "sum"
+ ],
+ "show": false
+ },
+ "showHeader": true,
+ "sortBy": []
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "editorMode": "code",
+ "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"header_rewrites\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", domain=\"url.domain\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", header_request_details=\"airlock.actions.header_rewrites.request\", response_status_code=\"http.response.status_code\", header_response_details=\"airlock.actions.header_rewrites.response\", log_type=\"event.dataset\" | log_type = `envoy.access`",
+ "hide": false,
+ "queryType": "range",
+ "refId": "Header Rewrites"
+ }
+ ],
+ "title": "Header Rewrite Logs",
+ "transformations": [
+ {
+ "id": "extractFields",
+ "options": {
+ "format": "json",
+ "source": "labels"
+ }
+ },
+ {
+ "id": "filterFieldsByName",
+ "options": {
+ "byVariable": false,
+ "include": {
+ "names": [
+ "Time",
+ "client_ip",
+ "domain",
+ "header_request_details",
+ "header_response_details",
+ "http_method",
+ "namespace",
+ "request_id",
+ "request_size",
+ "url",
+ "response_status_code"
+ ]
+ }
+ }
+ },
+ {
+ "id": "organize",
+ "options": {
+ "excludeByName": {
+ "Line": true,
+ "id": true,
+ "labelTypes": true,
+ "labels": true,
+ "tsNs": false
+ },
+ "includeByName": {},
+ "indexByName": {
+ "Time": 0,
+ "client_ip": 9,
+ "domain": 2,
+ "header_request_details": 7,
+ "header_response_details": 8,
+ "http_method": 3,
+ "namespace": 1,
+ "request_id": 10,
+ "request_size": 5,
+ "response_status_code": 6,
+ "url": 4
+ },
+ "renameByName": {
+ "Time": "Timestamp",
+ "client_ip": "Client IP",
+ "details": "Details",
+ "domain": "URL Domain",
+ "header_request_details": "Request Header Actions",
+ "header_response_details": "Response Header Actions",
+ "http_method": "HTTP Method",
+ "namespace": "Namespace",
+ "request_id": "Request ID",
+ "request_size": "Request Size",
+ "response_status_code": "HTTP Status",
+ "url": "URL Path"
+ }
+ }
+ }
+ ],
+ "type": "table"
+ }
+ ],
+ "schemaVersion": 40,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_LOKI",
+ "name": "DS_LOKI",
+ "options": [],
+ "query": "loki",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "allValue": ".*",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_license_http_rq_total,namespace)",
+ "includeAll": true,
+ "label": "Gateway Namespace",
+ "multi": true,
+ "name": "namespace",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_license_http_rq_total,namespace)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "sort": 5,
+ "type": "query"
+ },
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_PROMETHEUS",
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "browser",
+ "title": "Airlock Microgateway Header Rewrites - Logs",
+ "uid": "adnydadenyadcc",
+ "version": 1,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-headerlogs
+ namespace: syn-airlock-microgateway
+---
+apiVersion: v1
+data:
+ license.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "11.4.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "stat",
+ "name": "Stat",
+ "version": ""
+ },
+ {
+ "type": "panel",
+ "id": "table",
+ "name": "Table",
+ "version": ""
+ },
+ {
+ "type": "panel",
+ "id": "timeseries",
+ "name": "Time series",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "description": "Overview on Airlock Microgateway License attributes and usage.",
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Aggregated status of the Airlock Microgateway licenses selected in the dashboard filter.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "mappings": [
+ {
+ "options": {
+ "0": {
+ "color": "red",
+ "index": 1,
+ "text": "Invalid"
+ },
+ "1": {
+ "color": "green",
+ "index": 0,
+ "text": "Valid"
+ }
+ },
+ "type": "value"
+ }
+ ],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 3,
+ "x": 0,
+ "y": 0
+ },
+ "id": 1,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "area",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "min(microgateway_license_valid * on (service,instance) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})",
+ "instant": true,
+ "legendFormat": "License Status",
+ "range": false,
+ "refId": "Licenses"
+ }
+ ],
+ "title": "License Status",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Next upcoming expiry date over all Airlock Microgateway licenses selected in the dashboard filter.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "time: L"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 4,
+ "x": 3,
+ "y": 0
+ },
+ "id": 4,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "none",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "min(microgateway_license_expiry_timestamp_seconds * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})*1000",
+ "instant": true,
+ "legendFormat": "Expiry Date (MM/DD/YYYY)",
+ "range": false,
+ "refId": "A"
+ }
+ ],
+ "title": "License Expiry Date",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Sum of the number licensed requests over all Airlock Microgateway licenses selected in the dashboard filter.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 4,
+ "x": 7,
+ "y": 0
+ },
+ "id": 6,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "none",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "sum(topk(1, (microgateway_license_max_rq_count_per_month > 0) * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}) by (id))",
+ "instant": true,
+ "legendFormat": "Licensed Requests",
+ "range": false,
+ "refId": "A"
+ }
+ ],
+ "title": "Licensed Requests",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Estimated number of requests over 30 days, based on the request count over the last 7 days across all Microgateway instances using any of the licenses selected in the dashboard filter.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 5,
+ "x": 11,
+ "y": 0
+ },
+ "id": 2,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "none",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "(sum((label_replace(increase(microgateway_license_http_rq_total[7d]), \"namespace\", \"$1\", \"managed_by\", \"(.+)\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}))/7*30",
+ "instant": true,
+ "legendFormat": "Estimated Requests",
+ "range": false,
+ "refId": "A"
+ }
+ ],
+ "title": "Requests over 30 days (estimated)",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Estimated number of application health probe requests over 30 days, based on the expected probe count over the last 7 days across all pods with an Airlock Microgateway sidecar using any of the licenses selected in the dashboard filter.\n\nNote: This value is an approximation, not a precise measurement of the actual probe requests. If possible, we recommend serving health endpoints of applications protected by a Microgateway sidecar on a separate port, as the probe traffic can then be excluded via the 'sidecar.microgateway.airlock.com/excludeInboundPorts' annotation (see docs.airlock.com for more information), which prevents it from polluting Microgateway logs and metrics.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "thresholds"
+ },
+ "mappings": [
+ {
+ "options": {
+ "match": "null",
+ "result": {
+ "index": 0,
+ "text": "0"
+ }
+ },
+ "type": "special"
+ }
+ ],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ },
+ {
+ "color": "#EAB839",
+ "value": 1
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 5,
+ "x": 16,
+ "y": 0
+ },
+ "id": 9,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "none",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "(sum((label_replace(sum_over_time(microgateway_license_health_probe_approx_rq_per_hour[7d:1m])/60, \"namespace\", \"$1\", \"managed_by\", \"(.+)\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}))/7*30",
+ "instant": true,
+ "legendFormat": "Estimated Probes",
+ "range": false,
+ "refId": "A"
+ }
+ ],
+ "title": "Probes over 30 days (estimated)",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Number of requests per week processed by Airlock Microgateway.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "blue",
+ "mode": "fixed"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "auto",
+ "barAlignment": 0,
+ "barWidthFactor": 0.6,
+ "drawStyle": "line",
+ "fillOpacity": 0,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "insertNulls": false,
+ "lineInterpolation": "linear",
+ "lineWidth": 1,
+ "pointSize": 5,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "showPoints": "auto",
+ "spanNulls": false,
+ "stacking": {
+ "group": "A",
+ "mode": "none"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 13,
+ "w": 24,
+ "x": 0,
+ "y": 4
+ },
+ "id": 5,
+ "options": {
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": true
+ },
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "none"
+ }
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "sum((label_replace(avg_over_time(increase(microgateway_license_http_rq_total[7d])[2m:15s]), \"namespace\", \"$1\", \"managed_by\", \"(.+)\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})",
+ "hide": false,
+ "instant": false,
+ "legendFormat": "# Requests per week",
+ "range": true,
+ "refId": "C"
+ }
+ ],
+ "title": "Processed Requests per week",
+ "type": "timeseries"
+ },
+ {
+ "datasource": {
+ "default": false,
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Estimated number of requests over 30 days based on the last 7 days per operator namespace for the Airlock Microgateway licenses selected in the dashboard filter.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "custom": {
+ "align": "auto",
+ "cellOptions": {
+ "type": "auto"
+ },
+ "inspect": false
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ },
+ {
+ "color": "red",
+ "value": 80
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "License ID"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 330
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Requests"
+ },
+ "properties": [
+ {
+ "id": "unit",
+ "value": "short"
+ },
+ {
+ "id": "mappings",
+ "value": [
+ {
+ "options": {
+ "match": "null+nan",
+ "result": {
+ "index": 0,
+ "text": "0"
+ }
+ },
+ "type": "special"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Operator Namespace"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 307
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Probes"
+ },
+ "properties": [
+ {
+ "id": "unit",
+ "value": "short"
+ },
+ {
+ "id": "mappings",
+ "value": [
+ {
+ "options": {
+ "result": {
+ "index": 0,
+ "text": "0"
+ }
+ },
+ "type": "special"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 8,
+ "w": 11,
+ "x": 0,
+ "y": 17
+ },
+ "id": 7,
+ "options": {
+ "cellHeight": "sm",
+ "footer": {
+ "countRows": false,
+ "fields": "",
+ "reducer": [
+ "sum"
+ ],
+ "show": false
+ },
+ "frameIndex": 1,
+ "showHeader": true,
+ "sortBy": []
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "(sum by (namespace, id) ((label_replace(increase(microgateway_license_http_rq_total[7d]), \"namespace\", \"$1\", \"managed_by\", \"(.+)\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}))/7*30",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "Est. Usage over 30 days"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "(min by(namespace) (microgateway_build_info{container=\"manager\"})) * on (namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "Engine License"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "(sum by (namespace, id) ((label_replace((sum_over_time(microgateway_license_health_probe_approx_rq_per_hour[7d:1m])/60), \"namespace\", \"$1\", \"managed_by\", \"(.+)\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}))/7*30",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "Est. Probes over 30 days"
+ }
+ ],
+ "title": "Estimated usage over 30 days by Operator Namespace",
+ "transformations": [
+ {
+ "id": "merge",
+ "options": {}
+ },
+ {
+ "id": "organize",
+ "options": {
+ "excludeByName": {
+ "Time": true,
+ "Value #Engine License": true,
+ "Value #Licensed Req": false,
+ "container": true,
+ "endpoint": true,
+ "instance": true,
+ "job": true,
+ "namespace": false,
+ "pod": true,
+ "service": true,
+ "version": true
+ },
+ "includeByName": {},
+ "indexByName": {
+ "Time": 0,
+ "Value": 3,
+ "id": 2,
+ "namespace": 1
+ },
+ "renameByName": {
+ "Value #Est. Probes over 30 days": "Probes",
+ "Value #Est. Usage over 30 days": "Requests",
+ "Value #License Expiry Date": "Expiry Date",
+ "Value #License Type": "License Type",
+ "Value #Licensed Req": "Licensed Requests",
+ "Value #Validity": "Valid",
+ "id": "License ID",
+ "namespace": "Operator Namespace"
+ }
+ }
+ }
+ ],
+ "type": "table"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Metadata for the Airlock Microgateway licenses selected in the dashboard filter.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "custom": {
+ "align": "auto",
+ "cellOptions": {
+ "type": "auto"
+ },
+ "inspect": false
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ },
+ {
+ "color": "red",
+ "value": 80
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "License ID"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 321
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Valid"
+ },
+ "properties": [
+ {
+ "id": "mappings",
+ "value": [
+ {
+ "options": {
+ "0": {
+ "color": "red",
+ "index": 1,
+ "text": "Invalid"
+ },
+ "1": {
+ "color": "green",
+ "index": 0,
+ "text": "Valid"
+ }
+ },
+ "type": "value"
+ },
+ {
+ "options": {
+ "match": "null+nan",
+ "result": {
+ "color": "red",
+ "index": 2,
+ "text": "Invalid"
+ }
+ },
+ "type": "special"
+ }
+ ]
+ },
+ {
+ "id": "custom.width",
+ "value": 65
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "License Type"
+ },
+ "properties": [
+ {
+ "id": "mappings",
+ "value": [
+ {
+ "options": {
+ "0": {
+ "index": 1,
+ "text": "Community"
+ },
+ "1": {
+ "index": 0,
+ "text": "Premium"
+ }
+ },
+ "type": "value"
+ },
+ {
+ "options": {
+ "match": "null+nan",
+ "result": {
+ "index": 2,
+ "text": "n/a"
+ }
+ },
+ "type": "special"
+ }
+ ]
+ },
+ {
+ "id": "custom.width",
+ "value": 109
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Expiry Date"
+ },
+ "properties": [
+ {
+ "id": "unit",
+ "value": "time:L"
+ },
+ {
+ "id": "custom.width",
+ "value": 130
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Requests over 30 days (estimated)"
+ },
+ "properties": [
+ {
+ "id": "unit",
+ "value": "short"
+ },
+ {
+ "id": "mappings",
+ "value": [
+ {
+ "options": {
+ "match": "null+nan",
+ "result": {
+ "index": 0,
+ "text": "0"
+ }
+ },
+ "type": "special"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Licensed Requests"
+ },
+ "properties": [
+ {
+ "id": "unit",
+ "value": "short"
+ },
+ {
+ "id": "custom.width",
+ "value": 120
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Probes over 30 days (estimated)"
+ },
+ "properties": [
+ {
+ "id": "unit",
+ "value": "short"
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 8,
+ "w": 13,
+ "x": 11,
+ "y": 17
+ },
+ "id": 8,
+ "options": {
+ "cellHeight": "sm",
+ "footer": {
+ "countRows": false,
+ "fields": "",
+ "reducer": [
+ "sum"
+ ],
+ "show": false
+ },
+ "frameIndex": 1,
+ "showHeader": true,
+ "sortBy": [
+ {
+ "desc": false,
+ "displayName": "Expiry Date"
+ }
+ ]
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "min by (id) (microgateway_license_valid * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})",
+ "format": "table",
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "Validity"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "topk(1,microgateway_license_max_rq_count_per_month * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})by (id)",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "Licensed Req"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "min by (id) (microgateway_license_is_premium * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "License Type"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "min by (id) (microgateway_license_expiry_timestamp_seconds * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})*1000",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "License Expiry Date"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "(sum by (id) ((label_replace(increase(microgateway_license_http_rq_total[7d]), \"namespace\", \"$1\", \"managed_by\", \"(.+)\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}))/7*30",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "Est. Usage over 30 days"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "(sum by (id) ((label_replace(sum_over_time(microgateway_license_health_probe_approx_rq_per_hour[7d:1m])/60, \"namespace\", \"$1\", \"managed_by\", \"(.+)\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}))/7*30",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "Est. Probes over 30 days"
+ }
+ ],
+ "title": "License Overview",
+ "transformations": [
+ {
+ "id": "merge",
+ "options": {}
+ },
+ {
+ "id": "organize",
+ "options": {
+ "excludeByName": {
+ "Time": true,
+ "Value #Licensed Req": false,
+ "container": true,
+ "endpoint": true,
+ "instance": true,
+ "job": true,
+ "namespace": true,
+ "pod": true,
+ "service": true
+ },
+ "includeByName": {},
+ "indexByName": {},
+ "renameByName": {
+ "Value #Est. Probes over 30 days": "Probes over 30 days (estimated)",
+ "Value #Est. Usage over 30 days": "Requests over 30 days (estimated)",
+ "Value #License Expiry Date": "Expiry Date",
+ "Value #License Type": "License Type",
+ "Value #Licensed Req": "Licensed Requests",
+ "Value #Validity": "Valid",
+ "id": "License ID",
+ "namespace": "Operator Namespace"
+ }
+ }
+ },
+ {
+ "id": "filterByValue",
+ "options": {
+ "filters": [
+ {
+ "config": {
+ "id": "equal",
+ "options": {
+ "value": ""
+ }
+ },
+ "fieldName": "License ID"
+ }
+ ],
+ "match": "any",
+ "type": "exclude"
+ }
+ }
+ ],
+ "type": "table"
+ }
+ ],
+ "refresh": "",
+ "schemaVersion": 40,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_PROMETHEUS",
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "allValue": ".*",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_license_info,id)",
+ "description": "",
+ "includeAll": true,
+ "label": "License ID",
+ "multi": true,
+ "name": "license_id",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_license_info,id)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "type": "query"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-7d",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "browser",
+ "title": "Airlock Microgateway License",
+ "uid": "cdpq79bzrr01se",
+ "version": 2,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-license
+ namespace: syn-airlock-microgateway
+---
+apiVersion: v1
+data:
+ logOnlyLogs.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_LOKI",
+ "label": "Loki",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "loki",
+ "pluginName": "Loki"
+ },
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "10.2.0"
+ },
+ {
+ "type": "datasource",
+ "id": "loki",
+ "name": "Loki",
+ "version": "1.0.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "table",
+ "name": "Table",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "description": "Log entries of threats logged in log-only mode by Airlock Microgateway.\n\nThe dashboard can be filtered by namespace. Column filters on the table allow for an even more granular filtering of the logs.",
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "datasource": {
+ "default": false,
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "custom": {
+ "align": "auto",
+ "cellOptions": {
+ "type": "auto"
+ },
+ "filterable": true,
+ "inspect": true
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Namespace"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 328
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Timestamp"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 176
+ },
+ {
+ "id": "unit",
+ "value": "time: YYYY-MM-DD HH:mm:ss.SSS"
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "HTTP Method"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 132
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Client IP"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 137
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request ID"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 328
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request Size"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 126
+ },
+ {
+ "id": "unit",
+ "value": "bytes"
+ },
+ {
+ "id": "custom.align",
+ "value": "right"
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 27,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 2,
+ "options": {
+ "cellHeight": "sm",
+ "footer": {
+ "countRows": false,
+ "enablePagination": true,
+ "fields": "",
+ "reducer": [
+ "sum"
+ ],
+ "show": false
+ },
+ "showHeader": true,
+ "sortBy": []
+ },
+ "pluginVersion": "10.2.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "editorMode": "code",
+ "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= `log_only` |= `envoy.access` | json http_method=\"http.request.method\", url=\"url.path\", domain=\"url.domain\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.actions.log_only\", log_type=\"event.dataset\" | label_format log_count=`{{ len (fromJson .details) }}` | log_type = `envoy.access` | log_count > 0",
+ "hide": false,
+ "queryType": "range",
+ "refId": "Log Only Logs"
+ }
+ ],
+ "title": "Threats Logs Log-Only",
+ "transformations": [
+ {
+ "id": "extractFields",
+ "options": {
+ "format": "json",
+ "source": "labels"
+ }
+ },
+ {
+ "id": "filterFieldsByName",
+ "options": {
+ "byVariable": false,
+ "include": {
+ "names": [
+ "Time",
+ "client_ip",
+ "details",
+ "domain",
+ "http_method",
+ "namespace",
+ "request_id",
+ "request_size",
+ "url"
+ ]
+ }
+ }
+ },
+ {
+ "id": "organize",
+ "options": {
+ "excludeByName": {
+ "Line": true,
+ "id": true,
+ "labelTypes": true,
+ "labels": true,
+ "tsNs": false
+ },
+ "includeByName": {},
+ "indexByName": {
+ "Time": 0,
+ "client_ip": 8,
+ "details": 7,
+ "domain": 2,
+ "http_method": 4,
+ "namespace": 1,
+ "request_id": 9,
+ "request_size": 6,
+ "url": 5
+ },
+ "renameByName": {
+ "Time": "Timestamp",
+ "client_ip": "Client IP",
+ "details": "Details",
+ "domain": "URL Domain",
+ "http_method": "HTTP Method",
+ "namespace": "Namespace",
+ "request_id": "Request ID",
+ "request_size": "Request Size",
+ "url": "URL Path"
+ }
+ }
+ }
+ ],
+ "type": "table"
+ }
+ ],
+ "schemaVersion": 39,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_LOKI",
+ "multi": false,
+ "name": "DS_LOKI",
+ "options": [],
+ "query": "loki",
+ "refresh": 1,
+ "regex": "",
+ "skipUrlSync": false,
+ "type": "datasource"
+ },
+ {
+ "allValue": ".*",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_license_http_rq_total,namespace)",
+ "hide": 0,
+ "includeAll": true,
+ "label": "Gateway Namespace",
+ "multi": true,
+ "name": "namespace",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_license_http_rq_total,namespace)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "skipUrlSync": false,
+ "sort": 5,
+ "type": "query"
+ },
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_PROMETHEUS",
+ "multi": false,
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "skipUrlSync": false,
+ "type": "datasource"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "browser",
+ "title": "Airlock Microgateway Threats LogOnly - Logs",
+ "uid": "adnasdfdwnyadcc",
+ "version": 7,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-logonlylogs
+ namespace: syn-airlock-microgateway
+---
+apiVersion: v1
+data:
+ logOnlyMetrics.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "panel",
+ "id": "barchart",
+ "name": "Bar chart",
+ "version": ""
+ },
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "11.4.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "stat",
+ "name": "Stat",
+ "version": ""
+ },
+ {
+ "type": "panel",
+ "id": "timeseries",
+ "name": "Time series",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "description": "Metrics on threats logged by Airlock Microgateway in threat handling mode LogOnly.\n\nDashboard can be filtered by namespaces as well as block types.",
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "collapsed": false,
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 6,
+ "panels": [],
+ "title": "Airlock Microgateway Threats LogOnly - Metrics",
+ "type": "row"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Number of threats logged by Airlock Microgateway in threat handling mode LogOnly.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 4,
+ "x": 0,
+ "y": 1
+ },
+ "id": 2,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "area",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "last"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "disableTextWrap": false,
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "round(sum(increase(microgateway_http_downstream_rq_threats_logged_total{block_type=~\"${blockType:regex}\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range])))",
+ "fullMetaSearch": false,
+ "includeNullMetadata": true,
+ "instant": true,
+ "legendFormat": "Logged threats in LogOnly mode",
+ "range": false,
+ "refId": "A",
+ "useBackend": false
+ }
+ ],
+ "title": "Threats - LogOnly",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Number of threats per second handled in LogOnly mode.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "orange",
+ "mode": "fixed"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "left",
+ "barAlignment": 0,
+ "barWidthFactor": 0.6,
+ "drawStyle": "line",
+ "fillOpacity": 25,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "insertNulls": false,
+ "lineInterpolation": "linear",
+ "lineWidth": 1,
+ "pointSize": 5,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "showPoints": "auto",
+ "spanNulls": false,
+ "stacking": {
+ "group": "A",
+ "mode": "none"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "blue",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 10,
+ "w": 20,
+ "x": 0,
+ "y": 5
+ },
+ "id": 3,
+ "options": {
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": true
+ },
+ "timezone": [
+ ""
+ ],
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "none"
+ }
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "sum(rate(microgateway_http_downstream_rq_threats_logged_total{block_type=~\"${blockType:regex}\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\",gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]))",
+ "instant": false,
+ "legendFormat": "Number of threats per second",
+ "range": true,
+ "refId": "LogOnly Events"
+ }
+ ],
+ "title": "Threats - LogOnly",
+ "type": "timeseries"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Number of threats in LogOnly mode by block type.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "super-light-orange",
+ "mode": "fixed"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisGridShow": true,
+ "axisLabel": "",
+ "axisPlacement": "auto",
+ "fillOpacity": 80,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "lineWidth": 0,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "fieldMinMax": false,
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 11,
+ "w": 10,
+ "x": 0,
+ "y": 15
+ },
+ "id": 4,
+ "options": {
+ "barRadius": 0,
+ "barWidth": 0.8,
+ "fullHighlight": false,
+ "groupWidth": 0.7,
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": false
+ },
+ "orientation": "horizontal",
+ "showValue": "never",
+ "stacking": "none",
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "asc"
+ },
+ "xField": "block_type",
+ "xTickLabelRotation": 0,
+ "xTickLabelSpacing": 0
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "round(sum by (block_type) (increase(microgateway_http_downstream_rq_threats_logged_total{block_type=~\"${blockType:regex}\",managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\",gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range])))",
+ "format": "time_series",
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "A"
+ }
+ ],
+ "title": "Block Type",
+ "transformations": [
+ {
+ "id": "reduce",
+ "options": {
+ "includeTimeField": false,
+ "labelsToFields": true,
+ "mode": "seriesToRows",
+ "reducers": [
+ "sum"
+ ]
+ }
+ }
+ ],
+ "type": "barchart"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Number of threats in LogOnly mode by block subtype, which are subsets of the various block types.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "light-orange",
+ "mode": "fixed"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "auto",
+ "fillOpacity": 80,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "lineWidth": 1,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 11,
+ "w": 10,
+ "x": 10,
+ "y": 15
+ },
+ "id": 5,
+ "options": {
+ "barRadius": 0,
+ "barWidth": 0.8,
+ "fullHighlight": false,
+ "groupWidth": 0.7,
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": false
+ },
+ "orientation": "horizontal",
+ "showValue": "never",
+ "stacking": "none",
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "none"
+ },
+ "xField": "block_subtype",
+ "xTickLabelRotation": 0,
+ "xTickLabelSpacing": 0
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "round(sum by (block_subtype) (increase(microgateway_http_downstream_rq_threats_logged_total{block_type=~\"${blockType:regex}\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\",gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range])))",
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "A"
+ }
+ ],
+ "title": "Block Subtype",
+ "transformations": [
+ {
+ "id": "reduce",
+ "options": {
+ "labelsToFields": true,
+ "reducers": [
+ "sum"
+ ]
+ }
+ }
+ ],
+ "type": "barchart"
+ }
+ ],
+ "refresh": "",
+ "schemaVersion": 40,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "Datasource Prometheus",
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_LOKI",
+ "name": "DS_LOKI",
+ "options": [],
+ "query": "loki",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering on the gateway kind.",
+ "definition": "label_values(microgateway_build_info,gateway_kind)",
+ "includeAll": true,
+ "label": "Gateway Kind",
+ "name": "gateway_kind",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info,gateway_kind)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "allValue": ".+",
+ "current": {},
+ "description" : "Allows filtering on the managing operator instance.",
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_build_info,managed_by)",
+ "includeAll": true,
+ "label": "Operator",
+ "multi": true,
+ "name": "operator",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info,managed_by)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": ".*",
+ "type": "query"
+ },
+ {
+ "current": {},
+ "description" : "Allows filtering on the namespaces in which gateways are deployed.",
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_build_info{managed_by=~\"$operator\"},namespace)",
+ "includeAll": true,
+ "label": "Gateway Namespace",
+ "multi": true,
+ "name": "namespace",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info{managed_by=~\"$operator\"},namespace)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "sort": 5,
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering on specific gateway instance names within the selected namespaces.",
+ "definition": "label_values(microgateway_build_info{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"$gateway_kind\"},gateway)",
+ "includeAll": true,
+ "label": "Gateway Name",
+ "multi": true,
+ "name": "gateway_name",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"$gateway_kind\"},gateway)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering request metrics of the selected SidecarGateway instances on application container port. This filter is ignored for other gateway kinds.",
+ "definition": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"SidecarGateway\", gateway=~\"$gateway_name\"},upstream)",
+ "includeAll": true,
+ "label": "Sidecar Application Port",
+ "multi": true,
+ "name": "sidecar_application_port",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"SidecarGateway\", gateway=~\"$gateway_name\"},upstream)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering request metrics of the selected Gateway instances on the name of their matching HTTPRoute. This filter is ignored for other gateway kinds.",
+ "definition": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=\"Gateway\", gateway=~\"$gateway_name\"},upstream)",
+ "includeAll": true,
+ "label": "Gateway HTTPRoute",
+ "multi": true,
+ "name": "gateway_httproute",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=\"Gateway\", gateway=~\"$gateway_name\"},upstream)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "allValue": ".*",
+ "description" : "Allows filtering on the block type of logged threats.",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_http_downstream_rq_threats_logged_total,block_type)",
+ "includeAll": true,
+ "label": "Block Type",
+ "multi": true,
+ "name": "blockType",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_http_downstream_rq_threats_logged_total,block_type)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "sort": 5,
+ "type": "query"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-24h",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "browser",
+ "title": "Airlock Microgateway Threats LogOnly - Metrics",
+ "uid": "ddnqoczu7qv2mfmsd3dd",
+ "version": 1,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-logonlymetrics
+ namespace: syn-airlock-microgateway
+---
+apiVersion: v1
+data:
+ overview.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "11.4.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "stat",
+ "name": "Stat",
+ "version": ""
+ },
+ {
+ "type": "panel",
+ "id": "table",
+ "name": "Table",
+ "version": ""
+ },
+ {
+ "type": "panel",
+ "id": "timeseries",
+ "name": "Time series",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "collapsed": false,
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 3,
+ "panels": [],
+ "title": "Overview",
+ "type": "row"
+ },
+ {
+ "datasource": {
+ "default": false,
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Aggregated status of Airlock Microgateway resources.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "fieldMinMax": false,
+ "mappings": [
+ {
+ "options": {
+ "0": {
+ "color": "orange",
+ "index": 1,
+ "text": "Warn"
+ },
+ "1": {
+ "color": "green",
+ "index": 0,
+ "text": "OK"
+ }
+ },
+ "type": "value"
+ }
+ ],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "string"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 3,
+ "x": 0,
+ "y": 1
+ },
+ "id": 12,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "area",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "firstNotNull"
+ ],
+ "fields": "",
+ "values": true
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "disableTextWrap": false,
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "min(microgateway_config_resource_condition{namespace=~\"${operator.regex}\", exported_namespace=~\"${namespace.regex}\", kind=~\"${gateway_kind:regex}\", name=~\"${gateway_name:regex}\"})",
+ "format": "table",
+ "fullMetaSearch": false,
+ "includeNullMetadata": true,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "Errors",
+ "useBackend": false
+ }
+ ],
+ "title": "System Status",
+ "transformations": [
+ {
+ "id": "organize",
+ "options": {
+ "excludeByName": {},
+ "includeByName": {},
+ "indexByName": {},
+ "renameByName": {
+ "Value": "System Status"
+ }
+ }
+ }
+ ],
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Total number of requests processed by Airlock Microgateway.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 3,
+ "x": 3,
+ "y": 1
+ },
+ "id": 4,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "none",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "last"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "disableTextWrap": false,
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "round(sum(increase(envoy_cluster_upstream_rq{managed_by=~\"${operator:regex}\",namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]))+\nsum(increase(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]) or on() vector(0)))",
+ "format": "time_series",
+ "fullMetaSearch": false,
+ "hide": false,
+ "includeNullMetadata": true,
+ "instant": true,
+ "legendFormat": "Processed Requests",
+ "range": false,
+ "refId": "Requests",
+ "useBackend": false
+ }
+ ],
+ "title": "Requests",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Ratio of blocked requests vs. processed requests by Airlock Microgateway.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "mappings": [
+ {
+ "options": {
+ "match": "nan",
+ "result": {
+ "index": 0,
+ "text": "n/a"
+ }
+ },
+ "type": "special"
+ }
+ ],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "percentunit"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 3,
+ "x": 6,
+ "y": 1
+ },
+ "id": 5,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "area",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "last"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "disableTextWrap": false,
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "sum(increase(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\",gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]) or on() vector(0))\n/ \n(\nsum(increase(envoy_cluster_upstream_rq{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]))\n+\nsum(increase(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]) or on() vector(0))\n)",
+ "fullMetaSearch": false,
+ "includeNullMetadata": true,
+ "instant": true,
+ "legendFormat": "Blocked Requests (%)",
+ "range": false,
+ "refId": "A",
+ "useBackend": false
+ }
+ ],
+ "title": "% Blocked Requests",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "License status of Airlock Microgateway.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "mappings": [
+ {
+ "options": {
+ "0": {
+ "color": "red",
+ "index": 1,
+ "text": "Invalid"
+ },
+ "1": {
+ "color": "green",
+ "index": 0,
+ "text": "Valid"
+ }
+ },
+ "type": "value"
+ }
+ ],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 3,
+ "x": 9,
+ "y": 1
+ },
+ "id": 10,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "area",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "min(microgateway_license_valid{namespace=~\"${operator.regex}\"})",
+ "instant": true,
+ "legendFormat": "License Status",
+ "range": false,
+ "refId": "Licenses"
+ }
+ ],
+ "title": "License",
+ "type": "stat"
+ },
+ {
+ "collapsed": false,
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 5
+ },
+ "id": 2,
+ "panels": [],
+ "title": "Blocks",
+ "type": "row"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Requests per second processed by Airlock Microgateway along with the corresponding block rate.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "blue",
+ "mode": "fixed"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "left",
+ "barAlignment": 0,
+ "barWidthFactor": 0.6,
+ "drawStyle": "line",
+ "fillOpacity": 0,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "insertNulls": false,
+ "lineInterpolation": "linear",
+ "lineWidth": 1,
+ "pointSize": 5,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "showPoints": "auto",
+ "spanNulls": false,
+ "stacking": {
+ "group": "A",
+ "mode": "none"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "blue",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "% Blocks"
+ },
+ "properties": [
+ {
+ "id": "custom.axisPlacement",
+ "value": "right"
+ },
+ {
+ "id": "unit",
+ "value": "percentunit"
+ },
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "orange",
+ "mode": "fixed"
+ }
+ },
+ {
+ "id": "max",
+ "value": 1
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Requests per second"
+ },
+ "properties": [
+ {
+ "id": "unit",
+ "value": "short"
+ },
+ {
+ "id": "custom.fillOpacity",
+ "value": 25
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 10,
+ "w": 12,
+ "x": 0,
+ "y": 6
+ },
+ "id": 6,
+ "options": {
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": true
+ },
+ "timezone": [
+ ""
+ ],
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "none"
+ }
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "sum(rate(envoy_cluster_upstream_rq{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]))\n+\nsum(rate(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]) or on() vector(0))",
+ "instant": false,
+ "legendFormat": "Requests per second",
+ "range": true,
+ "refId": "Requests per Second"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "sum(rate(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]) or on() vector(0))\n/\n(\nsum(rate(envoy_cluster_upstream_rq{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]))\n+\nsum(rate(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]) or on() vector(0))\n)",
+ "hide": false,
+ "instant": false,
+ "legendFormat": "% Blocks",
+ "range": true,
+ "refId": "Blocks"
+ }
+ ],
+ "title": "Requests vs. % Blocks",
+ "type": "timeseries"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Threats blocked by Airlock Microgateway categorized by their corresponding block type.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "custom": {
+ "align": "auto",
+ "cellOptions": {
+ "barAlignment": 0,
+ "drawStyle": "line",
+ "gradientMode": "none",
+ "hideValue": false,
+ "lineInterpolation": "linear",
+ "lineStyle": {
+ "dash": [
+ 10,
+ 10
+ ],
+ "fill": "solid"
+ },
+ "showPoints": "never",
+ "spanNulls": false,
+ "type": "sparkline"
+ },
+ "inspect": false
+ },
+ "displayName": "Block Type",
+ "fieldMinMax": false,
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "block_type"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 153
+ },
+ {
+ "id": "custom.cellOptions",
+ "value": {
+ "type": "auto"
+ }
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Trend #Block Types"
+ },
+ "properties": [
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "orange",
+ "mode": "fixed"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 10,
+ "w": 12,
+ "x": 12,
+ "y": 6
+ },
+ "id": 7,
+ "options": {
+ "cellHeight": "lg",
+ "footer": {
+ "countRows": false,
+ "enablePagination": false,
+ "fields": [
+ "Value"
+ ],
+ "reducer": [
+ "sum"
+ ],
+ "show": false
+ },
+ "frameIndex": 0,
+ "showHeader": false,
+ "sortBy": [
+ {
+ "desc": true,
+ "displayName": "block_type"
+ }
+ ]
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "sum by (block_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m] offset -1m))/(60000/$__interval_ms)",
+ "format": "time_series",
+ "hide": false,
+ "instant": false,
+ "legendFormat": "__auto",
+ "range": true,
+ "refId": "Block Types"
+ }
+ ],
+ "title": "Blocked Threats by Block Type",
+ "transformations": [
+ {
+ "id": "timeSeriesTable",
+ "options": {
+ "Block Types": {
+ "stat": "sum",
+ "timeField": "Time"
+ }
+ }
+ }
+ ],
+ "type": "table"
+ },
+ {
+ "collapsed": false,
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 16
+ },
+ "id": 1,
+ "panels": [],
+ "title": "Latency",
+ "type": "row"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Percentiles of the application downstream latency over one minute.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "palette-classic"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "auto",
+ "barAlignment": 0,
+ "barWidthFactor": 0.6,
+ "drawStyle": "line",
+ "fillOpacity": 0,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "insertNulls": false,
+ "lineInterpolation": "linear",
+ "lineWidth": 1,
+ "pointSize": 5,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "showPoints": "auto",
+ "spanNulls": false,
+ "stacking": {
+ "group": "A",
+ "mode": "none"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "ms"
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "25th Percentile"
+ },
+ "properties": [
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "super-light-purple",
+ "mode": "fixed"
+ }
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "50th Percentile"
+ },
+ "properties": [
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "purple",
+ "mode": "fixed"
+ }
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "95th Percentile"
+ },
+ "properties": [
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "dark-purple",
+ "mode": "fixed"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 9,
+ "w": 12,
+ "x": 0,
+ "y": 17
+ },
+ "id": 8,
+ "options": {
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": true
+ },
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "none"
+ }
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "histogram_quantile(0.25, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\"}[1m])) by (le))",
+ "instant": false,
+ "legendFormat": "25th Percentile",
+ "range": true,
+ "refId": "25th Percentile"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "histogram_quantile(0.5, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\"}[1m])) by (le))",
+ "hide": false,
+ "instant": false,
+ "legendFormat": "50th Percentile",
+ "range": true,
+ "refId": "50th Percentile"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "histogram_quantile(0.95, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\",gateway=~\"${gateway_name:regex}\"}[1m])) by (le))",
+ "hide": false,
+ "instant": false,
+ "legendFormat": "95th Percentile",
+ "range": true,
+ "refId": "95th Percentile"
+ }
+ ],
+ "title": "Application Downstream Latency",
+ "type": "timeseries"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Percentiles of the Airlock Microgateway processing time over one minute.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "palette-classic"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "auto",
+ "barAlignment": 0,
+ "barWidthFactor": 0.6,
+ "drawStyle": "line",
+ "fillOpacity": 0,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "insertNulls": false,
+ "lineInterpolation": "linear",
+ "lineWidth": 1,
+ "pointSize": 5,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "showPoints": "auto",
+ "spanNulls": false,
+ "stacking": {
+ "group": "A",
+ "mode": "none"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "ms"
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "25th Percentile"
+ },
+ "properties": [
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "super-light-purple",
+ "mode": "fixed"
+ }
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "50th Percentile"
+ },
+ "properties": [
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "purple",
+ "mode": "fixed"
+ }
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "95th Percentile"
+ },
+ "properties": [
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "dark-purple",
+ "mode": "fixed"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 9,
+ "w": 12,
+ "x": 12,
+ "y": 17
+ },
+ "id": 9,
+ "options": {
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": true
+ },
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "none"
+ }
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "histogram_quantile(0.25, sum(rate(microgateway_rq_processing_time_ms_bucket{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m])) by (le))",
+ "instant": false,
+ "legendFormat": "25th Percentile",
+ "range": true,
+ "refId": "0.25 Percentile"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "histogram_quantile(0.5, sum(rate(microgateway_rq_processing_time_ms_bucket{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m])) by (le))",
+ "hide": false,
+ "instant": false,
+ "legendFormat": "50th Percentile",
+ "range": true,
+ "refId": "0.5 Percentile"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "histogram_quantile(0.95, sum(rate(microgateway_rq_processing_time_ms_bucket{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m])) by (le))",
+ "hide": false,
+ "instant": false,
+ "legendFormat": "95th Percentile",
+ "range": true,
+ "refId": "0.95 Percentile"
+ }
+ ],
+ "title": "Airlock Microgateway Processing Time",
+ "type": "timeseries"
+ }
+ ],
+ "refresh": "",
+ "schemaVersion": 40,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_PROMETHEUS",
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_build_info,gateway_kind)",
+ "description": "Allows filtering on the gateway kind.",
+ "includeAll": true,
+ "label": "Gateway Kind",
+ "name": "gateway_kind",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info,gateway_kind)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "allValue": ".+",
+ "description" : "Allows filtering on the managing operator instance.",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_build_info,managed_by)",
+ "includeAll": true,
+ "label": "Microgateway Operator",
+ "multi": true,
+ "name": "operator",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info,managed_by)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": ".*",
+ "type": "query"
+ },
+ {
+ "allValue": ".+",
+ "current": {},
+ "description" : "Allows filtering on the namespaces in which gateways are deployed.",
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_build_info{managed_by=~\"$operator\"},namespace)",
+ "includeAll": true,
+ "label": "Gateway Namespace",
+ "multi": true,
+ "name": "namespace",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info{managed_by=~\"$operator\"},namespace)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering on specific gateway instance names within the selected namespaces.",
+ "definition": "label_values(microgateway_build_info{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"$gateway_kind\"},gateway)",
+ "includeAll": true,
+ "label": "Gateway Name",
+ "multi": true,
+ "name": "gateway_name",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"$gateway_kind\"},gateway)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "sort": 1,
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering request metrics of the selected SidecarGateway instances on application container port. This filter is ignored for other gateway kinds.",
+ "definition": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"SidecarGateway\", gateway=~\"$gateway_name\"},upstream)",
+ "includeAll": true,
+ "label": "Sidecar Application Port",
+ "multi": true,
+ "name": "sidecar_application_port",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"SidecarGateway\", gateway=~\"$gateway_name\"},upstream)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering request metrics of the selected Gateway instances on the name of their matching HTTPRoute. This filter is ignored for other gateway kinds.",
+ "definition": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"Gateway\", gateway=~\"$gateway_name\"},upstream)",
+ "includeAll": true,
+ "label": "Gateway HTTPRoute",
+ "multi": true,
+ "name": "gateway_httproute",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"Gateway\", gateway=~\"$gateway_name\"},upstream)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-24h",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "browser",
+ "title": "Airlock Microgateway Overview",
+ "uid": "fdp5jb8fnrmyoa",
+ "version": 1,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-overview
+ namespace: syn-airlock-microgateway
+---
+apiVersion: v1
+data:
+ requestLogs.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_LOKI",
+ "label": "Loki",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "loki",
+ "pluginName": "Loki"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "11.4.0"
+ },
+ {
+ "type": "datasource",
+ "id": "loki",
+ "name": "Loki",
+ "version": "1.0.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "table",
+ "name": "Table",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "datasource": {
+ "default": false,
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "description": "Request logs by Airlock Microgateway.\n\nThe dashboard can be filtered by namespace. Column filters on the table allow for an even more granular filtering of the logs.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "custom": {
+ "align": "auto",
+ "cellOptions": {
+ "type": "auto"
+ },
+ "filterable": true,
+ "inspect": true
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Namespace"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 221
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Timestamp"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 214
+ },
+ {
+ "id": "unit",
+ "value": "time: YYYY-MM-DD HH:mm:ss.SSS"
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "HTTP Method"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 140
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Client IP"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 138
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request ID"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 328
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request Size"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 126
+ },
+ {
+ "id": "unit",
+ "value": "bytes"
+ },
+ {
+ "id": "custom.align",
+ "value": "right"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "URL Path"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 373
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "HTTP Status"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 127
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Airlock Action"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 139
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Response Size"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 148
+ },
+ {
+ "id": "unit",
+ "value": "bytes"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "URL Domain"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 272
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 27,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 2,
+ "options": {
+ "cellHeight": "sm",
+ "footer": {
+ "countRows": false,
+ "enablePagination": true,
+ "fields": "",
+ "reducer": [
+ "sum"
+ ],
+ "show": false
+ },
+ "showHeader": true,
+ "sortBy": []
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "editorMode": "code",
+ "expr": "{container=\"airlock-microgateway-engine\"} |= \"envoy.access\" | json http_method=\"http.request.method\", url=\"url.path\", domain=\"url.domain\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", response_status=\"http.response.status_code\", response_size=\"http.response.bytes\", action=\"airlock.summary.action\", log_type=\"event.dataset\" | log_type = `envoy.access`",
+ "hide": false,
+ "queryType": "range",
+ "refId": "Request Logs"
+ }
+ ],
+ "title": "Request Logs",
+ "transformations": [
+ {
+ "id": "extractFields",
+ "options": {
+ "format": "json",
+ "source": "labels"
+ }
+ },
+ {
+ "id": "filterFieldsByName",
+ "options": {
+ "byVariable": false,
+ "include": {
+ "names": [
+ "Time",
+ "Line",
+ "client_ip",
+ "domain",
+ "http_method",
+ "namespace",
+ "request_id",
+ "request_size",
+ "response_size",
+ "response_status",
+ "url",
+ "action"
+ ]
+ }
+ }
+ },
+ {
+ "id": "organize",
+ "options": {
+ "excludeByName": {
+ "Line": false,
+ "id": true,
+ "labelTypes": true,
+ "labels": true,
+ "tsNs": false
+ },
+ "includeByName": {},
+ "indexByName": {
+ "Line": 9,
+ "Time": 0,
+ "action": 8,
+ "client_ip": 10,
+ "domain": 2,
+ "http_method": 3,
+ "namespace": 1,
+ "request_id": 11,
+ "request_size": 6,
+ "response_size": 7,
+ "response_status": 5,
+ "url": 4
+ },
+ "renameByName": {
+ "Line": "Details",
+ "Time": "Timestamp",
+ "action": "Airlock Action",
+ "client_ip": "Client IP",
+ "domain": "URL Domain",
+ "http_method": "HTTP Method",
+ "namespace": "Namespace",
+ "request_id": "Request ID",
+ "request_size": "Request Size",
+ "response_size": "Response Size",
+ "response_status": "HTTP Status",
+ "url": "URL Path"
+ }
+ }
+ }
+ ],
+ "type": "table"
+ }
+ ],
+ "schemaVersion": 40,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_LOKI",
+ "name": "DS_LOKI",
+ "options": [],
+ "query": "loki",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "allValue": ".*",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_license_http_rq_total,namespace)",
+ "includeAll": true,
+ "label": "Gateway Namespace",
+ "multi": true,
+ "name": "namespace",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_license_http_rq_total,namespace)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "sort": 5,
+ "type": "query"
+ },
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_PROMETHEUS",
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "browser",
+ "title": "Airlock Microgateway Requests - Logs",
+ "uid": "ee99ioci6gydcb",
+ "version": 1,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-requestlogs
+ namespace: syn-airlock-microgateway
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/deployment.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/deployment.yaml
new file mode 100644
index 0000000..f5a0fbf
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/deployment.yaml
@@ -0,0 +1,141 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator
+ namespace: syn-airlock-microgateway
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/name: microgateway-operator
+ strategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ checksum/config: a736ed8f573b40093b83b2ea1ad793dd11e73f27bbce66df35847fca5d798ffe
+ kubectl.kubernetes.io/default-container: manager
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ spec:
+ containers:
+ - args:
+ - --config=/app/config/operator_config.yaml
+ env:
+ - name: ENGINE_IMAGE
+ value: quay.io/airlock/microgateway-engine@sha256:a9d92f42adbc10a96ab9a029d0c7f51658418946a657ca06f2301c0c5df2c0ab
+ - name: SESSION_AGENT_IMAGE
+ value: quay.io/airlock/microgateway-session-agent@sha256:7c14b0cd10bb302b71f84a074eac7c8caa70869abff8e9327d113bbc7f466637
+ - name: OPERATOR_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: OPERATOR_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: LOG_LEVEL
+ value: info
+ - name: GATEWAY_API_ENABLED
+ value: 'true'
+ - name: GATEWAY_API_CONTROLLER_NAME
+ value: microgateway.airlock.com/gatewayclass-controller
+ - name: GATEWAY_API_POD_MONITOR_CREATE
+ value: 'true'
+ - name: GATEWAY_API_POD_MONITOR_ADDITIONAL_LABELS
+ value: release=kube-prometheus-stack
+ image: quay.io/airlock/microgateway-operator@sha256:0e78a1afdc055537435a937d27dcf9b23bb9886756319858290a3e58d29ec2f6
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ timeoutSeconds: 5
+ name: manager
+ ports:
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ - containerPort: 13377
+ name: xds-server
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ - containerPort: 8081
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ - mountPath: /app/config/license/
+ name: airlock-microgateway-license
+ readOnly: true
+ - mountPath: /app/config/operator_config.yaml
+ name: operator-config
+ subPath: operator_config.yaml
+ - mountPath: /app/config/sidecar/engine_container_template.yaml
+ name: operator-config
+ subPath: engine_container_template.yaml
+ - mountPath: /app/config/sidecar/network_validator_container_template.yaml
+ name: operator-config
+ subPath: network_validator_container_template.yaml
+ - mountPath: /app/config/sidecar/session_agent_container_template.yaml
+ name: operator-config
+ subPath: session_agent_container_template.yaml
+ - mountPath: /app/config/engine_bootstrap_config_template.yaml
+ name: operator-config
+ subPath: engine_bootstrap_config_template.yaml
+ securityContext:
+ runAsNonRoot: true
+ serviceAccountName: airlock-microgateway-operator
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: airlock-microgateway-operator-webhook-server-cert
+ - name: airlock-microgateway-license
+ secret:
+ defaultMode: 292
+ optional: true
+ secretName: airlock-microgateway-license
+ - configMap:
+ name: airlock-microgateway-operator-config
+ name: operator-config
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/manager-role.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/manager-role.yaml
new file mode 100644
index 0000000..132040d
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/manager-role.yaml
@@ -0,0 +1,232 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-manager-syn-airlock-microgateway
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - namespaces
+ - nodes
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - ''
+ resources:
+ - pods
+ verbs:
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - pods/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - ''
+ resources:
+ - pods/status
+ verbs:
+ - patch
+ - update
+ - apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - replicasets
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - replicasets/finalizers
+ verbs:
+ - patch
+ - update
+ - apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - backendtlspolicies
+ - gateways
+ - httproutes
+ - referencegrants
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - backendtlspolicies/status
+ - gatewayclasses/finalizers
+ - gatewayclasses/status
+ - gateways/finalizers
+ - gateways/status
+ - httproutes/status
+ verbs:
+ - patch
+ - update
+ - apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gatewayclasses
+ verbs:
+ - get
+ - list
+ - patch
+ - watch
+ - apiGroups:
+ - microgateway.airlock.com
+ resources:
+ - accesscontrolpolicies
+ - accesscontrols
+ - apiprotections
+ - contentsecurities
+ - contentsecuritypolicies
+ - csrfprotections
+ - denyrules
+ - envoyclusters
+ - envoyhttpfilters
+ - gatewayparameters
+ - graphqls
+ - headerrewrites
+ - identitypropagations
+ - jwks
+ - limits
+ - oidcproviders
+ - oidcrelyingparties
+ - openapis
+ - parsers
+ - redisproviders
+ - sessionhandlings
+ - telemetries
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - microgateway.airlock.com
+ resources:
+ - accesscontrolpolicies/status
+ - contentsecuritypolicies/status
+ verbs:
+ - patch
+ - update
+ - apiGroups:
+ - microgateway.airlock.com
+ resources:
+ - envoyconfigurations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - microgateway.airlock.com
+ resources:
+ - envoyconfigurations/status
+ - sidecargateways/status
+ verbs:
+ - get
+ - patch
+ - update
+ - apiGroups:
+ - microgateway.airlock.com
+ resources:
+ - sidecargateways
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - microgateway.airlock.com
+ resources:
+ - sidecargateways/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - podmonitors
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/manager-rolebinding.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/manager-rolebinding.yaml
new file mode 100644
index 0000000..643e7db
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/manager-rolebinding.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-manager-syn-airlock-microgateway
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: airlock-microgateway-operator-manager-syn-airlock-microgateway
+subjects:
+ - kind: ServiceAccount
+ name: airlock-microgateway-operator
+ namespace: syn-airlock-microgateway
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/metrics-service.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/metrics-service.yaml
new file mode 100644
index 0000000..4ec2d93
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/metrics-service.yaml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-metrics
+ namespace: syn-airlock-microgateway
+spec:
+ ports:
+ - appProtocol: http
+ name: metrics
+ port: 8080
+ protocol: TCP
+ selector:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/name: microgateway-operator
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ operator.microgateway.airlock.com/isLeader: 'true'
+ name: airlock-microgateway-operator-leader-metrics
+ namespace: syn-airlock-microgateway
+spec:
+ ports:
+ - appProtocol: http
+ name: metrics
+ port: 8080
+ protocol: TCP
+ selector:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/name: microgateway-operator
+ operator.microgateway.airlock.com/isLeader: 'true'
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/mutating-webhook.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/mutating-webhook.yaml
new file mode 100644
index 0000000..8433b71
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/mutating-webhook.yaml
@@ -0,0 +1,39 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: syn-airlock-microgateway/airlock-microgateway-operator-serving-cert
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-webhook-syn-airlock-microgateway
+ namespace: syn-airlock-microgateway
+webhooks:
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /mutate-v1-pod
+ failurePolicy: Fail
+ name: mutate-pod.microgateway.airlock.com
+ objectSelector:
+ matchLabels:
+ sidecar.microgateway.airlock.com/inject: 'true'
+ reinvocationPolicy: IfNeeded
+ rules:
+ - apiGroups:
+ - ''
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - pods
+ sideEffects: None
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/role.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/role.yaml
new file mode 100644
index 0000000..2f4a11e
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/role.yaml
@@ -0,0 +1,45 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-leader-election
+ namespace: syn-airlock-microgateway
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/rolebinding.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/rolebinding.yaml
new file mode 100644
index 0000000..75d0bdd
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/rolebinding.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-leader-election
+ namespace: syn-airlock-microgateway
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: airlock-microgateway-operator-leader-election
+subjects:
+ - kind: ServiceAccount
+ name: airlock-microgateway-operator
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/selfsigned-issuer.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/selfsigned-issuer.yaml
new file mode 100644
index 0000000..c38f476
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/selfsigned-issuer.yaml
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-selfsigned-issuer
+ namespace: syn-airlock-microgateway
+spec:
+ selfSigned: {}
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/serviceaccount.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/serviceaccount.yaml
new file mode 100644
index 0000000..b417d83
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/serviceaccount.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator
+ namespace: syn-airlock-microgateway
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/servicemonitor.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/servicemonitor.yaml
new file mode 100644
index 0000000..f0800f0
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/servicemonitor.yaml
@@ -0,0 +1,63 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ release: kube-prometheus-stack
+ name: airlock-microgateway-operator
+ namespace: syn-airlock-microgateway
+spec:
+ endpoints:
+ - metricRelabelings:
+ - action: drop
+ regex: ^(microgateway_license|microgateway_sidecars).*$
+ sourceLabels:
+ - __name__
+ path: /metrics
+ port: metrics
+ scheme: http
+ selector:
+ matchExpressions:
+ - key: operator.microgateway.airlock.com/isLeader
+ operator: DoesNotExist
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/name: microgateway-operator
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ release: kube-prometheus-stack
+ name: airlock-microgateway-operator-leader
+ namespace: syn-airlock-microgateway
+spec:
+ endpoints:
+ - metricRelabelings:
+ - action: keep
+ regex: ^(microgateway_license|microgateway_sidecars).*$
+ sourceLabels:
+ - __name__
+ path: /metrics
+ port: metrics
+ scheme: http
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/name: microgateway-operator
+ operator.microgateway.airlock.com/isLeader: 'true'
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/serving-certificate.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/serving-certificate.yaml
new file mode 100644
index 0000000..37e0445
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/serving-certificate.yaml
@@ -0,0 +1,21 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-serving-cert
+ namespace: syn-airlock-microgateway
+spec:
+ dnsNames:
+ - airlock-microgateway-operator-webhook.syn-airlock-microgateway.svc
+ - airlock-microgateway-operator-webhook.syn-airlock-microgateway.svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: airlock-microgateway-operator-selfsigned-issuer
+ secretName: airlock-microgateway-operator-webhook-server-cert
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-admission-policy-binding.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-admission-policy-binding.yaml
new file mode 100644
index 0000000..df80a71
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-admission-policy-binding.yaml
@@ -0,0 +1,18 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ annotations: null
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-immutable-labels-syn-airlock-microgateway
+spec:
+ matchResources: null
+ policyName: airlock-microgateway-operator-immutable-labels-syn-airlock-microgateway
+ validationActions:
+ - Deny
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-admission-policy.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-admission-policy.yaml
new file mode 100644
index 0000000..5fef008
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-admission-policy.yaml
@@ -0,0 +1,60 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ annotations: null
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-immutable-labels-syn-airlock-microgateway
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ objectSelector:
+ matchLabels:
+ microgateway.airlock.com/managedBy: syn-airlock-microgateway
+ resourceRules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - UPDATE
+ resources:
+ - envoyconfigurations
+ - apiGroups:
+ - apps
+ apiVersions:
+ - v1
+ operations:
+ - UPDATE
+ resources:
+ - deployments
+ - replicasets
+ - apiGroups:
+ - ''
+ apiVersions:
+ - v1
+ operations:
+ - UPDATE
+ resources:
+ - services
+ - apiGroups:
+ - monitoring.coreos.com
+ apiVersions:
+ - v1
+ operations:
+ - UPDATE
+ resources:
+ - podmonitors
+ validations:
+ - expression: object.metadata.?labels[?'microgateway.airlock.com/managedBy'] ==
+ oldObject.metadata.?labels[?'microgateway.airlock.com/managedBy']
+ message: label 'microgateway.airlock.com/managedBy' is immutable
+ - expression: object.metadata.?labels[?'gateway.networking.k8s.io/gateway-name']
+ == oldObject.metadata.?labels[?'gateway.networking.k8s.io/gateway-name']
+ message: label 'gateway.networking.k8s.io/gateway-name' is immutable
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-webhook.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-webhook.yaml
new file mode 100644
index 0000000..798ad18
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-webhook.yaml
@@ -0,0 +1,479 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: syn-airlock-microgateway/airlock-microgateway-operator-serving-cert
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-webhook-syn-airlock-microgateway
+ namespace: syn-airlock-microgateway
+webhooks:
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-accesscontrol
+ failurePolicy: Fail
+ name: validate-accesscontrol.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - accesscontrols
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-accesscontrolpolicy
+ failurePolicy: Fail
+ name: validate-accesscontrolpolicy.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - accesscontrolpolicies
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-apiprotection
+ failurePolicy: Fail
+ name: validate-apiprotection.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - apiprotections
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-contentsecurity
+ failurePolicy: Fail
+ name: validate-contentsecurity.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - contentsecurities
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-contentsecuritypolicy
+ failurePolicy: Fail
+ name: validate-contentsecuritypolicy.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - contentsecuritypolicies
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-csrfprotection
+ failurePolicy: Fail
+ name: validate-csrfprotection.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - csrfprotections
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-denyrules
+ failurePolicy: Fail
+ name: validate-denyrules.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - denyrules
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-envoycluster
+ failurePolicy: Fail
+ name: validate-envoycluster.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - envoyclusters
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-envoyhttpfilter
+ failurePolicy: Fail
+ name: validate-envoyhttpfilter.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - envoyhttpfilters
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-gatewayparameters
+ failurePolicy: Fail
+ name: validate-gatewayparameters.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - gatewayparameters
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-graphql
+ failurePolicy: Fail
+ name: validate-graphql.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - graphqls
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-headerrewrites
+ failurePolicy: Fail
+ name: validate-headerrewrites.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - headerrewrites
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-identitypropagation
+ failurePolicy: Fail
+ name: validate-identitypropagation.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - identitypropagations
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-jwks
+ failurePolicy: Fail
+ name: validate-jwks.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - jwks
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-limits
+ failurePolicy: Fail
+ name: validate-limits.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - limits
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-oidcprovider
+ failurePolicy: Fail
+ name: validate-oidcprovider.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - oidcproviders
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-oidcrelyingparty
+ failurePolicy: Fail
+ name: validate-oidcrelyingparty.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - oidcrelyingparties
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-openapi
+ failurePolicy: Fail
+ name: validate-openapi.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - openapis
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-parser
+ failurePolicy: Fail
+ name: validate-parser.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - parsers
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-redisprovider
+ failurePolicy: Fail
+ name: validate-redisprovider.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - redisproviders
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-sessionhandling
+ failurePolicy: Fail
+ name: validate-sessionhandling.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - sessionhandlings
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-sidecargateway
+ failurePolicy: Fail
+ name: validate-sidecargateway.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - sidecargateways
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-v1-pod
+ failurePolicy: Fail
+ name: validate-pod.microgateway.airlock.com
+ objectSelector:
+ matchLabels:
+ sidecar.microgateway.airlock.com/inject: 'true'
+ rules:
+ - apiGroups:
+ - ''
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - pods
+ sideEffects: None
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/webhook-service.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/webhook-service.yaml
new file mode 100644
index 0000000..9a0c652
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/webhook-service.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+spec:
+ ports:
+ - appProtocol: https
+ name: webhook
+ port: 443
+ protocol: TCP
+ targetPort: 9443
+ selector:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/name: microgateway-operator
diff --git a/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/xds-service.yaml b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/xds-service.yaml
new file mode 100644
index 0000000..889840c
--- /dev/null
+++ b/tests/golden/defaults/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/xds-service.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-xds
+ namespace: syn-airlock-microgateway
+spec:
+ ports:
+ - appProtocol: grpc
+ name: xds
+ port: 13377
+ protocol: TCP
+ targetPort: 13377
+ selector:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/name: microgateway-operator
+ operator.microgateway.airlock.com/isLeader: 'true'
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/00_prerequisites/00_namespace.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/00_prerequisites/00_namespace.yaml
new file mode 100644
index 0000000..91c261c
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/00_prerequisites/00_namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations: {}
+ labels:
+ name: syn-airlock-microgateway
+ name: syn-airlock-microgateway
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/00_prerequisites/01_license_secret.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/00_prerequisites/01_license_secret.yaml
new file mode 100644
index 0000000..2aedd0f
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/00_prerequisites/01_license_secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+ microgateway-license.txt: ''
+kind: Secret
+metadata:
+ annotations: {}
+ labels:
+ name: airlock-microgateway-license
+ name: airlock-microgateway-license
+ namespace: syn-airlock-microgateway
+type: Opaque
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/00_prerequisites/01_network_policy.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/00_prerequisites/01_network_policy.yaml
new file mode 100644
index 0000000..33d7a9d
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/00_prerequisites/01_network_policy.yaml
@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: allow-from-waf-namespaces
+ name: allow-from-waf-namespaces
+ namespace: syn-airlock-microgateway
+spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ appuio.ch/waf: airlock
+ policyTypes:
+ - Ingress
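Review bot: The rendered NetworkPolicy carries no `spec.podSelector`, so it selects every pod in syn-airlock-microgateway and, with `policyTypes: [Ingress]`, all ingress not originating from a namespace labelled `appuio.ch/waf: airlock` is denied for the whole namespace. If that blanket scope is intended, the template should emit `podSelector: {}` explicitly, since the field is documented as non-optional and older client-side validation rejects its absence; if only the operator's xDS endpoint is meant to be opened to WAF namespaces, a pod selector and a `ports` entry would narrow it. It is worth confirming that the operator's webhook service in the same namespace (port 9443 behind airlock-microgateway-operator-webhook) stays reachable from the API server under this policy, which depends on the CNI and where the control plane runs. This is a golden fixture, so any change belongs in the jsonnet that renders it rather than in this file.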
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/accesscontrolpolicies.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/accesscontrolpolicies.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..ee697b7
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/accesscontrolpolicies.microgateway.airlock.com.yaml
@@ -0,0 +1,933 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ gateway.networking.k8s.io/policy: direct
+ name: accesscontrolpolicies.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: AccessControlPolicy
+ listKind: AccessControlPolicyList
+ plural: accesscontrolpolicies
+ singular: accesscontrolpolicy
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: AccessControlPolicy is a Direct Attached Policy for the Kubernetes
+ Gateway API. It specifies the options to perform access control with a
+ Microgateway.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of AccessControlPolicy.
+ properties:
+ policies:
+ description: Policies configures access control policies. The first
+ matching policy (from top to bottom) applies.
+ items:
+ properties:
+ authorization:
+ description: Authorization configures how requests are authorized.
+ An empty object value {} disables authorization.
+ properties:
+ authentication:
+ description: Authentication specifies that clients need
+ to be authenticated with the provided method.
+ properties:
+ oidc:
+ description: OIDC configures client authentication
+ using OpenID Connect.
+ properties:
+ introspection:
+ description: Introspection configures how token
+ introspection is performed. An empty object
+ value {} defaults to the _always_ strategy.
+ properties:
+ strategy:
+ description: Strategy defines the behavior
+ for token introspection.
+ properties:
+ always:
+ description: Always strategy defines a
+ strategy for checking every request.
+ type: object
+ random:
+ description: Random strategy defines a
+ probabilistic strategy for checking
+ the `x-th` request.
+ properties:
+ probability:
+ description: |-
+ Probability specifies the probability in % with which a request is selected to be introspected.
+ A valid value for probability must be from the range: [`0.01%`,`99.99%`].
+ To introspect the token on every request the _always_ strategy must be used.
+ maxLength: 6
+ minLength: 2
+ type: string
+ x-kubernetes-validations:
+ - message: 'Probability must have
+ a value from the valid range:
+ [`0.01%`,`99.99%`]'
+ rule: self.matches(r"""^[1-9]?[0-9](\.[0-9]{1,2})?%$""")
+ && self != '0%' && self != '0.0%'
+ && self != '0.00%'
+ required:
+ - probability
+ type: object
+ type: object
+ type: object
+ oidcRelyingPartyRef:
+ description: OIDCRelyingPartyRef configures how
+ the Airlock Microgateway Engine interacts with
+ the OpenID provider.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - oidcRelyingPartyRef
+ type: object
+ type: object
+ deny:
+ description: Deny specifies to deny access for all requests
+ matching this policy.
+ type: object
+ requireAll:
+ description: RequireAll specifies conditions which must
+ all be satisfied for the request to be authorized.
+ items:
+ properties:
+ oidc:
+ description: OIDC specifies a condition on the result
+ of an OpenID Connect flow.
+ properties:
+ claim:
+ description: Claim specifies a condition on
+ a JWT claim.
+ properties:
+ name:
+ description: Name of the claim.
+ minLength: 1
+ type: string
+ value:
+ description: |-
+ Value of the claim. If not specified, only existence of the claim is checked (any value is allowed).
+
+ Value matching is only supported if the data type of the claim is either primitive (`number`, `boolean`, `string`) or `array` of primitives.
+ In case of a non-string value, the match will be performed against the stringified value.
+
+ If the claim has an unsupported data type (e.g. `object` or `null`), its value will never match.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be
+ case-insensitive. In case of a
+ regex match, the regex gets wrapped
+ with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ required:
+ - name
+ type: object
+ required:
+ - claim
+ type: object
+ required:
+ - oidc
+ type: object
+ minItems: 1
+ type: array
+ requireAny:
+ description: RequireAny specifies conditions of which
+ at least one must be satisfied for the request to be
+ authorized.
+ items:
+ properties:
+ oidc:
+ description: OIDC specifies a condition on the result
+ of an OpenID Connect flow.
+ properties:
+ claim:
+ description: Claim specifies a condition on
+ a JWT claim.
+ properties:
+ name:
+ description: Name of the claim.
+ minLength: 1
+ type: string
+ value:
+ description: |-
+ Value of the claim. If not specified, only existence of the claim is checked (any value is allowed).
+
+ Value matching is only supported if the data type of the claim is either primitive (`number`, `boolean`, `string`) or `array` of primitives.
+ In case of a non-string value, the match will be performed against the stringified value.
+
+ If the claim has an unsupported data type (e.g. `object` or `null`), its value will never match.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be
+ case-insensitive. In case of a
+ regex match, the regex gets wrapped
+ with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ required:
+ - name
+ type: object
+ required:
+ - claim
+ type: object
+ required:
+ - oidc
+ type: object
+ minItems: 1
+ type: array
+ type: object
+ identityPropagation:
+ description: IdentityPropagation configures how the authenticated
+ user's identity is communicated to the protected application.
+ properties:
+ actions:
+ description: Actions specifies the propagation actions.
+ items:
+ properties:
+ identityPropagationRef:
+ description: IdentityPropagationRef selects an IdentityPropagation
+ to apply.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - identityPropagationRef
+ type: object
+ type: array
+ onFailure:
+ description: |-
+ OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values:
+ _Pass_: The request should be forwarded to the upstream, without including the information from the failed identity propagations.
+ enum:
+ - Pass
+ type: string
+ required:
+ - actions
+ - onFailure
+ type: object
+ requestConditions:
+ description: |-
+ RequestConditions defines additional request properties which must be matched in order for this policy to apply. A policy without request conditions will always match.
+
+ WARNING: There is currently a limitation that if `authentication.oidc` is configured for this policy, you must ensure that the request condition also matches logout requests and callback redirects from the OIDC Provider as configured in the OIDCRelyingParty (`pathMapping.logoutPath` / `pathMapping.redirectPath`).
+ properties:
+ header:
+ description: Header defines the matching headers of a
+ request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to match
+ a string. In comparison to a normal StringMatcher,
+ a value is always matched ignoring the case
+ and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a header.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to
+ match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex gets
+ wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request condition
+ should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media type
+ from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods of a
+ request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to match
+ a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether the
+ matching should be case-insensitive. In case
+ of a regex match, the regex gets wrapped with
+ a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or IPv6 CIDR
+ ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4 or IPv6\
+ \ CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the match should
+ be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - authorization
+ type: object
+ maxItems: 128
+ minItems: 1
+ type: array
+ targetRefs:
+ description: |-
+ TargetRefs are the resources this policy is being attached to. Referenced resources must be in the same namespace as the policy.
+ Support: HTTPRoute.
+ items:
+ description: |-
+ LocalPolicyTargetReference identifies an API object to apply a direct or
+ inherited policy to. This should be used as part of Policy resources
+ that can target Gateway API resources. For more information on how this
+ policy attachment model works, and a sample Policy resource, refer to
+ the policy attachment documentation for Gateway API.
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-validations:
+ - message: 'TargetRef Kind must be: HTTPRoute'
+ rule: self.all(t, t.kind == 'HTTPRoute')
+ - message: TargetRef Group must be gateway.networking.k8s.io.
+ rule: self.all(t, t.group == 'gateway.networking.k8s.io')
+ - message: Combination of name, group and kind must be unique
+ for each TargetRef
+ rule: self.all(t1, self.exists_one(t2, t1.group == t2.group
+ && t1.kind == t2.kind && t1.name == t2.name))
+ required:
+ - policies
+ - targetRefs
+ type: object
+ status:
+ description: Status defines the state of the AccessControlPolicy.
+ properties:
+ ancestors:
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
+ items:
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
+ properties:
+ ancestorRef:
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: Conditions describes the status of the Policy
+ with respect to the given Ancestor.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - 'True'
+ - 'False'
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ required:
+ - ancestorRef
+ - controllerName
+ type: object
+ maxItems: 16
+ type: array
+ required:
+ - ancestors
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/accesscontrols.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/accesscontrols.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..e9f2a41
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/accesscontrols.microgateway.airlock.com.yaml
@@ -0,0 +1,589 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: accesscontrols.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: AccessControl
+ listKind: AccessControlList
+ plural: accesscontrols
+ singular: accesscontrol
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: AccessControl specifies the options to perform access control
+ with a Microgateway Engine container.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specifies how the Airlock Microgateway Engine performs
+ access control.
+ properties:
+ policies:
+ description: Policies configures access control policies. The first
+ matching policy (from top to bottom) applies.
+ items:
+ properties:
+ authorization:
+ description: Authorization configures how requests are authorized.
+ An empty object value {} disables authorization.
+ properties:
+ authentication:
+ description: Authentication specifies that clients need
+ to be authenticated with the provided method.
+ properties:
+ oidc:
+ description: OIDC configures client authentication
+ using OpenID Connect.
+ properties:
+ introspection:
+ description: Introspection configures how token
+ introspection is performed. An empty object
+ value {} defaults to the _always_ strategy.
+ properties:
+ strategy:
+ description: Strategy defines the behavior
+ for token introspection.
+ properties:
+ always:
+ description: Always strategy defines a
+ strategy for checking every request.
+ type: object
+ random:
+ description: Random strategy defines a
+ probabilistic strategy for checking
+ the `x-th` request.
+ properties:
+ probability:
+ description: |-
+ Probability specifies the probability in % with which a request is selected to be introspected.
+ A valid value for probability must be from the range: [`0.01%`,`99.99%`].
+ To introspect the token on every request the _always_ strategy must be used.
+ maxLength: 6
+ minLength: 2
+ type: string
+ x-kubernetes-validations:
+ - message: 'Probability must have
+ a value from the valid range:
+ [`0.01%`,`99.99%`]'
+ rule: self.matches(r"""^[1-9]?[0-9](\.[0-9]{1,2})?%$""")
+ && self != '0%' && self != '0.0%'
+ && self != '0.00%'
+ required:
+ - probability
+ type: object
+ type: object
+ type: object
+ oidcRelyingPartyRef:
+ description: OIDCRelyingPartyRef configures how
+ the Airlock Microgateway Engine interacts with
+ the OpenID provider.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - oidcRelyingPartyRef
+ type: object
+ type: object
+ deny:
+ description: Deny specifies to deny access for all requests
+ matching this policy.
+ type: object
+ requireAll:
+ description: RequireAll specifies conditions which must
+ all be satisfied for the request to be authorized.
+ items:
+ properties:
+ oidc:
+ description: OIDC specifies a condition on the result
+ of an OpenID Connect flow.
+ properties:
+ claim:
+ description: Claim specifies a condition on
+ a JWT claim.
+ properties:
+ name:
+ description: Name of the claim.
+ minLength: 1
+ type: string
+ value:
+ description: |-
+ Value of the claim. If not specified, only existence of the claim is checked (any value is allowed).
+
+ Value matching is only supported if the data type of the claim is either primitive (`number`, `boolean`, `string`) or `array` of primitives.
+ In case of a non-string value, the match will be performed against the stringified value.
+
+ If the claim has an unsupported data type (e.g. `object` or `null`), its value will never match.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be
+ case-insensitive. In case of a
+ regex match, the regex gets wrapped
+ with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ required:
+ - name
+ type: object
+ required:
+ - claim
+ type: object
+ required:
+ - oidc
+ type: object
+ minItems: 1
+ type: array
+ requireAny:
+ description: RequireAny specifies conditions of which
+ at least one must be satisfied for the request to be
+ authorized.
+ items:
+ properties:
+ oidc:
+ description: OIDC specifies a condition on the result
+ of an OpenID Connect flow.
+ properties:
+ claim:
+ description: Claim specifies a condition on
+ a JWT claim.
+ properties:
+ name:
+ description: Name of the claim.
+ minLength: 1
+ type: string
+ value:
+ description: |-
+ Value of the claim. If not specified, only existence of the claim is checked (any value is allowed).
+
+ Value matching is only supported if the data type of the claim is either primitive (`number`, `boolean`, `string`) or `array` of primitives.
+ In case of a non-string value, the match will be performed against the stringified value.
+
+ If the claim has an unsupported data type (e.g. `object` or `null`), its value will never match.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be
+ case-insensitive. In case of a
+ regex match, the regex gets wrapped
+ with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ required:
+ - name
+ type: object
+ required:
+ - claim
+ type: object
+ required:
+ - oidc
+ type: object
+ minItems: 1
+ type: array
+ type: object
+ identityPropagation:
+ description: IdentityPropagation configures how the authenticated
+ user's identity is communicated to the protected application.
+ properties:
+ actions:
+ description: Actions specifies the propagation actions.
+ items:
+ properties:
+ identityPropagationRef:
+ description: IdentityPropagationRef selects an IdentityPropagation
+ to apply.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - identityPropagationRef
+ type: object
+ type: array
+ onFailure:
+ description: |-
+ OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values:
+ _Pass_: The request should be forwarded to the upstream, without including the information from the failed identity propagations.
+ enum:
+ - Pass
+ type: string
+ required:
+ - actions
+ - onFailure
+ type: object
+ requestConditions:
+ description: |-
+ RequestConditions defines additional request properties which must be matched in order for this policy to apply. A policy without request conditions will always match.
+
+ WARNING: There is currently a limitation that if `authentication.oidc` is configured for this policy, you must ensure that the request condition also matches logout requests and callback redirects from the OIDC Provider as configured in the OIDCRelyingParty (`pathMapping.logoutPath` / `pathMapping.redirectPath`).
+ properties:
+ header:
+ description: Header defines the matching headers of a
+ request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to match
+ a string. In comparison to a normal StringMatcher,
+ a value is always matched ignoring the case
+ and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a header.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to
+ match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex gets
+ wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request condition
+ should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media type
+ from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods of a
+ request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to match
+ a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether the
+ matching should be case-insensitive. In case
+ of a regex match, the regex gets wrapped with
+ a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or IPv6 CIDR
+ ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4 or IPv6\
+ \ CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the match should
+ be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - authorization
+ type: object
+ maxItems: 128
+ minItems: 1
+ type: array
+ required:
+ - policies
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/apiprotections.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/apiprotections.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..9db86a1
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/apiprotections.microgateway.airlock.com.yaml
@@ -0,0 +1,337 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: apiprotections.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: APIProtection
+ listKind: APIProtectionList
+ plural: apiprotections
+ singular: apiprotection
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: APIProtection contains the configuration for API security.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specifies the options to define API protection settings.
+ properties:
+ policies:
+ description: Policies defines the policies for API protection of
+ downstream requests.
+ items:
+ properties:
+ graphQLRef:
+ description: |-
+ GraphQLRef enables and configures GraphQL validation for requests matching this policy.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ name:
+ description: Name describing the configured policy. Must be
+ unique.
+ minLength: 1
+ type: string
+ noValidation:
+ description: NoValidation disables API protection for requests
+ matching this policy.
+ type: object
+ openAPIRef:
+ description: |-
+ OpenAPIRef enables and configures OpenAPI validation for requests matching this policy.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ requestConditions:
+ description: RequestConditions defines additional request
+ properties which must be matched in order for this policy
+ to apply.
+ properties:
+ header:
+ description: Header defines the matching headers of a
+ request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to match
+ a string. In comparison to a normal StringMatcher,
+ a value is always matched ignoring the case
+ and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a header.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to
+ match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex gets
+ wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request condition
+ should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media type
+ from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods of a
+ request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to match
+ a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether the
+ matching should be case-insensitive. In case
+ of a regex match, the regex gets wrapped with
+ a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or IPv6 CIDR
+ ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4 or IPv6\
+ \ CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the match should
+ be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/contentsecurities.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/contentsecurities.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..e68cd79
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/contentsecurities.microgateway.airlock.com.yaml
@@ -0,0 +1,168 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: contentsecurities.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: ContentSecurity
+ listKind: ContentSecurityList
+ plural: contentsecurities
+ singular: contentsecurity
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: ContentSecurity specifies the options to secure an upstream
+ web application with a Microgateway Engine container.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specifies the options to secure an upstream web application
+ with a Microgateway Engine container.
+ properties:
+ apiProtection:
+ description: |-
+ APIProtection defines the relevant configurations to protect APIs.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ **Deprecated:** Use policies in APIProtection CRD instead.
+ properties:
+ graphQLRef:
+ description: |-
+ GraphQLRef selects the relevant GraphQL configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ **Deprecated:** Use policies in APIProtection CRD instead.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ openAPIRef:
+ description: |-
+ OpenAPIRef selects the relevant OpenAPI configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ **Deprecated:** Use policies in APIProtection CRD instead.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ apiProtectionRef:
+ description: |-
+ APIProtectionRef defines the relevant configurations to protect multiple APIs on different paths.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ csrfProtectionRef:
+ description: |-
+ CSRFProtectionRef selects the relevant CSRF configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ filter:
+ description: |-
+ Filter defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests
+ to protect against various attack patterns.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ denyRulesRef:
+ description: |-
+ DenyRulesRef selects the relevant DenyRules configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ headerRewritesRef:
+ description: |-
+ HeaderRewritesRef selects the relevant HeaderRewrites.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ limitsRef:
+ description: |-
+ LimitsRef selects the relevant Limits configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ parserRef:
+ description: |-
+ ParserRef selects the relevant Parser configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/contentsecuritypolicies.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/contentsecuritypolicies.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..4db787d
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/contentsecuritypolicies.microgateway.airlock.com.yaml
@@ -0,0 +1,492 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ gateway.networking.k8s.io/policy: direct
+ name: contentsecuritypolicies.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: ContentSecurityPolicy
+ listKind: ContentSecurityPolicyList
+ plural: contentsecuritypolicies
+ singular: contentsecuritypolicy
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: ContentSecurityPolicy is a Direct Attached Policy for the Kubernetes
+ Gateway API. It specifies the options to secure an upstream web application
+ with a Microgateway.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of ContentSecurityPolicy.
+ properties:
+ secured:
+ description: Secured enables WAF processing for the routes attached
+ to this policy.
+ properties:
+ apiProtectionRef:
+ description: |-
+ APIProtectionRef defines the relevant configurations to protect multiple APIs on different paths.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ csrfProtectionRef:
+ description: |-
+ CSRFProtectionRef selects the relevant CSRF configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ filter:
+ description: |-
+ Filter defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests
+ to protect against various attack patterns.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ denyRulesRef:
+ description: |-
+ DenyRulesRef selects the relevant DenyRules configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ headerRewritesRef:
+ description: |-
+ HeaderRewritesRef selects the relevant HeaderRewrites.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ limitsRef:
+ description: |-
+ LimitsRef selects the relevant Limits configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ parserRef:
+ description: |-
+ ParserRef selects the relevant Parser configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ targetRefs:
+ description: |-
+ TargetRefs are the resources this policy is being attached to. Referenced resources must be in the same namespace as the policy.
+ Support: HTTPRoute.
+ items:
+ description: |-
+ LocalPolicyTargetReference identifies an API object to apply a direct or
+ inherited policy to. This should be used as part of Policy resources
+ that can target Gateway API resources. For more information on how this
+ policy attachment model works, and a sample Policy resource, refer to
+ the policy attachment documentation for Gateway API.
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-validations:
+ - message: 'TargetRef Kind must be: HTTPRoute'
+ rule: self.all(t, t.kind == 'HTTPRoute')
+ - message: TargetRef Group must be gateway.networking.k8s.io.
+ rule: self.all(t, t.group == 'gateway.networking.k8s.io')
+ - message: Combination of name, group and kind must be unique
+ for each TargetRef
+ rule: self.all(t1, self.exists_one(t2, t1.group == t2.group
+ && t1.kind == t2.kind && t1.name == t2.name))
+ unsecured:
+ description: |-
+ Unsecured disables all WAF functionality and therefore protection for the routes attached to this policy.
+ WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged.
+ type: object
+ required:
+ - targetRefs
+ type: object
+ status:
+ description: Status defines the state of the ContentSecurityPolicy.
+ properties:
+ ancestors:
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
+ items:
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
+ properties:
+ ancestorRef:
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: Conditions describes the status of the Policy
+ with respect to the given Ancestor.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - 'True'
+ - 'False'
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ required:
+ - ancestorRef
+ - controllerName
+ type: object
+ maxItems: 16
+ type: array
+ required:
+ - ancestors
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/csrfprotections.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/csrfprotections.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..e3993ca
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/csrfprotections.microgateway.airlock.com.yaml
@@ -0,0 +1,316 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: csrfprotections.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: CSRFProtection
+ listKind: CSRFProtectionList
+ plural: csrfprotections
+ singular: csrfprotection
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: CSRFProtection contains the configuration for CSRF.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired CSRF behavior.
+ properties:
+ exceptions:
+ description: Exceptions defines CSRF exceptions.
+ items:
+ description: CSRFProtectionException defines an exception for
+ a CSRF protection. Exceptions may be defined for requestConditions
+ (properties of a request without taking into consideration the
+ reason why a request has been blocked).
+ properties:
+ requestConditions:
+ description: RequestConditions defines an exception based
+ on a property of a request without taking into consideration
+ the reason why a request has been blocked.
+ properties:
+ header:
+ description: Header defines the matching headers of a
+ request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to match
+ a string. In comparison to a normal StringMatcher,
+ a value is always matched ignoring the case
+ and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a header.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to
+ match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex gets
+ wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request condition
+ should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media type
+ from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods of a
+ request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to match
+ a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether the
+ matching should be case-insensitive. In case
+ of a regex match, the regex gets wrapped with
+ a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or IPv6 CIDR
+ ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4 or IPv6\
+ \ CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the match should
+ be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - requestConditions
+ type: object
+ type: array
+ settings:
+ description: Settings configures the CSRF filter.
+ properties:
+ threatHandlingMode:
+ default: Block
+ description: ThreatHandlingMode specifies how threats should
+ be handled if a CSRF attack is detected.
+ enum:
+ - Block
+ - LogOnly
+ type: string
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/denyrules.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/denyrules.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..73b2a80
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/denyrules.microgateway.airlock.com.yaml
@@ -0,0 +1,1977 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: denyrules.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: DenyRules
+ listKind: DenyRulesList
+ plural: denyrules
+ singular: denyrules
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ DenyRules configures request filtering using Airlock built-in and custom deny rules.
+ Deny rules establish a negative security model. They define prohibited patterns which, when a match is found in a request, lead to it being blocked from reaching the upstream web application.
+ To handle possible false positives, lower the security level or define fine-granular deny rule exceptions
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired deny rules behavior.
+ properties:
+ request:
+ description: Request configures deny rules for downstream requests.
+ properties:
+ builtIn:
+ description: BuiltIn configures the built-in deny rules.
+ properties:
+ exceptions:
+ description: Exceptions allows to define exceptions for
+ specific requests and deny rules.
+ items:
+ description: |-
+ DenyRulesException defines an exception for deny rules. Exceptions may be defined by any or a combination of the following elements: blockedData (the request data causing a block) or requestConditions (properties of a request without taking into consideration the reason why a request has been blocked).
+ At least one of blockedData and requestConditions must be set.
+ properties:
+ blockedData:
+ description: BlockedData defines an exception based
+ on the request data causing the block.
+ properties:
+ graphQL:
+ description: |-
+ GraphQL defines an exception based on a blocked GraphQL query.
+ Only one of parameter, header, path, pathSegment, json or graphQL can be set.
+ properties:
+ argument:
+ description: |-
+ Argument defines an argument of a field of the GraphQL query.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ field:
+ description: |-
+ Field defines a field of the GraphQL query.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: |-
+ Value defines the value of an argument of the GraphQL query.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ header:
+ description: |-
+ Header defines an exception based on a blocked header.
+ Only one of parameter, header, path, pathSegment, json or graphQL can be set.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ json:
+ description: |-
+ JSON defines an exception based on a blocked JSON property.
+ Only one of parameter, header, path, pathSegment, json or graphQL can be set.
+ properties:
+ jsonPath:
+ description: |-
+ JSONPath defines the JSONPath pattern to match the path within the JSON.
+ Expressions in JSONPath i.e. `?(expr)` are not supported.
+ minLength: 1
+ type: string
+ key:
+ description: |-
+ Key defines the key of the JSON property.
+ At most one of key and value can be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: |-
+ Value defines the value of the JSON property.
+ At most one of key and value can be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ parameter:
+ description: |-
+ Parameter defines an exception based on a blocked parameter.
+ Only one of parameter, header, path, pathSegment, json or graphQL can be set.
+ properties:
+ name:
+ description: Name defines the name of a parameter.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ source:
+ default: Any
+ description: Source defines the source of
+ the parameter.
+ enum:
+ - Query
+ - Post
+ - Any
+ type: string
+ value:
+ description: Value defines the value of a
+ parameter.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ path:
+ description: |-
+ Path defines an exception based on the blocked path.
+ Only one of parameter, header, path, pathSegment, json or graphQL can be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ pathSegment:
+ description: |-
+ PathSegment defines an exception based on a blocked path segment.
+ Only one of parameter, header, path, pathSegment, json or graphQL can be set.
+ properties:
+ segments:
+ description: Segments defines the position
+ of a segment within the path.
+ properties:
+ index:
+ description: Index specifies an exact
+ path segment position by index (0-based).
+ minimum: 0
+ type: integer
+ type: object
+ value:
+ description: Value defines the value of a
+ path segment.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ type: object
+ requestConditions:
+ description: RequestConditions defines an exception
+ based on a property of a request without taking
+ into consideration the reason why a request has
+ been blocked.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request
+ condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media
+ type from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of
+ a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or
+ IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the
+ match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ ruleKeys:
+ description: RuleKeys restricts the exception to a
+ set of deny rules.
+ items:
+ description: |-
+ A deny rule name can be any of the following values:
+ ENCODING |
+ EXPLOIT |
+ HPP |
+ HTML |
+ IDOR |
+ LDAP |
+ NOSQL |
+ OGNL |
+ PHP |
+ PROTOCOL |
+ SANITY |
+ SCANNING |
+ SQL |
+ TEMPLATE |
+ UNIXCMD |
+ WINCMD |
+ XSS |
+ SSRF |
+ BOT
+ enum:
+ - ENCODING
+ - EXPLOIT
+ - HPP
+ - HTML
+ - IDOR
+ - LDAP
+ - NOSQL
+ - OGNL
+ - PHP
+ - PROTOCOL
+ - SANITY
+ - SCANNING
+ - SQL
+ - TEMPLATE
+ - UNIXCMD
+ - WINCMD
+ - XSS
+ - SSRF
+ - BOT
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ type: array
+ overrides:
+ description: Overrides allows to override the builtIn settings
+ for specific deny rules.
+ items:
+ description: DenyRulesOverride allows to override the
+ builtIn settings for specific deny rules.
+ properties:
+ conditions:
+ description: Conditions select which built-in deny
+ rules' settings will be adjusted.
+ properties:
+ ruleKeys:
+ description: RuleKeys is a list of built-in deny
+ rule names.
+ items:
+ description: |-
+ A deny rule name can be any of the following values:
+ ENCODING |
+ EXPLOIT |
+ HPP |
+ HTML |
+ IDOR |
+ LDAP |
+ NOSQL |
+ OGNL |
+ PHP |
+ PROTOCOL |
+ SANITY |
+ SCANNING |
+ SQL |
+ TEMPLATE |
+ UNIXCMD |
+ WINCMD |
+ XSS |
+ SSRF |
+ BOT
+ enum:
+ - ENCODING
+ - EXPLOIT
+ - HPP
+ - HTML
+ - IDOR
+ - LDAP
+ - NOSQL
+ - OGNL
+ - PHP
+ - PROTOCOL
+ - SANITY
+ - SCANNING
+ - SQL
+ - TEMPLATE
+ - UNIXCMD
+ - WINCMD
+ - XSS
+ - SSRF
+ - BOT
+ type: string
+ minItems: 1
+ type: array
+ types:
+ description: Types defines the type of attributes
+ the override should be applied on. If Types
+ are defined without any RuleKeys the override
+ is applied to all deny rules.
+ items:
+ description: |-
+ A deny rule override type name can be any of the following values:
+ Header |
+ Parameter |
+ Path |
+ JSON |
+ GraphQL
+ enum:
+ - Header
+ - Parameter
+ - Path
+ - PathSegment
+ - JSON
+ - GraphQL
+ type: string
+ minItems: 0
+ type: array
+ type: object
+ settings:
+ description: Settings override the corresponding properties
+ for the selected rules.
+ properties:
+ level:
+ description: Level specifies the filter strength.
+ enum:
+ - Unfiltered
+ - Basic
+ - Standard
+ - Strict
+ type: string
+ threatHandlingMode:
+ description: ThreatHandlingMode specifies how
+ threats should be handled.
+ enum:
+ - Block
+ - LogOnly
+ type: string
+ type: object
+ type: object
+ type: array
+ settings:
+ description: Settings contains the keys which will be adjusted.
+ properties:
+ level:
+ default: Standard
+ description: Level represents a set of deny rules with
+ different filter strengths.
+ enum:
+ - Unfiltered
+ - Basic
+ - Standard
+ - Strict
+ type: string
+ threatHandlingMode:
+ default: Block
+ description: ThreatHandlingMode specifies how threats
+ should be handled when a deny rule matches.
+ enum:
+ - Block
+ - LogOnly
+ type: string
+ type: object
+ type: object
+ custom:
+ description: Custom allows configuring additional deny rules.
+ properties:
+ rules:
+ description: Rules defines list of additional deny rules.
+ items:
+ properties:
+ blockData:
+ description: BlockData specifies the request data
+ which should cause a block.
+ properties:
+ graphQL:
+ description: |-
+ GraphQL specifies to block requests containing a matching GraphQL property.
+ At least one of field, argument and value must be set.
+ properties:
+ argument:
+ description: |-
+ Argument defines an argument of a field of the GraphQL query.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ field:
+ description: |-
+ Field defines a field of the GraphQL query.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: |-
+ Value defines the value of an argument of the GraphQL query.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ header:
+ description: |-
+ Header specifies to block requests containing a matching header.
+ Only one of parameter, header, path, pathSegment or json can be set.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ json:
+ description: |-
+ JSON specifies to block requests containing a matching JSON property in the body.
+ Only one of parameter, header, path, pathSegment or json can be set.
+ properties:
+ key:
+ description: Key defines the key of a JSON
+ object.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ JSON object.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ parameter:
+ description: |-
+ Parameter specifies to block requests containing a matching parameter.
+ Only one of parameter, header, path, pathSegment or json can be set.
+ properties:
+ name:
+ description: Name defines the name of a parameter.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ parameter.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ path:
+ description: |-
+ Path specifies to block requests with a matching path.
+ Only one of parameter, header, path, pathSegment or json can be set.
+ properties:
+ matcher:
+ description: Matcher specifies which path
+ to block.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ pathSegment:
+ description: |-
+ PathSegment specifies to block requests containing a matching path segment.
+ Only one of parameter, header, path, pathSegment or json can be set.
+ properties:
+ segments:
+ description: |-
+ Segments restricts which path segments are filtered by this rule.
+ If not specified, all segments of a path are filtered.
+ properties:
+ index:
+ description: Index restricts the rule
+ to the path segment at this index (0-based).
+ minimum: 0
+ type: integer
+ type: object
+ value:
+ description: Value specifies which path segment
+ values to block.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ required:
+ - value
+ type: object
+ type: object
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in order
+ for this rule to apply.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request
+ condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media
+ type from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of
+ a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or
+ IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the
+ match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ ruleKey:
+ description: RuleKey defines a technical key for the
+ deny rule. Must be unique.
+ minLength: 1
+ pattern: ^[A-Z][A-Z0-9_]*$
+ type: string
+ threatHandlingMode:
+ default: Block
+ description: ThreatHandlingMode specifies how threats
+ should be handled when a deny rule matches.
+ enum:
+ - Block
+ - LogOnly
+ type: string
+ required:
+ - blockData
+ - ruleKey
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - ruleKey
+ x-kubernetes-list-type: map
+ type: object
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyclusters.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyclusters.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..4abc45c
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyclusters.microgateway.airlock.com.yaml
@@ -0,0 +1,60 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: envoyclusters.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: EnvoyCluster
+ listKind: EnvoyClusterList
+ plural: envoyclusters
+ singular: envoycluster
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: EnvoyCluster is an additional Envoy Cluster resource which
+ is added to those defined by the Airlock Microgateway.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired additional Envoy cluster.
+ properties:
+ value:
+ description: Value defines the Envoy Cluster which is added to those
+ configured by the Airlock Microgateway.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyconfigurations.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyconfigurations.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..e8b2d5e
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyconfigurations.microgateway.airlock.com.yaml
@@ -0,0 +1,207 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: envoyconfigurations.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: EnvoyConfiguration
+ listKind: EnvoyConfigurationList
+ plural: envoyconfigurations
+ singular: envoyconfiguration
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .status.status
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ EnvoyConfiguration is the Schema for the envoyconfigurations API
+ {{% notice warning %}} EnvoyConfiguration resources may contain sensitive information and thus RBAC permissions should be granted with care. {{% /notice %}}
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: EnvoyConfigurationSpec defines the desired state of EnvoyConfiguration
+ properties:
+ envoyResources:
+ properties:
+ clusters:
+ items:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: array
+ endpoints:
+ items:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: array
+ extensions:
+ items:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: array
+ listeners:
+ items:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: array
+ routes:
+ items:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: array
+ runtimes:
+ items:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: array
+ scopedRoutes:
+ items:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: array
+ secrets:
+ items:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: array
+ type: object
+ envoyResourcesRaw:
+ description: |-
+ EnvoyResourcesRaw defines the desired state for each resource type. The resources are stored as zstd compressed JSON bytes.
+ For debugging purposes, the resources can be inspected with the following command: `kubectl get envoyconfiguration -ojsonpath='{.spec.envoyResourcesRaw}' | base64 -d | zstd -d | jq`
+ format: byte
+ type: string
+ nodeID:
+ description: '**Deprecated:** This field is now ignored as NodeID
+ is always derived from the resource name.'
+ type: string
+ type: object
+ status:
+ description: EnvoyConfigurationStatus defines the observed state of
+ EnvoyConfiguration
+ properties:
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ description: Last time the condition transitioned from one
+ status to another.
+ format: date-time
+ type: string
+ message:
+ description: A human-readable message indicating details about
+ the transition.
+ type: string
+ observedGeneration:
+ description: |-
+ ObservedGeneration represents the `.metadata.generation` based on which the condition was set.
+ For instance, if `.metadata.generation` is currently 12, but the `.status.conditions[x].observedGeneration` is 9, the condition is out of date with respect to the current state of the EnvoyConfiguration.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: The reason for the condition's last transition.
+ type: string
+ status:
+ description: Status of the condition, one of True, False,
+ Unknown.
+ type: string
+ type:
+ description: Type of EnvoyConfiguration condition.
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ status:
+ type: string
+ xds:
+ properties:
+ resourceTypes:
+ additionalProperties:
+ description: XdsResourceTypeSyncStatus defines the sync status
+ of xDS for a specific resource type
+ properties:
+ errorMessage:
+ description: ErrorMessage defines an optional message
+ why the currently served resources of this resource
+ type are rejected by the client.
+ type: string
+ resources:
+ additionalProperties:
+ description: XdsResourceStatus defines the status of
+ xDS for a specific resource
+ properties:
+ version:
+ description: Version defines the version which is
+ currently served for this resource.
+ type: string
+ required:
+ - version
+ type: object
+ description: Resources defines the resources which are
+ currently served for this resource type.
+ type: object
+ status:
+ description: Status defines the current sync status of
+ this resource type.
+ type: string
+ version:
+ description: Version defines the version which is currently
+ served for this resource type.
+ type: string
+ required:
+ - resources
+ - status
+ - version
+ type: object
+ description: ResourceTypes defines the sync statuses for each
+ resource type.
+ type: object
+ version:
+ description: Version defines the version of the underlying xDS
+ snapshot.
+ type: integer
+ required:
+ - version
+ type: object
+ required:
+ - status
+ - xds
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyhttpfilters.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyhttpfilters.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..5b89569
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/envoyhttpfilters.microgateway.airlock.com.yaml
@@ -0,0 +1,60 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: envoyhttpfilters.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: EnvoyHTTPFilter
+ listKind: EnvoyHTTPFilterList
+ plural: envoyhttpfilters
+ singular: envoyhttpfilter
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: EnvoyHTTPFilter is an additional Envoy HTTP Filter resource
+ which is added to those defined by the Airlock Microgateway.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired additional Envoy HTTP filter.
+ properties:
+ value:
+ description: Value defines the HTTP filter which is added to those
+ configured by the Airlock Microgateway.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/gatewayparameters.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/gatewayparameters.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..a7ca2e3
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/gatewayparameters.microgateway.airlock.com.yaml
@@ -0,0 +1,1534 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: gatewayparameters.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: GatewayParameters
+ listKind: GatewayParametersList
+ plural: gatewayparameters
+ singular: gatewayparameters
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ GatewayParameters defines the configuration settings for deploying a Gateway in a Kubernetes, including options for logging, service type, deployment strategy, and resource management. It can be referenced by either a GatewayClass or a Gateway.
+ Note: More specific GatewayParameters takes precedence, e.g., if a Gateway references GatewayParameters, the parameters from its associated GatewayClass are completely overridden without merging.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: GatewayParametersSpec defines additional configuration
+ parameters for the Gateway.
+ properties:
+ defaults:
+ description: Defaults specifies default configurations and policies
+ for the Gateway.
+ properties:
+ downstream:
+ description: Downstream defines the downstream configuration
+ for this Gateway.
+ properties:
+ remoteIP:
+ description: |-
+ RemoteIP defines how the remote IP of a client is propagated.
+ Default: connectionIP: {...}
+ properties:
+ connectionIP:
+ description: ConnectionIP configures to use the source
+ IP address of the direct downstream connection.
+ type: object
+ customHeader:
+ description: CustomHeader specifies to use a custom
+ header for remote IP extraction.
+ properties:
+ headerName:
+ description: HeaderName specifies the name of the
+ custom header containing the remote IP.
+ minLength: 1
+ type: string
+ required:
+ default: true
+ description: Required specifies if the custom header
+ is required. If true and not available the request
+ will be rejected with 403.
+ type: boolean
+ required:
+ - headerName
+ type: object
+ xff:
+ description: XFF configures to use the standard 'X-Forwarded-For'
+ header for IP extraction.
+ properties:
+ numTrustedHops:
+ default: 1
+ description: NumTrustedHops specifies to extract
+ the client's originating IP from the nth rightmost
+ entry in the X-Forwarded-For header. With the
+ default value of 1, the IP is extracted from the
+ rightmost entry.
+ format: int32
+ minimum: 1
+ type: integer
+ type: object
+ type: object
+ type: object
+ sessionHandlingRef:
+ description: SessionHandlingRef selects the default SessionHandling
+ configuration for the Gateway.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ kubernetes:
+ description: Kubernetes defines the configuration for Kubernetes
+ resources provisioned for the Gateway.
+ properties:
+ deployment:
+ description: Deployment configures the Kubernetes Deployment
+ provisioned for the Gateway.
+ properties:
+ automountServiceAccountToken:
+ default: false
+ description: AutomountServiceAccountToken configures whether
+ a service account token should be automatically mounted.
+ Set this to `true` only if a sidecar that requires a service
+ account token (e.g., OpenShift ServiceMesh) is injected
+ to the Gateway Deployment.
+ type: boolean
+ engineContainer:
+ description: EngineContainer configures the container running
+ the Airlock Microgateway Engine.
+ properties:
+ resources:
+ description: |-
+ Resources specifies the compute resources required for this container.
+ See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references one entry
+ in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ type: object
+ imagePullSecrets:
+ description: |-
+ ImagePullSecrets configures the list of references to secrets in the same namespace, which will be used in the Gateway deployment for pulling any of the images.
+ More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
+ items:
+ description: |-
+ LocalObjectReference contains enough information to let you locate the
+ referenced object inside the same namespace.
+ properties:
+ name:
+ default: ''
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ placement:
+ description: Placement configures scheduling of the Airlock
+ Microgateway Engine pod.
+ properties:
+ affinity:
+ description: Affinity specifies affinity and anti-affinity
+ rules for the Airlock Microgateway Engine pods.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with matching
+ the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node selector
+ terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling rules
+ (e.g. co-locate this pod in the same node, zone,
+ etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a
+ list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a
+ list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a
+ list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a
+ list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: NodeSelector is a selector which must be
+ true for the Airlock Microgateway Engine pods to fit
+ on a node.
+ type: object
+ tolerations:
+ description: Tolerations allows scheduling of Airlock
+ Microgateway Engine pods on tainted nodes.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple using the matching operator .
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ description: |-
+ TopologySpreadConstraints describes how the Airlock Microgateway Engine pods ought to spread across topology domains (e.g., nodes, zones).
+ If the label selector of the constraints is undefined, the label selector of the deployment will be used instead.
+ items:
+ description: TopologySpreadConstraint specifies how
+ to spread matching pods among the given topology.
+ properties:
+ labelSelector:
+ description: |-
+ LabelSelector is used to find matching pods.
+ Pods that match this label selector are counted to determine the number of pods
+ in their corresponding topology domain.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select the pods over which
+ spreading will be calculated. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are ANDed with labelSelector
+ to select the group of existing pods over which spreading will be calculated
+ for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ MatchLabelKeys cannot be set when LabelSelector isn't set.
+ Keys that don't exist in the incoming pod labels will
+ be ignored. A null or empty list means only match against labelSelector.
+
+ This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ description: |-
+ MaxSkew describes the degree to which pods may be unevenly distributed.
+ When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+ between the number of matching pods in the target topology and the global minimum.
+ The global minimum is the minimum number of matching pods in an eligible domain
+ or zero if the number of eligible domains is less than MinDomains.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 2/2/1:
+ In this case, the global minimum is 1.
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P |
+ - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+ scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+ violate MaxSkew(1).
+ - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+ When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+ to topologies that satisfy it.
+ It's a required field. Default value is 1 and 0 is not allowed.
+ format: int32
+ type: integer
+ minDomains:
+ description: |-
+ MinDomains indicates a minimum number of eligible domains.
+ When the number of eligible domains with matching topology keys is less than minDomains,
+ Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+ And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+ this value has no effect on scheduling.
+ As a result, when the number of eligible domains is less than minDomains,
+ scheduler won't schedule more than maxSkew Pods to those domains.
+ If value is nil, the constraint behaves as if MinDomains is equal to 1.
+ Valid values are integers greater than 0.
+ When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+
+ For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+ labelSelector spread as 2/2/2:
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P P |
+ The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+ In this situation, new pod with the same labelSelector cannot be scheduled,
+ because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+ it will violate MaxSkew.
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ description: |-
+ NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+ when calculating pod topology spread skew. Options are:
+ - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+ - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+
+ If this value is nil, the behavior is equivalent to the Honor policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ nodeTaintsPolicy:
+ description: |-
+ NodeTaintsPolicy indicates how we will treat node taints when calculating
+ pod topology spread skew. Options are:
+ - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+ has a toleration, are included.
+ - Ignore: node taints are ignored. All nodes are included.
+
+ If this value is nil, the behavior is equivalent to the Ignore policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ topologyKey:
+ description: |-
+ TopologyKey is the key of node labels. Nodes that have a label with this key
+ and identical values are considered to be in the same topology.
+ We consider each as a "bucket", and try to put balanced number
+ of pods into each bucket.
+ We define a domain as a particular instance of a topology.
+ Also, we define an eligible domain as a domain whose nodes meet the requirements of
+ nodeAffinityPolicy and nodeTaintsPolicy.
+ e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+ And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+ It's a required field.
+ type: string
+ whenUnsatisfiable:
+ description: |-
+ WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+ the spread constraint.
+ - DoNotSchedule (default) tells the scheduler not to schedule it.
+ - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+ but giving higher precedence to topologies that would help reduce the
+ skew.
+ A constraint is considered "Unsatisfiable" for an incoming pod
+ if and only if every possible node assignment for that pod would violate
+ "MaxSkew" on some topology.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 3/1/1:
+ | zone1 | zone2 | zone3 |
+ | P P P | P | P |
+ If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+ to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+ MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+ won't make it *more* imbalanced.
+ It's a required field.
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ type: object
+ replicas:
+ default: 2
+ description: Replicas sets the number of Gateway Deployment
+ replicas.
+ format: int32
+ minimum: 1
+ type: integer
+ strategy:
+ description: |-
+ Strategy configures the deployment strategy which is used to replace existing Airlock Microgateway Engine pods with new ones.
+ If undefined, default settings (RollingUpdate) are applied.
+ properties:
+ rollingUpdate:
+ description: |-
+ Rolling update config params. Present only if DeploymentStrategyType =
+ RollingUpdate.
+ properties:
+ maxSurge:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be scheduled above the desired number of
+ pods.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ This can not be 0 if MaxUnavailable is 0.
+ Absolute number is calculated from percentage by rounding up.
+ Defaults to 25%.
+ Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+ the rolling update starts, such that the total number of old and new pods do not exceed
+ 130% of desired pods. Once old pods have been killed,
+ new ReplicaSet can be scaled up further, ensuring that total number of pods running
+ at any time during the update is at most 130% of desired pods.
+ x-kubernetes-int-or-string: true
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be unavailable during the update.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ Absolute number is calculated from percentage by rounding down.
+ This can not be 0 if MaxSurge is 0.
+ Defaults to 25%.
+ Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+ immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+ can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+ that the total number of pods available at all times during the update is at
+ least 70% of desired pods.
+ x-kubernetes-int-or-string: true
+ type: object
+ type:
+ description: Type of deployment. Can be "Recreate" or
+ "RollingUpdate". Default is RollingUpdate.
+ type: string
+ type: object
+ type: object
+ service:
+ description: Service configures the Kubernetes Service provisioned
+ for the Gateway.
+ properties:
+ allocateLoadBalancerNodePorts:
+ description: |-
+ AllocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.
+ If undefined, the default is `true`. It may be set to `false` if the cluster load-balancer does not rely on NodePorts.
+ type: boolean
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations specifies additional annotations
+ for the Service, e.g., for configuring cloud LoadBalancers.
+ maxProperties: 8
+ type: object
+ x-kubernetes-validations:
+ - message: Annotation keys must be in the form of an optional
+ DNS subdomain prefix followed by a required name segment
+ of up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the annotation key's prefix must
+ be a DNS subdomain not longer than 253 characters
+ in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ - message: Annotation values may not be longer than 4096
+ characters.
+ rule: self.all(key, size(self[key]) <= 4096)
+ externalTrafficPolicy:
+ description: |-
+ ExternalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service's "externally-facing" addresses (NodePorts, and LoadBalancer IPs). Meaning of the possible values:
+ _Local_: preserves the source IP of the traffic by routing only to endpoints on the same node as the traffic was received on (dropping the traffic if there are no local endpoints).
+ _Cluster_: routes traffic to all endpoints. Be aware that this may break client IP detection and dependent features (e.g., deny rule exceptions or access control policies with request conditions matching remote IPs).
+ If undefined, the `Local` policy is applied.
+ enum:
+ - Cluster
+ - Local
+ type: string
+ type:
+ default: ClusterIP
+ description: Type specifies the type of Kubernetes Service.
+ enum:
+ - ClusterIP
+ - NodePort
+ - LoadBalancer
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: ExternalTrafficPolicy can only be set for externally-accessible
+ service types (i.e., NodePort, LoadBalancer)
+ rule: '!has(self.externalTrafficPolicy) || self.type ==
+ "NodePort" || self.type == "LoadBalancer"'
+ - message: AllocateLoadBalancerNodePorts can only be set for
+ service type LoadBalancer
+ rule: '!has(self.allocateLoadBalancerNodePorts) || self.type
+ == "LoadBalancer"'
+ type: object
+ logging:
+ description: Logging specifies Envoy system logging settings for
+ the Gateway.
+ properties:
+ level:
+ default: info
+ description: Level specifies the logging level for the Envoy
+ system logs of the Airlock Microgateway Engine.
+ enum:
+ - 'off'
+ - critical
+ - error
+ - warn
+ - info
+ - debug
+ - trace
+ type: string
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/graphqls.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/graphqls.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..86de4a1
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/graphqls.microgateway.airlock.com.yaml
@@ -0,0 +1,94 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: graphqls.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: GraphQL
+ listKind: GraphQLList
+ plural: graphqls
+ singular: graphql
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: GraphQL contains the configuration for the GraphQL specification.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired GraphQL specification.
+ properties:
+ settings:
+ description: Settings defines the settings to configure GraphQL.
+ properties:
+ allowIntrospection:
+ default: true
+ description: AllowIntrospection specifies if the introspection
+ system is exposed.
+ type: boolean
+ allowMutations:
+ default: true
+ description: AllowMutations specifies if mutations are allowed.
+ type: boolean
+ schema:
+ description: Specifies the GraphQL schema.
+ properties:
+ source:
+ description: Source specifies the GraphQL schema to be enforced.
+ properties:
+ configMapRef:
+ description: ConfigMapRef references the configmap by
+ its name containing the well-known key `schema.graphql`.
+ Use the `data` field for plaintext or the `binaryData`
+ for compressed data. Supported compression formats
+ are zstd, gzip or zip.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ required:
+ - source
+ type: object
+ threatHandlingMode:
+ default: Block
+ description: ThreatHandlingMode specifies how threats should
+ be handled.
+ enum:
+ - Block
+ - LogOnly
+ type: string
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/headerrewrites.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/headerrewrites.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..f8be6ad
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/headerrewrites.microgateway.airlock.com.yaml
@@ -0,0 +1,2338 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: headerrewrites.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: HeaderRewrites
+ listKind: HeaderRewritesList
+ plural: headerrewrites
+ singular: headerrewrites
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: HeaderRewrites is the Schema for the headerrewrites API
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired header rewriting behavior.
+ properties:
+ request:
+ description: Request defines manipulations on upstream request headers.
+ properties:
+ add:
+ description: Add defines which request headers will be added
+ before forwarding to the upstream.
+ properties:
+ custom:
+ description: |-
+ Custom allows configuring additional upstream request headers.
+ Add selected headers.
+ items:
+ properties:
+ headers:
+ description: Headers to add.
+ items:
+ description: HeaderRewritesHeader specifies a header
+ with a particular value
+ properties:
+ name:
+ description: Name defines the name of a header.
+ minLength: 1
+ type: string
+ value:
+ description: Value defines the value of a header.
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ minItems: 1
+ type: array
+ mode:
+ default: AddIfAbsent
+ description: Mode defines the header addition strategy.
+ enum:
+ - AddIfAbsent
+ - OverwriteOrAdd
+ type: string
+ name:
+ description: Name describing the configured operation.
+ minLength: 1
+ type: string
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in order
+ for this operation to be applied.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request
+ condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media
+ type from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of
+ a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or
+ IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the
+ match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - headers
+ - name
+ type: object
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ allow:
+ description: |-
+ Allow defines which request headers will be forwarded to the upstream.
+ This can either be allHeaders or matchingHeaders.
+ Default: matchingHeaders: {...}
+ properties:
+ allHeaders:
+ description: AllHeaders specifies that all request headers
+ should be forwarded.
+ type: object
+ matchingHeaders:
+ description: MatchingHeaders specifies which request headers
+ should be forwarded.
+ properties:
+ builtIn:
+ description: BuiltIn allows configuring a set of predefined
+ upstream request headers.
+ properties:
+ standardHeaders:
+ default: true
+ description: StandardHeaders defines whether the
+ request headers which are forwarded to the upstream
+ will be restricted to a set of common request
+ headers.
+ type: boolean
+ tracingHeaders:
+ default: false
+ description: TracingHeaders defines whether to allow
+ common tracing headers to be forwarded to the
+ upstream.
+ type: boolean
+ type: object
+ custom:
+ description: Custom allows configuring additional upstream
+ request headers.
+ items:
+ properties:
+ headers:
+ description: Headers to allow.
+ items:
+ description: |-
+ HeaderMatcher defines a matcher for an HTTP header.
+ At least one of name and value must be set.
+ properties:
+ name:
+ description: Name defines the name of a
+ header.
+ properties:
+ matcher:
+ description: Matcher defines the way
+ to match a string. In comparison to
+ a normal StringMatcher, a value is
+ always matched ignoring the case and
+ can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of
+ a header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be
+ case-insensitive. In case of a
+ regex match, the regex gets wrapped
+ with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ minItems: 1
+ type: array
+ name:
+ description: Name describing the configured operation.
+ Must be unique.
+ minLength: 1
+ type: string
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in
+ order for this operation to be applied.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of
+ a header.
+ properties:
+ matcher:
+ description: Matcher defines the way
+ to match a string. In comparison
+ to a normal StringMatcher, a value
+ is always matched ignoring the case
+ and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of
+ a header.
+ properties:
+ matcher:
+ description: StringMatcher defines
+ the way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should
+ be case-insensitive. In case
+ of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the
+ request condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching
+ media type from the content-type header
+ of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP
+ methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path
+ of a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4
+ or IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C\
+ 196.148.3.128/26\u201C or \u201C2001:db8::/28\u201C\
+ ."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether
+ the match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - headers
+ - name
+ type: object
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type: object
+ remove:
+ description: Remove defines which request headers will be removed
+ before forwarding to the upstream.
+ properties:
+ builtIn:
+ description: BuiltIn allows configuring a set of predefined
+ upstream request headers.
+ properties:
+ alternativeForwardedHeaders:
+ default: true
+ description: |-
+ AlternativeForwardedHeaders removes downstream request headers which could potentially
+ be abused to alter the upstream's view of the remote connection.
+ type: boolean
+ type: object
+ custom:
+ description: Custom allows configuring additional upstream
+ request headers.
+ items:
+ properties:
+ headers:
+ description: Headers to remove.
+ items:
+ description: |-
+ HeaderMatcher defines a matcher for an HTTP header.
+ At least one of name and value must be set.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a header.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ minItems: 1
+ type: array
+ name:
+ description: Name describing the configured operation.
+ Must be unique.
+ minLength: 1
+ type: string
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in order
+ for this operation to be applied.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request
+ condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media
+ type from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of
+ a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or
+ IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the
+ match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - headers
+ - name
+ type: object
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type: object
+ response:
+ description: Response defines manipulations on upstream response
+ headers.
+ properties:
+ add:
+ description: Add defines which response headers will be added
+ before forwarding to the downstream.
+ properties:
+ builtIn:
+ description: BuiltIn allows configuring a set of predefined
+ upstream response headers.
+ properties:
+ csp:
+ default: true
+ description: |-
+ CSP sets a content security policy which allows only same-origin requests except for images
+ if the 'Content-Security-Policy' header is not set by the upstream.
+ type: boolean
+ featurePolicy:
+ default: false
+ description: |-
+ FeaturePolicy sets a feature policy which prevents cross-origin use of several browser features
+ if the 'Feature-Policy' header is not set by the upstream.
+ **Deprecated:** Use permissionsPolicy instead.
+ type: boolean
+ hsts:
+ default: true
+ description: HSTS enforces the use of HTTPS if the 'Strict-Transport-Security'
+ header is not already set by the upstream.
+ type: boolean
+ hstsPreload:
+ default: false
+ description: HSTSPreload enforces the use of HTTPS including
+ for subdomains and enables HSTS preload.
+ type: boolean
+ permissionsPolicy:
+ default: true
+ description: |-
+ PermissionsPolicy sets a permissions policy which prevents cross-origin use of several browser features
+ if the 'Permissions-Policy' header is not set by the upstream.
+ type: boolean
+ referrerPolicy:
+ default: true
+ description: |-
+ ReferrerPolicy ensures that no 'Referer' header is sent for cross-origin requests
+ if the 'Referrer-Policy' header is not set by the upstream.
+ type: boolean
+ xContentTypeOptions:
+ default: true
+ description: XContentTypeOptions sets 'X-Content-Type-Options'
+ to 'nosniff' if it is not set by the upstream.
+ type: boolean
+ xFrameOptions:
+ default: true
+ description: XFrameOptions sets 'X-Frame-Options' to
+ SAMEORIGIN if it is not set by the upstream.
+ type: boolean
+ type: object
+ custom:
+ description: Custom allows configuring additional upstream
+ response headers.
+ items:
+ properties:
+ headers:
+ description: Headers to add.
+ items:
+ description: HeaderRewritesHeader specifies a header
+ with a particular value
+ properties:
+ name:
+ description: Name defines the name of a header.
+ minLength: 1
+ type: string
+ value:
+ description: Value defines the value of a header.
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ minItems: 1
+ type: array
+ mode:
+ default: AddIfAbsent
+ description: Mode defines the header addition strategy.
+ enum:
+ - AddIfAbsent
+ - OverwriteOrAdd
+ type: string
+ name:
+ description: Name describing the configured operation.
+ minLength: 1
+ type: string
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in order
+ for this operation to be applied.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request
+ condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media
+ type from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of
+ a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or
+ IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the
+ match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - headers
+ - name
+ type: object
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ allow:
+ description: |-
+ Allow defines which response headers will be forwarded to the downstream.
+ This can either be allHeaders or matchingHeaders.
+ Default: allHeaders: {}
+ properties:
+ allHeaders:
+ description: AllHeaders specifies that all response headers
+ should be forwarded.
+ type: object
+ matchingHeaders:
+ description: MatchingHeaders specifies which response headers
+ should be forwarded.
+ properties:
+ builtIn:
+ description: BuiltIn allows configuring a set of predefined
+ upstream response header.
+ properties:
+ standardHeaders:
+ default: false
+ description: StandardHeaders defines whether the
+ response headers which are forwarded to the downstream
+ will be restricted to a set of common response
+ headers.
+ type: boolean
+ type: object
+ custom:
+ description: Custom allows configuring additional upstream
+ response headers.
+ items:
+ properties:
+ headers:
+ description: Headers to allow.
+ items:
+ description: |-
+ HeaderMatcher defines a matcher for an HTTP header.
+ At least one of name and value must be set.
+ properties:
+ name:
+ description: Name defines the name of a
+ header.
+ properties:
+ matcher:
+ description: Matcher defines the way
+ to match a string. In comparison to
+ a normal StringMatcher, a value is
+ always matched ignoring the case and
+ can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of
+ a header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be
+ case-insensitive. In case of a
+ regex match, the regex gets wrapped
+ with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ minItems: 1
+ type: array
+ name:
+ description: Name describing the configured operation.
+ Must be unique.
+ minLength: 1
+ type: string
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in
+ order for this operation to be applied.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of
+ a header.
+ properties:
+ matcher:
+ description: Matcher defines the way
+ to match a string. In comparison
+ to a normal StringMatcher, a value
+ is always matched ignoring the case
+ and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of
+ a header.
+ properties:
+ matcher:
+ description: StringMatcher defines
+ the way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should
+ be case-insensitive. In case
+ of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the
+ request condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching
+ media type from the content-type header
+ of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP
+ methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path
+ of a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4
+ or IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C\
+ 196.148.3.128/26\u201C or \u201C2001:db8::/28\u201C\
+ ."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether
+ the match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - headers
+ - name
+ type: object
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type: object
+ remove:
+ description: Remove defines which response headers will be removed
+ before forwarding to the downstream.
+ properties:
+ builtIn:
+ description: BuiltIn allows configuring a set of predefined
+ upstream response headers.
+ properties:
+ auth:
+ description: Auth defines the categories of headers
+ concerning authentication.
+ properties:
+ basic:
+ default: false
+ description: Basic removes upstream response headers
+ that advise clients to authenticate with Basic
+ Authentication.
+ type: boolean
+ negotiate:
+ default: true
+ description: Negotiate removes upstream response
+ headers that advise clients to authenticate with
+ Negotiate.
+ type: boolean
+ ntlm:
+ default: true
+ description: |-
+ NTLM removes upstream response headers that advise clients to authenticate with NTLM.
+ By default, these headers are removed, because NTLM pass-through is not supported.
+ type: boolean
+ type: object
+ informationLeakage:
+ description: InformationLeakage defines the categories
+ of headers concerning information leakage.
+ properties:
+ application:
+ default: true
+ description: Application removes upstream response
+ headers that leak information about the deployed
+ software.
+ type: boolean
+ server:
+ default: true
+ description: Server removes upstream response headers
+ that leak information about the server.
+ type: boolean
+ type: object
+ permissiveCors:
+ default: true
+ description: PermissiveCORS removes upstream response
+ headers for CORS (Cross-Origin Resource Sharing) which
+ have no restrictions and therefore reduce client-side
+ security.
+ type: boolean
+ type: object
+ custom:
+ description: Custom allows configuring additional upstream
+ response headers.
+ items:
+ properties:
+ headers:
+ description: Headers to remove.
+ items:
+ description: |-
+ HeaderMatcher defines a matcher for an HTTP header.
+ At least one of name and value must be set.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a header.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ minItems: 1
+ type: array
+ name:
+ description: Name describing the configured remove
+ operation. Must be unique.
+ minLength: 1
+ type: string
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in order
+ for this operation to be applied.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request
+ condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media
+ type from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of
+ a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or
+ IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the
+ match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - headers
+ - name
+ type: object
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type: object
+ settings:
+ description: Settings configures the HeaderRewrites filter.
+ properties:
+ operationalMode:
+ default: Production
+ description: OperationalMode defines the behavior of the filter.
+ In integration mode more information is logged about the requests
+ and responses.
+ enum:
+ - Production
+ - Integration
+ type: string
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/identitypropagations.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/identitypropagations.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..1728ab2
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/identitypropagations.microgateway.airlock.com.yaml
@@ -0,0 +1,169 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: identitypropagations.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: IdentityPropagation
+ listKind: IdentityPropagationList
+ plural: identitypropagations
+ singular: identitypropagation
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: IdentityPropagation specifies the desired identity propagation.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired identity propagation.
+ properties:
+ bearerToken:
+ description: BearerToken configures identity propagation via an
+ authorization header containing a bearer token.
+ properties:
+ source:
+ description: Source from which to extract the token.
+ properties:
+ metadata:
+ description: Metadata specifies to extract a value from
+ an Envoy dynamic filter metadata key.
+ properties:
+ key:
+ description: Key specifies the metadata key from which
+ to load the value, e.g. `some_payload.aud`.
+ minLength: 1
+ type: string
+ namespace:
+ description: Namespace specifies the metadata namespace
+ within which the lookup should be performed, e.g.
+ `envoy.filters.http.jwt_authn`.
+ minLength: 1
+ type: string
+ required:
+ - key
+ - namespace
+ type: object
+ oidc:
+ description: OIDC specifies to extract a value from the
+ result of an OpenID Connect flow.
+ properties:
+ accessToken:
+ description: AccessToken specifies to extract the value
+ from the OpenID Connect Access Token.
+ type: object
+ idToken:
+ description: IDToken specifies to extract the value
+ from the OpenID Connect ID Token.
+ properties:
+ claim:
+ description: Claim selects the JWT claim from which
+ to extract the value.
+ minLength: 1
+ type: string
+ required:
+ - claim
+ type: object
+ type: object
+ type: object
+ required:
+ - source
+ type: object
+ header:
+ description: Header configures identity propagation via a request
+ header.
+ properties:
+ name:
+ description: Name of the header to set.
+ minLength: 1
+ type: string
+ value:
+ description: Value to propagate to the application.
+ properties:
+ source:
+ description: Source from which to extract the value.
+ properties:
+ metadata:
+ description: Metadata specifies to extract a value from
+ an Envoy dynamic filter metadata key.
+ properties:
+ key:
+ description: Key specifies the metadata key from
+ which to load the value, e.g. `some_payload.aud`.
+ minLength: 1
+ type: string
+ namespace:
+ description: Namespace specifies the metadata namespace
+ within which the lookup should be performed, e.g.
+ `envoy.filters.http.jwt_authn`.
+ minLength: 1
+ type: string
+ required:
+ - key
+ - namespace
+ type: object
+ oidc:
+ description: OIDC specifies to extract a value from
+ the result of an OpenID Connect flow.
+ properties:
+ accessToken:
+ description: AccessToken specifies to extract the
+ value from the OpenID Connect Access Token.
+ type: object
+ idToken:
+ description: IDToken specifies to extract the value
+ from the OpenID Connect ID Token.
+ properties:
+ claim:
+ description: Claim selects the JWT claim from
+ which to extract the value.
+ minLength: 1
+ type: string
+ required:
+ - claim
+ type: object
+ type: object
+ type: object
+ required:
+ - source
+ type: object
+ required:
+ - name
+ - value
+ type: object
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/jwks.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/jwks.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..a42859f
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/jwks.microgateway.airlock.com.yaml
@@ -0,0 +1,331 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: jwks.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: JWKS
+ listKind: JWKSList
+ plural: jwks
+ singular: jwks
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: JWKS provides a JSON Web Key Set.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the JWKS.
+ properties:
+ provider:
+ description: Provider configures the source from which to retrieve
+ the JWKS.
+ properties:
+ local:
+ description: Local specifies to retrieve the JWKS from a local
+ secret.
+ properties:
+ secretRef:
+ description: SecretRef selects the secret containing the
+ JWKS under the key 'jwks.json'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ remote:
+ description: Remote specifies to retrieve the JWKS from a remote
+ endpoint.
+ properties:
+ timeouts:
+ description: Timeouts specifies the timeouts when interacting
+ with the Token endpoint.
+ properties:
+ connect:
+ default: 5s
+ description: Connect specifies the timeout for establishing
+ a connection.
+ type: string
+ maxDuration:
+ default: 15s
+ description: MaxDuration specifies the response timeout.
+ type: string
+ type: object
+ tls:
+ description: TLS defines TLS settings.
+ properties:
+ certificateVerification:
+ description: CertificateVerification specifies how the
+ certificate presented by the server is verified.
+ properties:
+ custom:
+ description: |-
+ Custom explicitly specifies how the server certificate should be verified.
+ Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key.
+ properties:
+ allowedSANs:
+ description: "AllowedSANs is a list of matchers\
+ \ to verify the Subject Alternative name.\
+ \ If specified, it will verify that the\n\
+ Subject Alternative Name of the presented\
+ \ certificate matches one of the specified\
+ \ matchers. The matching uses \u201Cany\u201D\
+ \ semantics,\nthat is to say, the SAN is verified\
+ \ if at least one matcher is matched.\nAllowedSANs\
+ \ requires trustedCA to be set."
+ items:
+ description: |-
+ TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
+ Subject Alternative Name of the presented certificate matches one of the specified matchers.
+ properties:
+ matcher:
+ description: Matcher defines the string
+ matcher for the SAN value.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ sanType:
+ description: SanType defines the type
+ of SAN matcher.
+ enum:
+ - DNS
+ - Email
+ - URI
+ - IPAddress
+ type: string
+ required:
+ - matcher
+ - sanType
+ type: object
+ minItems: 1
+ type: array
+ certificatePinning:
+ description: |-
+ CertificatePinning defines constraints the presented certificate must fulfill.
+ If more than one constraint is configured only one must be satisfied.
+ At least one of allowedSPKIs and allowedHashes must be set.
+ properties:
+ allowedHashes:
+ description: |-
+ AllowedHashes is a list of hex-encoded SHA-256 hashes.
+ If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ allowedSPKIs:
+ description: |-
+ AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
+ If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ crl:
+ description: CRL defines the Certificate Revocation
+ List (CRL) settings.
+ properties:
+ lists:
+ description: Lists defines the list of secretRefs
+ containing Certificate Revocation Lists.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines the
+ reference to a secret containing
+ one or more CRL's (in PEM format)
+ under the key 'ca.crl'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ validationMode:
+ default: VerifyChain
+ description: ValidationMode defines whether
+ only the leaf certificate or also the
+ CA certs should be checked.
+ enum:
+ - VerifyLeafCertOnly
+ - VerifyChain
+ type: string
+ type: object
+ trustedCA:
+ description: TrustedCA defines which CA certificates
+ are trusted.
+ properties:
+ certificates:
+ description: Certificates defines the list
+ of secretRefs containing trusted CA certificates.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines the
+ reference to a secret containing
+ one or more CA certificates under
+ the key 'ca.crt'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ verificationDepth:
+ default: 1
+ description: |-
+ VerificationDepth specifies the hops in the certificate chain at which validation is performed.
+ 1 means that either the leaf or the signing CA must be in the set of trusted certificates.
+ format: int32
+ type: integer
+ required:
+ - certificates
+ type: object
+ type: object
+ disabled:
+ description: |-
+ Disabled specifies to trust any certificate without verification.
+ THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.
+ type: object
+ publicCAs:
+ description: PublicCAs specifies to only accept
+ certificates with a SAN matching "uri" and which
+ are signed by a CA which is either directly or
+ indirectly trusted by any of the root CA certificates
+ shipped with the Airlock Microgateway Engine's
+ base image.
+ type: object
+ type: object
+ ciphers:
+ description: Ciphers defines a list of the supported
+ TLS cipher suites. For details on cipher list refer
+ to the envoy documentation on cipher_suites in common
+ tls configuration.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ protocol:
+ description: Protocol defines the supported TLS protocol
+ versions.
+ properties:
+ maximum:
+ description: Maximum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ minimum:
+ description: Minimum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ type: object
+ type: object
+ uri:
+ description: URI specifies the endpoint address.
+ format: uri
+ minLength: 1
+ pattern: ^(http|https)://.*$
+ type: string
+ required:
+ - uri
+ type: object
+ type: object
+ required:
+ - provider
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/limits.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/limits.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..f82a8ab
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/limits.microgateway.airlock.com.yaml
@@ -0,0 +1,726 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: limits.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: Limits
+ listKind: LimitsList
+ plural: limits
+ singular: limits
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: Limits contains the configuration for limits.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired limits behavior.
+ properties:
+ request:
+ description: Request defines the limits for requests.
+ properties:
+ limited:
+ description: Limited enables limits on request scope.
+ properties:
+ exceptions:
+ description: Exceptions defines limit exceptions.
+ items:
+ description: LimitsException defines an exception for
+ limits.
+ properties:
+ length:
+ description: Length defines an exception for length
+ limits based on the data element exceeding the limit.
+ properties:
+ graphQL:
+ description: GraphQL defines a field, argument
+ or value length limit exception for a GraphQL
+ query.
+ properties:
+ argument:
+ description: |-
+ Argument restricts the exception to GraphQL queries with a matching argument of a field.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ field:
+ description: |-
+ Field restricts the exception to GraphQL queries with a matching field.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: |-
+ Value restricts the exception to GraphQL queries with a matching argument value.
+ At least one of field, argument and value must be set.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ json:
+ description: JSON defines a key and value length
+ limit exception for a JSON property.
+ properties:
+ jsonPath:
+ description: |-
+ JSONPath restricts the exception to JSON properties with a matching JSONPath.
+ Expressions in JSONPath i.e. `?(expr)` are not supported.
+ minLength: 1
+ type: string
+ required:
+ - jsonPath
+ type: object
+ parameter:
+ description: Parameter defines a name and value
+ length limit exception for a parameter.
+ properties:
+ name:
+ description: Name restricts the exception
+ to parameters with a matching name.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ source:
+ default: Any
+ description: Source restricts the exception
+ to parameters of this kind.
+ enum:
+ - Query
+ - Post
+ - Any
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in order
+ for this exception to apply.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request
+ condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media
+ type from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of
+ a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or
+ IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the
+ match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ type: object
+ type: array
+ general:
+ description: General defines general request limits.
+ properties:
+ bodySize:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 100Mi
+ description: BodySize limits the total size of the request
+ body. It specifies the number of bytes (0 = unlimited).
+ This limit is effective for any request not processed
+ by one of the content parsers (e.g. json) as configured
+ in the Parser CRD. **Note** This limit does not apply
+ to WebSocket or gRPC traffic.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ pathLength:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 1Ki
+ description: PathLength defines the maximum path length
+ for all requests (parsed and unparsed).
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ graphQL:
+ description: GraphQL defines the limits for GraphQL requests.
+ properties:
+ nestingDepth:
+ default: 10
+ description: NestingDepth defines the maximum depth
+ of nesting for GraphQL objects.
+ format: int64
+ type: integer
+ querySize:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 1Ki
+ description: QuerySize defines the maximum size for
+ GraphQL queries.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ valueLength:
+ anyOf:
+ - type: integer
+ - type: string
+ default: '256'
+ description: ValueLength defines the maximum length
+ for GraphQL values.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ json:
+ description: JSON defines the limits for JSON requests.
+ properties:
+ bodySize:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 100Ki
+ description: BodySize limits the total size of the JSON
+ request body. It specifies the number of bytes (0
+ = unlimited).
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ elementCount:
+ default: 10000
+ description: ElementCount defines the maximum number
+ of keys and array items in the whole JSON document
+ (recursive).
+ format: int64
+ type: integer
+ keyCount:
+ default: 250
+ description: KeyCount defines the maximum number of
+ keys of a single JSON object (non-recursive).
+ format: int64
+ type: integer
+ keyLength:
+ anyOf:
+ - type: integer
+ - type: string
+ default: '128'
+ description: KeyLength defines the maximum length for
+ JSON keys.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ nestingDepth:
+ default: 100
+ description: NestingDepth defines the maximum depth
+ of nesting for JSON objects and JSON arrays.
+ format: int64
+ type: integer
+ valueLength:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Ki
+ description: ValueLength defines the maximum length
+ for JSON values.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ multipart:
+ description: Multipart defines the limits for Multipart
+ requests.
+ properties:
+ bodySize:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 100Mi
+ description: BodySize limits the total size of the Multipart
+ request body. It specifies the number of bytes (0
+ = unlimited).
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ parameter:
+ description: Parameter defines the limits for request parameters.
+ properties:
+ bodySize:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 100Ki
+ description: BodySize limits the total size of the form
+ data body. It specifies the number of bytes (0 = unlimited).
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ count:
+ default: 128
+ description: Count defines the maximum number of request
+ parameters.
+ format: int64
+ type: integer
+ nameLength:
+ anyOf:
+ - type: integer
+ - type: string
+ default: '128'
+ description: NameLength defines the maximum length for
+ parameter names.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ valueLength:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 8Ki
+ description: ValueLength defines the maximum length
+ for parameter values.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ unlimited:
+ description: Unlimited disables all limits on request scope.
+ type: object
+ type: object
+ settings:
+ description: Settings configures the limits filter.
+ properties:
+ threatHandlingMode:
+ default: Block
+ description: ThreatHandlingMode specifies how threats should
+ be handled when a limit hits.
+ enum:
+ - Block
+ - LogOnly
+ type: string
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/oidcproviders.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/oidcproviders.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..5693388
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/oidcproviders.microgateway.airlock.com.yaml
@@ -0,0 +1,651 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: oidcproviders.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: OIDCProvider
+ listKind: OIDCProviderList
+ plural: oidcproviders
+ singular: oidcprovider
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ OIDCProvider specifies an OpenID Provider (OP).
+
+ {{% notice info %}} The OIDC feature requires SessionHandling to be configured in the SidecarGateway. {{% /notice %}}
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of an OpenID Provider.
+ properties:
+ static:
+ description: Static configures an OpenID Provider by explicitly
+ specifying all endpoints.
+ properties:
+ endpoints:
+ description: Endpoints specifies the OpenID Provider endpoints.
+ properties:
+ authorization:
+ description: Authorization specifies the endpoint to which
+ the authorization request is sent.
+ properties:
+ uri:
+ description: URI specifies the endpoint address.
+ format: uri
+ minLength: 1
+ pattern: ^(http|https)://.*$
+ type: string
+ required:
+ - uri
+ type: object
+ introspection:
+ description: Introspection configures the endpoint to which
+ the introspection request to validate access tokens is
+ sent.
+ properties:
+ timeouts:
+ description: Timeouts specifies the timeouts when interacting
+ with the Token endpoint.
+ properties:
+ connect:
+ default: 5s
+ description: Connect specifies the timeout for establishing
+ a connection.
+ type: string
+ maxDuration:
+ default: 15s
+ description: MaxDuration specifies the response
+ timeout.
+ type: string
+ type: object
+ tls:
+ description: TLS defines TLS settings.
+ properties:
+ certificateVerification:
+ description: CertificateVerification specifies how
+ the certificate presented by the server is verified.
+ properties:
+ custom:
+ description: |-
+ Custom explicitly specifies how the server certificate should be verified.
+ Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key.
+ properties:
+ allowedSANs:
+ description: "AllowedSANs is a list of matchers\
+ \ to verify the Subject Alternative name.\
+ \ If specified, it will verify that the\n\
+ Subject Alternative Name of the presented\
+ \ certificate matches one of the specified\
+ \ matchers. The matching uses \u201Cany\u201D\
+ \ semantics,\nthat is to say, the SAN\
+ \ is verified if at least one matcher\
+ \ is matched.\nAllowedSANs requires trustedCA\
+ \ to be set."
+ items:
+ description: |-
+ TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
+ Subject Alternative Name of the presented certificate matches one of the specified matchers.
+ properties:
+ matcher:
+ description: Matcher defines the string
+ matcher for the SAN value.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should
+ be case-insensitive. In case
+ of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ sanType:
+ description: SanType defines the type
+ of SAN matcher.
+ enum:
+ - DNS
+ - Email
+ - URI
+ - IPAddress
+ type: string
+ required:
+ - matcher
+ - sanType
+ type: object
+ minItems: 1
+ type: array
+ certificatePinning:
+ description: |-
+ CertificatePinning defines constraints the presented certificate must fulfill.
+ If more than one constraint is configured only one must be satisfied.
+ At least one of allowedSPKIs and allowedHashes must be set.
+ properties:
+ allowedHashes:
+ description: |-
+ AllowedHashes is a list of hex-encoded SHA-256 hashes.
+ If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ allowedSPKIs:
+ description: |-
+ AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
+ If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ crl:
+ description: CRL defines the Certificate
+ Revocation List (CRL) settings.
+ properties:
+ lists:
+ description: Lists defines the list
+ of secretRefs containing Certificate
+ Revocation Lists.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines
+ the reference to a secret containing
+ one or more CRL's (in PEM format)
+ under the key 'ca.crl'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ validationMode:
+ default: VerifyChain
+ description: ValidationMode defines
+ whether only the leaf certificate
+ or also the CA certs should be checked.
+ enum:
+ - VerifyLeafCertOnly
+ - VerifyChain
+ type: string
+ type: object
+ trustedCA:
+ description: TrustedCA defines which CA
+ certificates are trusted.
+ properties:
+ certificates:
+ description: Certificates defines the
+ list of secretRefs containing trusted
+ CA certificates.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines
+ the reference to a secret containing
+ one or more CA certificates
+ under the key 'ca.crt'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ verificationDepth:
+ default: 1
+ description: |-
+ VerificationDepth specifies the hops in the certificate chain at which validation is performed.
+ 1 means that either the leaf or the signing CA must be in the set of trusted certificates.
+ format: int32
+ type: integer
+ required:
+ - certificates
+ type: object
+ type: object
+ disabled:
+ description: |-
+ Disabled specifies to trust any certificate without verification.
+ THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.
+ type: object
+ publicCAs:
+ description: PublicCAs specifies to only accept
+ certificates with a SAN matching "uri" and
+ which are signed by a CA which is either directly
+ or indirectly trusted by any of the root CA
+ certificates shipped with the Airlock Microgateway
+ Engine's base image.
+ type: object
+ type: object
+ ciphers:
+ description: Ciphers defines a list of the supported
+ TLS cipher suites. For details on cipher list
+ refer to the envoy documentation on cipher_suites
+ in common tls configuration.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ protocol:
+ description: Protocol defines the supported TLS
+ protocol versions.
+ properties:
+ maximum:
+ description: Maximum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ minimum:
+ description: Minimum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ type: object
+ type: object
+ uri:
+ description: URI specifies the endpoint address.
+ format: uri
+ minLength: 1
+ pattern: ^(http|https)://.*$
+ type: string
+ required:
+ - uri
+ type: object
+ token:
+ description: Token configures the endpoint from which the
+ access, ID and refresh tokens are obtained.
+ properties:
+ timeouts:
+ description: Timeouts specifies the timeouts when interacting
+ with the Token endpoint.
+ properties:
+ connect:
+ default: 5s
+ description: Connect specifies the timeout for establishing
+ a connection.
+ type: string
+ maxDuration:
+ default: 15s
+ description: MaxDuration specifies the response
+ timeout.
+ type: string
+ type: object
+ tls:
+ description: TLS defines TLS settings.
+ properties:
+ certificateVerification:
+ description: CertificateVerification specifies how
+ the certificate presented by the server is verified.
+ properties:
+ custom:
+ description: |-
+ Custom explicitly specifies how the server certificate should be verified.
+ Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key.
+ properties:
+ allowedSANs:
+ description: "AllowedSANs is a list of matchers\
+ \ to verify the Subject Alternative name.\
+ \ If specified, it will verify that the\n\
+ Subject Alternative Name of the presented\
+ \ certificate matches one of the specified\
+ \ matchers. The matching uses \u201Cany\u201D\
+ \ semantics,\nthat is to say, the SAN\
+ \ is verified if at least one matcher\
+ \ is matched.\nAllowedSANs requires trustedCA\
+ \ to be set."
+ items:
+ description: |-
+ TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
+ Subject Alternative Name of the presented certificate matches one of the specified matchers.
+ properties:
+ matcher:
+ description: Matcher defines the string
+ matcher for the SAN value.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should
+ be case-insensitive. In case
+ of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ sanType:
+ description: SanType defines the type
+ of SAN matcher.
+ enum:
+ - DNS
+ - Email
+ - URI
+ - IPAddress
+ type: string
+ required:
+ - matcher
+ - sanType
+ type: object
+ minItems: 1
+ type: array
+ certificatePinning:
+ description: |-
+ CertificatePinning defines constraints the presented certificate must fulfill.
+ If more than one constraint is configured only one must be satisfied.
+ At least one of allowedSPKIs and allowedHashes must be set.
+ properties:
+ allowedHashes:
+ description: |-
+ AllowedHashes is a list of hex-encoded SHA-256 hashes.
+ If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ allowedSPKIs:
+ description: |-
+ AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
+ If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ crl:
+ description: CRL defines the Certificate
+ Revocation List (CRL) settings.
+ properties:
+ lists:
+ description: Lists defines the list
+ of secretRefs containing Certificate
+ Revocation Lists.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines
+ the reference to a secret containing
+ one or more CRL's (in PEM format)
+ under the key 'ca.crl'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ validationMode:
+ default: VerifyChain
+ description: ValidationMode defines
+ whether only the leaf certificate
+ or also the CA certs should be checked.
+ enum:
+ - VerifyLeafCertOnly
+ - VerifyChain
+ type: string
+ type: object
+ trustedCA:
+ description: TrustedCA defines which CA
+ certificates are trusted.
+ properties:
+ certificates:
+ description: Certificates defines the
+ list of secretRefs containing trusted
+ CA certificates.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines
+ the reference to a secret containing
+ one or more CA certificates
+ under the key 'ca.crt'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ verificationDepth:
+ default: 1
+ description: |-
+ VerificationDepth specifies the hops in the certificate chain at which validation is performed.
+ 1 means that either the leaf or the signing CA must be in the set of trusted certificates.
+ format: int32
+ type: integer
+ required:
+ - certificates
+ type: object
+ type: object
+ disabled:
+ description: |-
+ Disabled specifies to trust any certificate without verification.
+ THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.
+ type: object
+ publicCAs:
+ description: PublicCAs specifies to only accept
+ certificates with a SAN matching "uri" and
+ which are signed by a CA which is either directly
+ or indirectly trusted by any of the root CA
+ certificates shipped with the Airlock Microgateway
+ Engine's base image.
+ type: object
+ type: object
+ ciphers:
+ description: Ciphers defines a list of the supported
+ TLS cipher suites. For details on cipher list
+ refer to the envoy documentation on cipher_suites
+ in common tls configuration.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ protocol:
+ description: Protocol defines the supported TLS
+ protocol versions.
+ properties:
+ maximum:
+ description: Maximum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ minimum:
+ description: Minimum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ type: object
+ type: object
+ uri:
+ description: URI specifies the endpoint address.
+ format: uri
+ minLength: 1
+ pattern: ^(http|https)://.*$
+ type: string
+ required:
+ - uri
+ type: object
+ required:
+ - authorization
+ - token
+ type: object
+ issuer:
+ description: Issuer specifies the unique identifier of the OIDC
+ Provider, which is used e.g. for signature verification.
+ format: uri
+ minLength: 1
+ pattern: ^(http|https)://.*$
+ type: string
+ tokenValidation:
+ description: TokenValidation configures token validation.
+ properties:
+ idToken:
+ description: IDToken configures validation for the OIDC
+ ID Token.
+ properties:
+ signatureVerification:
+ description: SignatureVerification specifies how to
+ verify the ID Token signature.
+ properties:
+ disabled:
+ description: Disabled specifies to skip verification
+ of the JWT signature. Not recommended for production
+ environments.
+ type: object
+ jwksRef:
+ description: JwksRef specifies the JWKS to use for
+ verifying the JWT signature (usually provided
+ by the OpenID Provider).
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ required:
+ - signatureVerification
+ type: object
+ required:
+ - idToken
+ type: object
+ required:
+ - endpoints
+ - issuer
+ - tokenValidation
+ type: object
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/oidcrelyingparties.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/oidcrelyingparties.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..7bb90e6
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/oidcrelyingparties.microgateway.airlock.com.yaml
@@ -0,0 +1,245 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: oidcrelyingparties.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: OIDCRelyingParty
+ listKind: OIDCRelyingPartyList
+ plural: oidcrelyingparties
+ singular: oidcrelyingparty
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ OIDCRelyingParty specifies how the Airlock Microgateway Engine interacts with an OpenID Provider (OP).
+
+ {{% notice info %}} The OIDC feature requires SessionHandling to be configured in the SidecarGateway. {{% /notice %}}
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the OIDC Relying Party configuration.
+ properties:
+ clientID:
+ description: ClientID specifies the OIDCRelyingParty "client_id".
+ minLength: 1
+ type: string
+ credentials:
+ description: Credentials used for client authentication on the back-channel
+ with the authorization server.
+ properties:
+ clientSecret:
+ description: ClientSecret authenticates with the client password
+ issued by the OpenID Provider (OP).
+ properties:
+ method:
+ default: BasicAuth
+ description: Method specifies in which format the client
+ secret is sent with the authorization request.
+ enum:
+ - BasicAuth
+ - FormURLEncoded
+ type: string
+ secretRef:
+ description: SecretRef specifies the kubernetes secret containing
+ the client password with key "client.secret".
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ required:
+ - clientSecret
+ type: object
+ flowTimeout:
+ default: 5m
+ description: FlowTimeout specifies the time window within which
+ an initiated OIDC flow can be completed by the client.
+ type: string
+ oidcProviderRef:
+ description: OIDCProviderRef selects the OpenID Provider (OP) used
+ to authenticate users.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ pathMapping:
+ description: PathMapping configures the action matching.
+ properties:
+ logoutPath:
+ description: |-
+ LogoutPath specifies which request paths should initiate a logout.
+
+ WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently ensure that it also matches these logout requests.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether the matching
+ should be case-insensitive. In case of a regex match,
+ the regex gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ redirectPath:
+ description: |-
+ RedirectPath specifies which request paths should be interpreted as a callback redirect from the authorization endpoint.
+
+ WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently ensure that it also matches these callback redirect requests.
+ properties:
+ matcher:
+ description: StringMatcher defines the way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether the matching
+ should be case-insensitive. In case of a regex match,
+ the regex gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ required:
+ - logoutPath
+ - redirectPath
+ type: object
+ redirectURI:
+ description: |-
+ RedirectURI configures the "redirect_uri" parameter included in the authorization request.
+ May contain envoy command operators, e.g.: `%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback`
+
+ WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently
+ ensure that it also matches requests to this URI.
+ minLength: 1
+ type: string
+ scopes:
+ description: |-
+ Scopes specifies the scopes to request during the OIDC flow.
+ The mandatory `openid` scope is implicitly added to the list if not already present.
+ Default: `['openid', 'profile']`
+
+ Note: Different OIDCRelyingParties which use the same OIDC Provider and Client ID must request the same scopes for now.
+ items:
+ minLength: 1
+ type: string
+ type: array
+ required:
+ - clientID
+ - credentials
+ - oidcProviderRef
+ - pathMapping
+ - redirectURI
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/openapis.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/openapis.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..d4028cc
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/openapis.microgateway.airlock.com.yaml
@@ -0,0 +1,188 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: openapis.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: OpenAPI
+ listKind: OpenAPIList
+ plural: openapis
+ singular: openapi
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: OpenAPI contains the configuration for the OpenAPI specification.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired OpenAPI specification.
+ properties:
+ response:
+ description: Response defines the validation behaviour for responses.
+ properties:
+ secured:
+ description: Secured enables response checking.
+ properties:
+ validation:
+ default: Lax
+ description: Validation defines the validation mode for
+ responses.
+ enum:
+ - Lax
+ - Strict
+ type: string
+ type: object
+ unsecured:
+ description: Unsecured disables response checking.
+ type: object
+ type: object
+ settings:
+ description: Settings defines the settings to configure OpenAPI
+ specification enforcement.
+ properties:
+ logging:
+ description: Logging specifies the access log behavior.
+ properties:
+ maxFailedSubvalidations:
+ default: 10
+ description: MaxFailedSubvalidations defines the maximum
+ number of failed subvalidations being logged.
+ format: int64
+ type: integer
+ type: object
+ schema:
+ description: Schema configures the OpenAPI specification.
+ properties:
+ source:
+ description: Source specifies the OpenAPI specification
+ to be enforced.
+ properties:
+ configMapRef:
+ description: ConfigMapRef references the configmap by
+ its name containing the well-known key `openapi.json`.
+ Use the `data` field for plaintext or the `binaryData`
+ for compressed data. Supported compression formats
+ are zstd, gzip or zip.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ required:
+ - source
+ type: object
+ threatHandlingMode:
+ default: Block
+ description: ThreatHandlingMode specifies how threats should
+ be handled.
+ enum:
+ - Block
+ - LogOnly
+ type: string
+ validation:
+ description: Validation specifies the patterns for the validation
+ behavior.
+ properties:
+ authentication:
+ description: Authentication defines the settings for the
+ authentication scheme.
+ properties:
+ oAuth2:
+ description: OAuth2 specifies the OAuth2 parameters.
+ properties:
+ allowedParameters:
+ description: AllowedParameters specifies the allowed
+ parameters for the authentication scheme.
+ properties:
+ builtIn:
+ description: BuiltIn allows configuring a set
+ of predefined allowed parameters.
+ properties:
+ standardParameters:
+ default: true
+ description: StandardParameters defines
+ whether the allowed parameters should
+ be expanded by the set of common parameters.
+ type: boolean
+ type: object
+ custom:
+ description: Custom allows configuring additional
+ allowed parameters.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ type: object
+ oidc:
+ description: Oidc specifies the OIDC parameters.
+ properties:
+ allowedParameters:
+ description: AllowedParameters specifies the allowed
+ parameters for the authentication scheme.
+ properties:
+ builtIn:
+ description: BuiltIn allows configuring a set
+ of predefined allowed parameters.
+ properties:
+ standardParameters:
+ default: true
+ description: StandardParameters defines
+ whether the allowed parameters should
+ be expanded by the set of common parameters.
+ type: boolean
+ type: object
+ custom:
+ description: Custom allows configuring additional
+ allowed parameters.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ type: object
+ type: object
+ type: object
+ required:
+ - schema
+ type: object
+ required:
+ - settings
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/parsers.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/parsers.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..c24f00c
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/parsers.microgateway.airlock.com.yaml
@@ -0,0 +1,402 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: parsers.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: Parser
+ listKind: ParserList
+ plural: parsers
+ singular: parser
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: Parser contains the configuration for content parsers (default
+ and custom).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired parser behavior.
+ properties:
+ request:
+ description: Request defines the parsing for downstream requests.
+ properties:
+ custom:
+ description: Custom allows configuring additional rules for
+ parser selection.
+ properties:
+ rules:
+ description: |-
+ Rules defines a custom set prepended before built-in rules of enabled request parsers.
+ Disable all built-in parsers to overrule them completely.
+ items:
+ properties:
+ action:
+ description: |-
+ Action specifies what should happen when a request condition matches.
+ Only one of parse or skip can be set.
+ properties:
+ parse:
+ description: Parse activates the configured parser.
+ properties:
+ form:
+ description: Form activates the Form parser.
+ type: object
+ json:
+ description: JSON activates the JSON parser.
+ type: object
+ multipart:
+ description: Multipart activates the multipart
+ parser.
+ type: object
+ type: object
+ skip:
+ description: Skip disables any content parsing
+ type: object
+ type: object
+ requestConditions:
+ description: RequestConditions defines additional
+ request properties which must be matched in order
+ for this rule to apply.
+ properties:
+ header:
+ description: Header defines the matching headers
+ of a request.
+ properties:
+ name:
+ description: Name defines the name of a header.
+ properties:
+ matcher:
+ description: Matcher defines the way to
+ match a string. In comparison to a normal
+ StringMatcher, a value is always matched
+ ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ value:
+ description: Value defines the value of a
+ header.
+ properties:
+ matcher:
+ description: StringMatcher defines the
+ way to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ type: object
+ invert:
+ default: false
+ description: Invert indicates whether the request
+ condition should be inverted.
+ type: boolean
+ mediaType:
+ description: MediaType defines the matching media
+ type from the content-type header of a request.
+ properties:
+ matcher:
+ description: |-
+ NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
+ In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ method:
+ description: Method defines the matching methods
+ of a request.
+ items:
+ description: Method defines common HTTP methods.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ type: string
+ type: array
+ path:
+ description: Path defines the matching path of
+ a request.
+ properties:
+ matcher:
+ description: StringMatcher defines the way
+ to match a string.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates whether
+ the matching should be case-insensitive.
+ In case of a regex match, the regex
+ gets wrapped with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - matcher
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines the matching remote IPs of a request.
+ Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.
+ properties:
+ cidrRanges:
+ description: CIDRRanges defines the IPv4 or
+ IPv6 CIDR ranges, e.g. ``196.148.3.128/26``
+ or ``2001:db8::/28``.
+ items:
+ description: "CIDRRange defines an IPv4\
+ \ or IPv6 CIDR range, e.g. \u201C196.148.3.128/26\u201C\
+ \ or \u201C2001:db8::/28\u201C."
+ format: cidr
+ type: string
+ minItems: 1
+ type: array
+ invert:
+ default: false
+ description: Invert indicates whether the
+ match should be inverted.
+ type: boolean
+ required:
+ - cidrRanges
+ type: object
+ type: object
+ required:
+ - action
+ - requestConditions
+ type: object
+ type: array
+ type: object
+ defaultContentType:
+ default: application/x-www-form-urlencoded
+ description: DefaultContentType specifies the content-type header
+ which should be injected into the request before parser selection
+ if it is not already present and the request has a body.
+ minLength: 1
+ type: string
+ parsers:
+ description: Parsers defines the configuration for the available
+ content parsers.
+ properties:
+ form:
+ description: Form defines the configuration for the form
+ parser.
+ properties:
+ enable:
+ default: true
+ description: Enable defines whether form payloads are
+ inspected.
+ type: boolean
+ mediaTypePattern:
+ default: .*urlencoded.*
+ description: MediaTypePattern is a regex specifying
+ the media types for which the request body should
+ be treated as form arguments.
+ minLength: 1
+ type: string
+ type: object
+ json:
+ description: JSON defines the configuration for the JSON
+ parser.
+ properties:
+ enable:
+ default: true
+ description: Enable defines whether json payloads are
+ inspected.
+ type: boolean
+ mediaTypePattern:
+ default: .*json.*
+ description: MediaTypePattern is a regex specifying
+ the media types for which the request body should
+ be treated as JSON.
+ minLength: 1
+ type: string
+ type: object
+ multipart:
+ description: Multipart defines the configuration for the
+ multipart parser.
+ properties:
+ enable:
+ default: true
+ description: Enable defines whether multipart payloads
+ are inspected.
+ type: boolean
+ mediaTypePattern:
+ default: .*multipart.*
+ description: MediaTypePattern is a regex specifying
+ the media types for which the request body should
+ be treated as a multipart payload.
+ minLength: 1
+ type: string
+ type: object
+ type: object
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/redisproviders.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/redisproviders.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..c493cfe
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/redisproviders.microgateway.airlock.com.yaml
@@ -0,0 +1,258 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: redisproviders.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: RedisProvider
+ listKind: RedisProviderList
+ plural: redisproviders
+ singular: redisprovider
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: RedisProvider contains a client configuration for connecting
+ to a Redis database.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of a Redis database client configuration.
+ properties:
+ auth:
+ description: Auth specifies the Redis credentials.
+ properties:
+ password:
+ description: Password specifies the Redis password.
+ properties:
+ secretRef:
+ description: SecretRef selects the secret containing the
+ Redis password under the key 'redis.password'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ username:
+ default: default
+ description: Username specifies the Redis username to authenticate
+ with.
+ minLength: 1
+ pattern: ^[^\s]+$
+ type: string
+ required:
+ - password
+ type: object
+ mode:
+ description: Mode configures the redis deployment mode.
+ properties:
+ cluster:
+ description: Cluster specifies the Redis Cluster to connect
+ to.
+ properties:
+ nodes:
+ description: Nodes specifies the Cluster nodes.
+ items:
+ properties:
+ host:
+ description: Host specifies the IP or hostname.
+ minLength: 1
+ pattern: ^(\d{1,3}(\.\d{1,3}){3}|([0-9a-fA-F]{1,4}|:)+(:\d{1,3}(\.\d{1,3}){3})?|[a-z0-9\-]+(\.[a-z0-9\-]+)*)$
+ type: string
+ port:
+ default: 6379
+ description: Port specifies the port.
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - host
+ type: object
+ minItems: 1
+ type: array
+ required:
+ - nodes
+ type: object
+ sentinel:
+ description: Sentinel specifies the Redis Sentinels to connect
+ to.
+ properties:
+ masterName:
+ description: MasterName specifies the master name.
+ minLength: 1
+ type: string
+ nodes:
+ description: Nodes specifies the Sentinel nodes.
+ items:
+ properties:
+ host:
+ description: Host specifies the IP or hostname.
+ minLength: 1
+ pattern: ^(\d{1,3}(\.\d{1,3}){3}|([0-9a-fA-F]{1,4}|:)+(:\d{1,3}(\.\d{1,3}){3})?|[a-z0-9\-]+(\.[a-z0-9\-]+)*)$
+ type: string
+ port:
+ default: 6379
+ description: Port specifies the port.
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - host
+ type: object
+ minItems: 1
+ type: array
+ required:
+ - masterName
+ - nodes
+ type: object
+ standalone:
+ description: Standalone specifies the standalone Redis instance
+ to connect to.
+ properties:
+ host:
+ description: Host specifies the IP or hostname.
+ minLength: 1
+ pattern: ^(\d{1,3}(\.\d{1,3}){3}|([0-9a-fA-F]{1,4}|:)+(:\d{1,3}(\.\d{1,3}){3})?|[a-z0-9\-]+(\.[a-z0-9\-]+)*)$
+ type: string
+ port:
+ default: 6379
+ description: Port specifies the port.
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - host
+ type: object
+ type: object
+ timeouts:
+ description: Timeouts specifies the timeouts when interacting with
+ the Redis endpoint.
+ properties:
+ connect:
+ default: 5s
+ description: Connect specifies the timeout for establishing
+ a connection.
+ type: string
+ maxDuration:
+ default: 2s
+ description: MaxDuration specifies the response timeout.
+ type: string
+ type: object
+ tls:
+ description: TLS defines TLS settings. If not specified, TLS is
+ disabled i.e. unencrypted TCP is used when connecting to the Redis
+ instance.
+ properties:
+ certificateVerification:
+ description: CertificateVerification specifies how the certificate
+ presented by the server is verified.
+ properties:
+ custom:
+ description: Custom explicitly specifies how the server
+ certificate should be verified.
+ properties:
+ trustedCA:
+ description: TrustedCA defines which CA certificates
+ are trusted.
+ properties:
+ certificates:
+ description: Certificates defines the list of secretRefs
+ containing trusted CA certificates.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines the reference
+ to a secret containing one or more CA certificates
+ under the key 'ca.crt'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ required:
+ - certificates
+ type: object
+ required:
+ - trustedCA
+ type: object
+ disabled:
+ description: 'Disabled specifies to trust any certificate
+ without verification. THIS IS INSECURE AND SHOULD ONLY
+ BE USED FOR TESTING. Note: This setting currently also
+ disables TLS SNI.'
+ type: object
+ publicCAs:
+ description: "PublicCAs specifies to only accept certificates\
+ \ with a SAN matching the host and which are signed by\
+ \ a CA which is either directly or indirectly trusted\
+ \ by any of the root CA certificates shipped with the\
+ \ Airlock Microgateway Session Agent\u2019s base image."
+ type: object
+ type: object
+ clientCertificate:
+ description: ClientCertificate configures client certificate
+ authentication. If not specified, TLS-based client authentication
+ is disabled.
+ properties:
+ secretRef:
+ description: SecretRef specifies the client certificate
+ to use (secret of type kubernetes.io/tls).
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ type: object
+ required:
+ - mode
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/sessionhandlings.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/sessionhandlings.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..ec06d87
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/sessionhandlings.microgateway.airlock.com.yaml
@@ -0,0 +1,92 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: sessionhandlings.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: SessionHandling
+ listKind: SessionHandlingList
+ plural: sessionhandlings
+ singular: sessionhandling
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: SessionHandling contains the configuration for session handling.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired session handling behavior.
+ properties:
+ defaultTimeouts:
+ description: DefaultTimeouts specifies the session timeouts to apply
+ when not provided by the authentication method.
+ properties:
+ lifetime:
+ default: 12h
+ description: Lifetime specifies the maximum duration a session
+ can exist.
+ type: string
+ type: object
+ persistence:
+ description: Persistence configures where to store the session state.
+ properties:
+ redisProviderRef:
+ description: RedisProviderRef specifies to cache session information
+ in the provided Redis instance.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - redisProviderRef
+ type: object
+ prefix:
+ description: |-
+ Prefix specifies the prefix under which the sessions should be stored in the persistence layer.
+ If not specified, an automatic prefix derived from the namespaced SessionHandling CR name is used, which ensures that sessions will always be isolated on Microgateways configured with different SessionHandling CRs, even if they share the same persistence backend.
+
+ To allow session sharing between different Microgateway deployments, ensure that the prefix and persistence backend is the same across all corresponding SessionHandling CRs.
+
+ Note: Session cookies are currently never shared across different fully qualified domain names (FQDNs) and authentication via different OIDC Relying Parties generates different session cookies. Clients will therefore only able to transparently reuse session cookies for connecting to different Microgateway deployments if those are a) exposed under the same FQDN and b) handle authentication via the same OIDC Relying Party.
+ maxLength: 64
+ minLength: 1
+ pattern: ^[a-zA-Z][a-zA-Z0-9_]*$
+ type: string
+ required:
+ - persistence
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/sidecargateways.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/sidecargateways.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..96dc91e
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/sidecargateways.microgateway.airlock.com.yaml
@@ -0,0 +1,868 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: sidecargateways.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: SidecarGateway
+ listKind: SidecarGatewayList
+ plural: sidecargateways
+ singular: sidecargateway
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .status.status
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: SidecarGateway contains the configuration how to configure
+ the Airlock Microgateway Engine when used as Sidecar Container within
+ the Pod of an application.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired sidecar gateway behavior.
+ properties:
+ applications:
+ description: Applications defines applications which run on different
+ ports.
+ items:
+ properties:
+ containerPort:
+ default: 8080
+ description: |-
+ ContainerPort refers to the container port.
+ This must be a valid port number, 0 < x < 65536.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ downstream:
+ description: Downstream defines the downstream configuration
+ for this application
+ properties:
+ protocol:
+ description: |-
+ Protocol defines the exposed HTTP protocol version. At most one of http1, http2 and auto can be set.
+ Default: auto: {}
+ properties:
+ auto:
+ description: Auto specifies that the protocol should
+ be inferred.
+ properties:
+ http2:
+ description: HTTP2 specifies the settings for
+ when HTTP/2 is inferred.
+ properties:
+ allowConnect:
+ default: false
+ description: Allows proxying Websocket and
+ other upgrades over H2 connect.
+ type: boolean
+ type: object
+ type: object
+ http1:
+ description: HTTP1 specifies that the client is assumed
+ to speak HTTP/1.1.
+ type: object
+ http2:
+ description: HTTP2 specifies that the client is assumed
+ to speak HTTP/2.
+ properties:
+ allowConnect:
+ default: false
+ description: Allows proxying Websocket and other
+ upgrades over H2 connect.
+ type: boolean
+ type: object
+ type: object
+ remoteIP:
+ description: |-
+ RemoteIP defines how the remote IP of a client is propagated.
+ Default: xff: {...}
+ properties:
+ connectionIP:
+ description: ConnectionIP configures to use the source
+ IP address of the direct downstream connection.
+ type: object
+ customHeader:
+ description: CustomHeader specifies to use a custom
+ header for remote IP extraction.
+ properties:
+ headerName:
+ description: HeaderName specifies the name of
+ the custom header containing the remote IP.
+ minLength: 1
+ type: string
+ required:
+ default: true
+ description: Required specifies if the custom
+ header is required. If true and not available
+ the request will be rejected with 403.
+ type: boolean
+ required:
+ - headerName
+ type: object
+ xff:
+ description: XFF configures to use the standard 'X-Forwarded-For'
+ header for IP extraction.
+ properties:
+ numTrustedHops:
+ default: 1
+ description: NumTrustedHops specifies to extract
+ the client's originating IP from the nth rightmost
+ entry in the X-Forwarded-For header. With the
+ default value of 1, the IP is extracted from
+ the rightmost entry.
+ format: int32
+ minimum: 1
+ type: integer
+ type: object
+ type: object
+ requestNormalizations:
+ description: RequestNormalizations defines a set of normalization
+ actions which are applied to the request before route
+ matching.
+ properties:
+ mergeSlashes:
+ default: true
+ description: MergeSlashes ensures that adjacent slashes
+ in the path are merged into one.
+ type: boolean
+ normalizePath:
+ default: true
+ description: NormalizePath ensures normalization according
+ to RFC 3986 without case normalization.
+ type: boolean
+ type: object
+ restrictions:
+ description: Restrictions defines restrictions for downstream.
+ properties:
+ http:
+ description: HTTP defines limits for the HTTP protocol.
+ properties:
+ headersLength:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 60Ki
+ description: HeadersLength defines maximum size
+ of all request headers combined. Requests that
+ exceed this limit will receive a 431 response.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ timeouts:
+ description: Timeouts defines timeouts for downstream
+ properties:
+ http:
+ description: HTTP defines the settings for HTTP timeouts.
+ properties:
+ idle:
+ default: 5m
+ description: |-
+ Idle defines the settings for the idle timeout when no data is sent or received.
+ A value of 0 will completely disable the timeout.
+ Default: 5m
+ type: string
+ maxDuration:
+ default: 5m
+ description: |-
+ MaxDuration defines the total duration for a HTTP request/response stream.
+ A value of 0 will completely disable the timeout.
+ Default: 5m
+ type: string
+ requestHeaders:
+ default: 10s
+ description: |-
+ RequestHeaders defines the duration before all request headers must be received.
+ A value of 0 will completely disable the timeout.
+ Default: 10s
+ type: string
+ type: object
+ type: object
+ tls:
+ description: TLS defines the TLS settings.
+ properties:
+ ciphers:
+ description: Ciphers defines a list of the supported
+ TLS cipher suites. For details on cipher list refer
+ to the envoy documentation on cipher_suites in common
+ tls configuration.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ clientCertificate:
+ description: |-
+ ClientCertificate defines the TLS settings for verification of client certificates.
+ At most one of ignored, optional and required can be set.
+ Default: ignored: {}
+ properties:
+ ignored:
+ description: Ignored disables verification of
+ the client certificate.
+ type: object
+ optional:
+ description: |-
+ Optional enables verification of the client certificate if one is presented.
+ In this mode only trustedCA and crl settings can be configured since certificatePinning and allowedSANs require a client certificate.
+ properties:
+ crl:
+ description: CRL defines the Certificate Revocation
+ List (CRL) settings.
+ properties:
+ lists:
+ description: Lists defines the list of
+ secretRefs containing Certificate Revocation
+ Lists.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines the
+ reference to a secret containing
+ one or more CRL's (in PEM format)
+ under the key 'ca.crl'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ validationMode:
+ default: VerifyChain
+ description: ValidationMode defines whether
+ only the leaf certificate or also the
+ CA certs should be checked.
+ enum:
+ - VerifyLeafCertOnly
+ - VerifyChain
+ type: string
+ type: object
+ trustedCA:
+ description: TrustedCA defines which CA certificates
+ are trusted.
+ properties:
+ certificates:
+ description: Certificates defines the
+ list of secretRefs containing trusted
+ CA certificates.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines the
+ reference to a secret containing
+ one or more CA certificates under
+ the key 'ca.crt'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ verificationDepth:
+ default: 1
+ description: |-
+ VerificationDepth specifies the hops in the certificate chain at which validation is performed.
+ 1 means that either the leaf or the signing CA must be in the set of trusted certificates.
+ format: int32
+ type: integer
+ required:
+ - certificates
+ type: object
+ required:
+ - trustedCA
+ type: object
+ required:
+ description: |-
+ Required contains settings for client certificate verification. A client must present a valid certificate.
+ At least one of trustedCA and certificatePinning must be set.
+ properties:
+ allowedSANs:
+ description: "AllowedSANs is a list of matchers\
+ \ to verify the Subject Alternative name.\
+ \ If specified, it will verify that the\n\
+ Subject Alternative Name of the presented\
+ \ certificate matches one of the specified\
+ \ matchers. The matching uses \u201Cany\u201D\
+ \ semantics,\nthat is to say, the SAN is\
+ \ verified if at least one matcher is matched.\n\
+ AllowedSANs requires trustedCA to be set."
+ items:
+ description: |-
+ TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
+ Subject Alternative Name of the presented certificate matches one of the specified matchers.
+ properties:
+ matcher:
+ description: Matcher defines the string
+ matcher for the SAN value.
+ properties:
+ contains:
+ description: |-
+ Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ exact:
+ description: |-
+ Exact defines an explicit match on the string specified here.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ ignoreCase:
+ default: false
+ description: IgnoreCase indicates
+ whether the matching should be
+ case-insensitive. In case of a
+ regex match, the regex gets wrapped
+ with a group `(?i:...)`.
+ type: boolean
+ prefix:
+ description: |-
+ Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ regex:
+ description: |-
+ Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
+ The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ suffix:
+ description: |-
+ Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
+ Only one of exact, prefix, suffix, regex or contains can be set.
+ minLength: 1
+ type: string
+ type: object
+ sanType:
+ description: SanType defines the type
+ of SAN matcher.
+ enum:
+ - DNS
+ - Email
+ - URI
+ - IPAddress
+ type: string
+ required:
+ - matcher
+ - sanType
+ type: object
+ minItems: 1
+ type: array
+ certificatePinning:
+ description: |-
+ CertificatePinning defines the constraints a client certificate must fulfill.
+ If more than one constraint is configured only one must be satisfied.
+ At least one of allowedSPKIs and allowedHashes must be set.
+ properties:
+ allowedHashes:
+ description: |-
+ AllowedHashes is a list of hex-encoded SHA-256 hashes.
+ If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ allowedSPKIs:
+ description: |-
+ AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
+ If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ crl:
+ description: CRL defines the Certificate Revocation
+ List (CRL) settings.
+ properties:
+ lists:
+ description: Lists defines the list of
+ secretRefs containing Certificate Revocation
+ Lists.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines the
+ reference to a secret containing
+ one or more CRL's (in PEM format)
+ under the key 'ca.crl'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ validationMode:
+ default: VerifyChain
+ description: ValidationMode defines whether
+ only the leaf certificate or also the
+ CA certs should be checked.
+ enum:
+ - VerifyLeafCertOnly
+ - VerifyChain
+ type: string
+ type: object
+ trustedCA:
+ description: TrustedCA defines which CA certificates
+ are trusted.
+ properties:
+ certificates:
+ description: Certificates defines the
+ list of secretRefs containing trusted
+ CA certificates.
+ items:
+ properties:
+ secretRef:
+ description: SecretRef defines the
+ reference to a secret containing
+ one or more CA certificates under
+ the key 'ca.crt'.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - secretRef
+ type: object
+ minItems: 1
+ type: array
+ verificationDepth:
+ default: 1
+ description: |-
+ VerificationDepth specifies the hops in the certificate chain at which validation is performed.
+ 1 means that either the leaf or the signing CA must be in the set of trusted certificates.
+ format: int32
+ type: integer
+ required:
+ - certificates
+ type: object
+ type: object
+ type: object
+ enable:
+ default: false
+ description: Enable defines if the downstream connection
+ is encrypted.
+ type: boolean
+ protocol:
+ description: Protocol defines the supported TLS protocol
+ versions.
+ properties:
+ maximum:
+ description: Maximum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ minimum:
+ description: Minimum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ type: object
+ secretRef:
+ description: SecretRef defines the reference to the
+ TLS server certificate (secret of type kubernetes.io/tls).
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ xfcc:
+ description: "XFCC defines the handling of X-Forwarded-Client-Cert\
+ \ header. Meaning of the possible values:\n_Sanitize_:\
+ \ Do not send the XFCC header to the next hop. This\
+ \ is the default value.\n_ForwardOnly_: When the\
+ \ client connection is mTLS (Mutual TLS), forward\
+ \ the XFCC header in the request.\n_AppendAndForward_:\
+ \ When the client connection is mTLS, append the\
+ \ client certificate information to the request\u2019\
+ s XFCC header and forward it.\n_SanitizeAndSet_:\
+ \ When the client connection is mTLS, reset the\
+ \ XFCC header with the client certificate information\
+ \ and send it to the next hop.\n_AlwaysForwardOnly_:\
+ \ Always forward the XFCC header in the request,\
+ \ regardless of whether the client connection is\
+ \ mTLS.\nNote: When forwarding the XFCC header in\
+ \ the request you might have to adjust the header\
+ \ length restrictions (See sidecargateway.spec.applications.downstream.restrictions.http)"
+ enum:
+ - Sanitize
+ - ForwardOnly
+ - AppendAndForward
+ - SanitizeAndSet
+ - AlwaysForwardOnly
+ type: string
+ type: object
+ type: object
+ envoyHTTPFilterRefs:
+ description: EnvoyHTTPFilterRefs selects the relevant EnvoyHTTPFilters.
+ properties:
+ prepend:
+ description: Prepend selects the relevant EnvoyHTTPFilters
+ which are added before those configured by the Airlock
+ Microgateway.
+ items:
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ type: object
+ routes:
+ description: Routes defines the security configurations for
+ different paths. The first matching route (from top to bottom)
+ applies.
+ items:
+ description: |-
+ SidecarGatewayApplicationRoute defines the security configurations for different paths.
+ At most one of secured and unsecured can be set.
+ Default: secured: {...}
+ properties:
+ pathPrefix:
+ default: /
+ description: PathPrefix defines the path prefix used
+ during route selection.
+ minLength: 1
+ type: string
+ secured:
+ description: Secured enables WAF processing for this
+ route.
+ properties:
+ accessControlRef:
+ description: |-
+ AccessControlRef selects the relevant AccessControl configuration resource.
+ If undefined, Airlock Microgateway does not perform any access control.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ contentSecurityRef:
+ description: |-
+ ContentSecurityRef selects the relevant ContentSecurity configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ unsecured:
+ description: |-
+ Unsecured disables all WAF functionality and therefore protection for this route.
+ WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged.
+ type: object
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - pathPrefix
+ x-kubernetes-list-type: map
+ telemetryRef:
+ description: |-
+ TelemetryRef selects the relevant Telemetry configuration resource.
+ If undefined, default settings are applied, designed to work with most upstream web application services.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ upstream:
+ description: Upstream defines the upstream configuration for
+ this application
+ properties:
+ protocol:
+ description: |-
+ Protocol defines HTTP protocol version used to communicate with the upstream. At most one of http1, http2 and auto can be set.
+ Default: auto: {}
+ properties:
+ auto:
+ description: Auto specifies to negotiate the protocol
+ with TLS ALPN (if TLS is enabled) or, as a fallback,
+ use the same protocol that is used by the downstream
+ connection.
+ properties:
+ http2:
+ description: HTTP2 specifies the settings for
+ when HTTP/2 is inferred.
+ properties:
+ allowConnect:
+ default: false
+ description: Allows proxying Websocket and
+ other upgrades over H2 connect.
+ type: boolean
+ type: object
+ type: object
+ http1:
+ description: HTTP1 specifies to use HTTP/1.1.
+ type: object
+ http2:
+ description: HTTP2 specifies to use HTTP/2.
+ properties:
+ allowConnect:
+ default: false
+ description: Allows proxying Websocket and other
+ upgrades over H2 connect.
+ type: boolean
+ type: object
+ type: object
+ timeouts:
+ description: Timeouts defines the timeout settings.
+ properties:
+ http:
+ description: HTTP defines the settings for HTTP timeouts.
+ properties:
+ idle:
+ description: |-
+ Timeout defines the settings for http timeouts. If this setting is not specified, the value of applications[].downstream.timeouts.http.idle is inherited.
+ A value of 0 will completely disable the timeout.
+ type: string
+ maxDuration:
+ default: 15s
+ description: |-
+ MaxDuration defines the total duration for a HTTP request/response stream.
+ Default: 15s
+ type: string
+ type: object
+ type: object
+ tls:
+ description: TLS defines the TLS settings.
+ properties:
+ ciphers:
+ description: Ciphers defines a list of the supported
+ TLS cipher suites. For details on cipher list refer
+ to the envoy documentation on cipher_suites in common
+ tls configuration.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ enable:
+ default: false
+ description: Enable defines if the upstream connection
+ is encrypted.
+ type: boolean
+ protocol:
+ description: Protocol defines the supported TLS protocol
+ versions.
+ properties:
+ maximum:
+ description: Maximum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ minimum:
+ description: Minimum supported TLS version.
+ enum:
+ - TLSv1_0
+ - TLSv1_1
+ - TLSv1_2
+ - TLSv1_3
+ type: string
+ type: object
+ type: object
+ type: object
+ type: object
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - containerPort
+ x-kubernetes-list-type: map
+ envoyClusterRefs:
+ description: EnvoyClusterRefs selects the relevant EnvoyClusters.
+ items:
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ podSelector:
+ description: PodSelector defines to which Pods the configuration
+ will be applied to.
+ properties:
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: MatchLabels is a map of {key,value} pairs. A single
+ {key,value} in the matchLabels.
+ type: object
+ type: object
+ sessionHandlingRef:
+ description: SessionHandlingRef selects the SessionHandling configuration
+ to apply.
+ properties:
+ name:
+ description: Name of the resource
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - applications
+ type: object
+ status:
+ description: Most recently observed status of the SidecarGateway which
+ is populated by the system. This data is read-only and may not be
+ up to date.
+ properties:
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ description: Last time the condition transitioned from one
+ status to another.
+ format: date-time
+ type: string
+ message:
+ description: A human-readable message indicating details about
+ the transition.
+ type: string
+ reason:
+ description: The reason for the condition's last transition.
+ type: string
+ status:
+ description: Status of the condition, one of True, False,
+ Unknown.
+ type: string
+ type:
+ description: Type of SidecarGateway condition.
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ pods:
+ items:
+ properties:
+ envoyConfig:
+ description: EnvoyConfig indicates the name of the EnvoyConfig
+ CR for the Pod.
+ type: string
+ name:
+ description: Name indicates the name of a Pod selected by
+ the SidecarGateway.
+ type: string
+ sessionAgentSecret:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ status:
+ type: string
+ unmanagedPods:
+ items:
+ properties:
+ managedBy:
+ description: ManagedBy indicates the Airlock Microgateway
+ Operator instance which manages this Pod.
+ type: string
+ name:
+ description: Name indicates the name of a Pod selected by
+ the SidecarGateway.
+ type: string
+ sessionAgentSecret:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ required:
+ - status
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/telemetries.microgateway.airlock.com.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/telemetries.microgateway.airlock.com.yaml
new file mode 100644
index 0000000..7fafb35
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/crds/telemetries.microgateway.airlock.com.yaml
@@ -0,0 +1,108 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.1
+ labels:
+ app.kubernetes.io/name: airlock-microgateway-operator
+ app.kubernetes.io/version: 4.5.2
+ name: telemetries.microgateway.airlock.com
+spec:
+ group: microgateway.airlock.com
+ names:
+ categories:
+ - airlock-microgateway
+ kind: Telemetry
+ listKind: TelemetryList
+ plural: telemetries
+ singular: telemetry
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: Telemetry contains the configuration for telemetry (logging,
+ metrics & tracing).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired telemetry behavior.
+ properties:
+ correlation:
+ description: Correlation defines the correlation aspects of Telemetry.
+ properties:
+ idSource:
+ description: IDSource specifies how an external correlation
+ ID should be obtained for a request. If not specified, no
+ correlation ID will be logged.
+ properties:
+ header:
+ description: Header specifies to extract the correlation
+ ID from a request header. If the header is absent from
+ a request, no correlation ID will be logged.
+ properties:
+ name:
+ default: X-Correlation-Id
+ description: Name of the header (case-insensitive) from
+ which to extract the correlation ID.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - header
+ type: object
+ request:
+ description: Request defines the request related correlation
+ settings of Telemetry.
+ properties:
+ allowDownstreamRequestID:
+ default: true
+ description: AllowDownstreamRequestID defines whether trace
+ sampling will consider a provided x-request-id.
+ type: boolean
+ alterRequestID:
+ default: true
+ description: AlterRequestID defines whether to alter the
+ UUID to reflect the trace sampling decision. If disabled
+ no modification to the UUID will be performed, this may
+ break tracing in the upstream.
+ type: boolean
+ type: object
+ type: object
+ logging:
+ description: Logging defines the logging aspects of Telemetry.
+ properties:
+ accessLog:
+ description: AccessLog defines the access log settings of Telemetry.
+ properties:
+ format:
+ description: Format defines the Access Log format of the
+ sidecar.
+ properties:
+ json:
+ description: JSON defines the Access Log format as JSON.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: object
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/configmap.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/configmap.yaml
new file mode 100644
index 0000000..e97ed8e
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/configmap.yaml
@@ -0,0 +1,410 @@
+apiVersion: v1
+data:
+ engine_bootstrap_config_template.yaml: |
+ # Base configuration, admin interface on port 19000
+ admin:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ dynamic_resources:
+ cds_config:
+ initial_fetch_timeout: 10s
+ resource_api_version: V3
+ api_config_source:
+ api_type: GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC
+ rate_limit_settings:
+ max_tokens: 5
+ fill_rate: 0.2
+ lds_config:
+ resource_api_version: V3
+ initial_fetch_timeout: 10s
+ api_config_source:
+ api_type: GRPC
+ transport_api_version: V3
+ grpc_services:
+ - envoy_grpc:
+ cluster_name: xds_cluster
+ set_node_on_first_message_only: true
+ # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC
+ rate_limit_settings:
+ max_tokens: 5
+ fill_rate: 0.2
+ static_resources:
+ listeners:
+ - name: probe
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19001
+ filter_chains:
+ - filters:
+ - name: http_connection_manager
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: probe
+ codec_type: AUTO
+ http2_protocol_options:
+ initial_connection_window_size: 1048576
+ initial_stream_window_size: 65536
+ max_concurrent_streams: 100
+ route_config:
+ name: probe
+ virtual_hosts:
+ - name: probe
+ domains:
+ - '*'
+ routes:
+ - name: ready
+ match:
+ path: /ready
+ headers:
+ - name: ':method'
+ string_match:
+ exact: 'GET'
+ route:
+ cluster: airlock_microgateway_engine_admin
+ http_filters:
+ - name: envoy.filters.http.router
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ - name: metrics
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 19002
+ filter_chains:
+ - filters:
+ - name: http_connection_manager
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: metrics
+ codec_type: AUTO
+ http2_protocol_options:
+ initial_connection_window_size: 1048576
+ initial_stream_window_size: 65536
+ max_concurrent_streams: 100
+ route_config:
+ name: metrics
+ virtual_hosts:
+ - name: metrics
+ domains:
+ - '*'
+ routes:
+ - name: metrics
+ match:
+ path: /metrics
+ headers:
+ - name: ':method'
+ string_match:
+ exact: 'GET'
+ route:
+ prefix_rewrite: '/stats/prometheus'
+ cluster: airlock_microgateway_engine_admin
+ http_filters:
+ - name: envoy.filters.http.router
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: xds_cluster
+ connect_timeout: 1s
+ type: STRICT_DNS
+ respect_dns_ttl: true
+ load_assignment:
+ cluster_name: xds_cluster
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: airlock-microgateway-operator-xds.$(OPERATOR_NAMESPACE).svc.cluster.local
+ port_value: 13377
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 360s
+ timeout: 5s
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ tls_params:
+ tls_minimum_protocol_version: TLSv1_3
+ tls_maximum_protocol_version: TLSv1_3
+ validation_context_sds_secret_config:
+ name: validation_context_sds
+ sds_config:
+ resource_api_version: V3
+ path_config_source:
+ path: /app/config/validation_context_sds_secret.yaml
+ watched_directory:
+ path: /app/config/
+ tls_certificate_sds_secret_configs:
+ - name: tls_certificate_sds
+ sds_config:
+ resource_api_version: V3
+ path_config_source:
+ path: /app/config/tls_certificate_sds_secret.yaml
+ watched_directory:
+ path: /app/config/
+ - name: airlock_microgateway_engine_admin
+ connect_timeout: 1s
+ type: STATIC
+ load_assignment:
+ cluster_name: airlock_microgateway_engine_admin
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 19000
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ explicit_http_config:
+ http2_protocol_options:
+ connection_keepalive:
+ interval: 360s
+ timeout: 5s
+ stats_config:
+ stats_tags:
+ - tag_name: "block_type"
+ regex: "\\.(block_type\\.([^.]+))"
+ - tag_name: "block_subtype"
+ regex: "\\.(block_subtype\\.([^.]+))"
+ - tag_name: "envoy_cluster_name"
+ regex: "\\.(cluster\\.([^.]+))"
+ - tag_name: "upstream"
+ regex: "\\.(cluster\\.upstream_(\\d+))"
+ - tag_name: "upstream"
+ regex: "^cluster\\.(upstream_(\\d+))"
+ - tag_name: "upstream"
+ regex: "\\.(cluster\\.httproute/([^.]+)/rule/[^.]+)"
+ - tag_name: "upstream"
+ regex: "^cluster\\.(httproute/([^.]+)/rule/[^.]+)"
+ use_all_default_tags: true
+ overload_manager:
+ resource_monitors:
+ - name: "envoy.resource_monitors.global_downstream_max_connections"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+ max_active_downstream_connections: 50000
+ bootstrap_extensions:
+ - name: airlock.bootstrap.engine_stats
+ typed_config:
+ '@type': type.googleapis.com/airlock.extensions.bootstrap.stats.v1alpha.Stats
+ health_probe_approx_req_per_hour: $(HEALTH_PROBE_REQUESTS_PER_HOUR)
+ application_log_config:
+ log_format:
+ text_format: '{"@timestamp":"%Y-%m-%dT%T.%e%z","log":{"logger":"%n","level":"%l","origin":{"file":{"name":"%g","line":%#},"function":"%!"}},"event":{"module":"envoy","dataset":"envoy.application"},"process":{"pid":%P,"thread":{"id":%t}},"ecs":{"version":"8.5"},"message":"%j"}'
+ engine_container_template.yaml: |
+ name: "$(ENGINE_NAME)"
+ image: "$(ENGINE_IMAGE)"
+ imagePullPolicy: IfNotPresent
+ args:
+ - "--config-path"
+ - "/app/config/bootstrap_config.yaml"
+ - "--base-id"
+ - "$(BASE_ID)"
+ - "--file-flush-interval-msec"
+ - '1000'
+ - "--drain-time-s"
+ - '60'
+ - "--service-node"
+ - "$(POD_NAME).$(POD_NAMESPACE)"
+ - "--service-cluster"
+ - "$(APP_NAME).$(POD_NAMESPACE)"
+ - "--log-path"
+ - "/dev/stdout"
+ - "--log-level"
+ - "$(LOG_LEVEL)"
+ volumeMounts:
+ - name: airlock-microgateway-bootstrap-secret-volume
+ mountPath: /app/config/
+ readOnly: true
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ ports:
+ - containerPort: 13378
+ protocol: TCP
+ - containerPort: 19001
+ protocol: TCP
+ - containerPort: 19002
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ failureThreshold: 3
+ successThreshold: 1
+ timeoutSeconds: 2
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ initialDelaySeconds: 0
+ periodSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+ timeoutSeconds: 1
+ startupProbe:
+ httpGet:
+ path: /ready
+ port: 19001
+ scheme: HTTP
+ initialDelaySeconds: 0
+ periodSeconds: 1
+ failureThreshold: 30
+ successThreshold: 1
+ timeoutSeconds: 1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsNonRoot: true
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ runAsUser: $(SECURITYCONTEXT_UID)
+ network_validator_container_template.yaml: |
+ name: "$(NETWORK_VALIDATOR_NAME)"
+ image: "$(ENGINE_IMAGE)"
+ imagePullPolicy: IfNotPresent
+ command: ["/app/microgateway-network-validator"]
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsNonRoot: true
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ runAsUser: $(SECURITYCONTEXT_UID)
+ resources:
+ limits:
+ cpu: 25m
+ memory: 12Mi
+ requests:
+ cpu: 5m
+ memory: 1Mi
+ operator_config.yaml: |
+ apiVersion: config.airlock.com/v1alpha1
+ kind: OperatorConfig
+ health:
+ healthProbeBindAddress: :8081
+ metrics:
+ bindAddress: 0.0.0.0:8080
+ webhook:
+ port: 9443
+ deployment:
+ sidecar:
+ engineContainerTemplate: "/app/config/sidecar/engine_container_template.yaml"
+ networkValidatorContainerTemplate: "/app/config/sidecar/network_validator_container_template.yaml"
+ sessionAgentContainerTemplate: "/app/config/sidecar/session_agent_container_template.yaml"
+ engine:
+ bootstrapConfigTemplate: "/app/config/engine_bootstrap_config_template.yaml"
+ podMonitor:
+ create: false
+ session_agent_container_template.yaml: |
+ name: "$(SESSION_AGENT_NAME)"
+ image: "$(SESSION_AGENT_IMAGE)"
+ imagePullPolicy: IfNotPresent
+ args:
+ - "--port"
+ - "19004"
+ - "--config-path"
+ - "/app/config/config.json"
+ volumeMounts:
+ - name: airlock-microgateway-session-agent-volume
+ mountPath: /app/config/
+ readOnly: true
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ ports:
+ - containerPort: 19004
+ livenessProbe:
+ grpc:
+ port: 19004
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ failureThreshold: 3
+ successThreshold: 1
+ timeoutSeconds: 2
+ readinessProbe:
+ grpc:
+ port: 19004
+ initialDelaySeconds: 0
+ periodSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+ timeoutSeconds: 1
+ startupProbe:
+ grpc:
+ port: 19004
+ initialDelaySeconds: 0
+ periodSeconds: 1
+ failureThreshold: 30
+ successThreshold: 1
+ timeoutSeconds: 1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsNonRoot: true
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ runAsUser: $(SECURITYCONTEXT_UID)
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-config
+ namespace: syn-airlock-microgateway
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/dashboard-configmap.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/dashboard-configmap.yaml
new file mode 100644
index 0000000..cbd35f6
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/dashboard-configmap.yaml
@@ -0,0 +1,6280 @@
+apiVersion: v1
+data:
+ accessCtrlLogs.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_LOKI",
+ "label": "Loki",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "loki",
+ "pluginName": "Loki"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "11.4.0"
+ },
+ {
+ "type": "datasource",
+ "id": "loki",
+ "name": "Loki",
+ "version": "1.0.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "table",
+ "name": "Table",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "datasource": {
+ "default": false,
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "description": "Access Control logs by Airlock Microgateway, retrieved from corresponding access logs.\n\nThe dashboard can be filtered by namespace. Column filters on the table allow for an even more granular filtering of the logs.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "custom": {
+ "align": "auto",
+ "cellOptions": {
+ "type": "auto"
+ },
+ "filterable": true,
+ "inspect": true
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Namespace"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 221
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Timestamp"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 214
+ },
+ {
+ "id": "unit",
+ "value": "time: YYYY-MM-DD HH:mm:ss.SSS"
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "HTTP Method"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 140
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Client IP"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 138
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request ID"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 328
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request Size"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 126
+ },
+ {
+ "id": "unit",
+ "value": "bytes"
+ },
+ {
+ "id": "custom.align",
+ "value": "right"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Status"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 96
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Authenticated"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 135
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Authorized"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 125
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "URL Path"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 373
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Access Control Policy"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 188
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "HTTP Status"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 124
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 27,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 2,
+ "options": {
+ "cellHeight": "sm",
+ "footer": {
+ "countRows": false,
+ "enablePagination": true,
+ "fields": "",
+ "reducer": [
+ "sum"
+ ],
+ "show": false
+ },
+ "showHeader": true,
+ "sortBy": []
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "editorMode": "code",
+ "expr": "{container=\"airlock-microgateway-engine\"} |= \"access_control\" |= \"envoy.access\" | json http_method=\"http.request.method\", url=\"url.path\", domain=\"url.domain\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", user_id=\"airlock.access_control.user_id\", details=\"airlock.access_control.details\", policy=\"airlock.access_control.policy\", status=\"airlock.access_control.status\", authenticated=\"airlock.access_control.authenticated\", response_code=\"http.response.status_code\", authorized=\"airlock.access_control.authorized\", log_type=\"event.dataset\" | log_type = `envoy.access`",
+ "hide": false,
+ "queryType": "range",
+ "refId": "Access Control Logs"
+ }
+ ],
+ "title": "Access Control Logs",
+ "transformations": [
+ {
+ "id": "extractFields",
+ "options": {
+ "format": "json",
+ "source": "labels"
+ }
+ },
+ {
+ "id": "filterFieldsByName",
+ "options": {
+ "byVariable": false,
+ "include": {
+ "names": [
+ "Time",
+ "authenticated",
+ "authorized",
+ "client_ip",
+ "details",
+ "domain",
+ "http_method",
+ "namespace",
+ "policy",
+ "request_id",
+ "request_size",
+ "status",
+ "url",
+ "user_id",
+ "response_code"
+ ]
+ }
+ }
+ },
+ {
+ "id": "organize",
+ "options": {
+ "excludeByName": {
+ "Line": true,
+ "id": true,
+ "labelTypes": true,
+ "labels": true,
+ "tsNs": false
+ },
+ "includeByName": {},
+ "indexByName": {
+ "Time": 0,
+ "authenticated": 9,
+ "authorized": 10,
+ "client_ip": 13,
+ "details": 12,
+ "domain": 2,
+ "http_method": 3,
+ "namespace": 1,
+ "policy": 7,
+ "request_id": 14,
+ "request_size": 5,
+ "response_code": 6,
+ "status": 11,
+ "url": 4,
+ "user_id": 8
+ },
+ "renameByName": {
+ "Time": "Timestamp",
+ "authenticated": "Authenticated",
+ "authorized": "Authorized",
+ "client_ip": "Client IP",
+ "details": "Details",
+ "domain": "URL Domain",
+ "http_method": "HTTP Method",
+ "namespace": "Namespace",
+ "policy": "Access Control Policy",
+ "request_id": "Request ID",
+ "request_size": "Request Size",
+ "response_code": "HTTP Status",
+ "status": "Status",
+ "url": "URL Path",
+ "user_id": "User ID"
+ }
+ }
+ }
+ ],
+ "type": "table"
+ }
+ ],
+ "schemaVersion": 40,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_LOKI",
+ "name": "DS_LOKI",
+ "options": [],
+ "query": "loki",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "allValue": ".*",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_license_http_rq_total,namespace)",
+ "includeAll": true,
+ "label": "Gateway Namespace",
+ "multi": true,
+ "name": "namespace",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_license_http_rq_total,namespace)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "sort": 5,
+ "type": "query"
+ },
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_PROMETHEUS",
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-1h",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "Europe/Zurich",
+ "title": "Airlock Microgateway Access Control - Logs",
+ "uid": "ce99ks6s11nuob",
+ "version": 1,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-accessctrllogs
+ namespace: syn-airlock-microgateway
+---
+apiVersion: v1
+data:
+ blockLogs.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_LOKI",
+ "label": "Loki",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "loki",
+ "pluginName": "Loki"
+ },
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "10.2.0"
+ },
+ {
+ "type": "datasource",
+ "id": "loki",
+ "name": "Loki",
+ "version": "1.0.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "table",
+ "name": "Table",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "description": "Log entries of threats blocked by Airlock Microgateway.\n\nThe dashboard can be filtered by namespace and block type. Column filters on the table allow for an even more granular filtering of the logs.",
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "datasource": {
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "custom": {
+ "align": "auto",
+ "cellOptions": {
+ "type": "auto"
+ },
+ "filterable": true,
+ "inspect": true
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Namespace"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 221
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Timestamp"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 214
+ },
+ {
+ "id": "unit",
+ "value": "time: YYYY-MM-DD HH:mm:ss.SSS"
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "HTTP Method"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 140
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Client IP"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 138
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request ID"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 328
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Block Type"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 116
+ },
+ {
+ "id": "custom.filterable",
+ "value": false
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request Size"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 126
+ },
+ {
+ "id": "unit",
+ "value": "bytes"
+ },
+ {
+ "id": "custom.align",
+ "value": "right"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Block Subtype"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 217
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 27,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 2,
+ "options": {
+ "cellHeight": "sm",
+ "footer": {
+ "countRows": false,
+ "enablePagination": true,
+ "fields": "",
+ "reducer": [
+ "sum"
+ ],
+ "show": false
+ },
+ "showHeader": true,
+ "sortBy": []
+ },
+ "pluginVersion": "10.2.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "editorMode": "code",
+ "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", domain=\"url.domain\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.actions.block.details\", block_type=\"airlock.actions.block.block_type\", block_subtype=\"airlock.actions.block.block_subtype\"\n| block_type=~\"${blockType:regex}\"",
+ "hide": false,
+ "queryType": "range",
+ "refId": "Blocks"
+ }
+ ],
+ "title": "Blocked Request logs",
+ "transformations": [
+ {
+ "id": "extractFields",
+ "options": {
+ "format": "json",
+ "source": "labels"
+ }
+ },
+ {
+ "id": "filterFieldsByName",
+ "options": {
+ "byVariable": false,
+ "include": {
+ "names": [
+ "Time",
+ "block_subtype",
+ "block_type",
+ "client_ip",
+ "details",
+ "domain",
+ "http_method",
+ "namespace",
+ "request_id",
+ "request_size",
+ "url"
+ ]
+ }
+ }
+ },
+ {
+ "id": "organize",
+ "options": {
+ "excludeByName": {
+ "Line": true,
+ "id": true,
+ "labelTypes": true,
+ "labels": true,
+ "tsNs": false
+ },
+ "includeByName": {},
+ "indexByName": {
+ "Time": 0,
+ "block_subtype": 7,
+ "block_type": 6,
+ "client_ip": 9,
+ "details": 8,
+ "domain": 2,
+ "http_method": 3,
+ "namespace": 1,
+ "request_id": 10,
+ "request_size": 5,
+ "url": 4
+ },
+ "renameByName": {
+ "Time": "Timestamp",
+ "block_subtype": "Block Subtype",
+ "block_type": "Block Type",
+ "client_ip": "Client IP",
+ "details": "Details",
+ "domain": "URL Domain",
+ "http_method": "HTTP Method",
+ "namespace": "Namespace",
+ "request_id": "Request ID",
+ "request_size": "Request Size",
+ "url": "URL Path"
+ }
+ }
+ }
+ ],
+ "type": "table"
+ }
+ ],
+ "schemaVersion": 39,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_LOKI",
+ "multi": false,
+ "name": "DS_LOKI",
+ "options": [],
+ "query": "loki",
+ "refresh": 1,
+ "regex": "",
+ "skipUrlSync": false,
+ "type": "datasource"
+ },
+ {
+ "allValue": ".*",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_license_http_rq_total,namespace)",
+ "hide": 0,
+ "includeAll": true,
+ "label": "Gateway Namespace",
+ "multi": true,
+ "name": "namespace",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_license_http_rq_total,namespace)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "skipUrlSync": false,
+ "sort": 5,
+ "type": "query"
+ },
+ {
+ "allValue": ".*",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)",
+ "hide": 0,
+ "includeAll": true,
+ "label": "Block Type",
+ "multi": true,
+ "name": "blockType",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "skipUrlSync": false,
+ "sort": 5,
+ "type": "query"
+ },
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_PROMETHEUS",
+ "multi": false,
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "skipUrlSync": false,
+ "type": "datasource"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "timeRangeUpdatedDuringEditOrView": false,
+ "timepicker": {},
+ "timezone": "browser",
+ "title": "Airlock Microgateway Threats Block - Logs",
+ "uid": "adnyzcvwnyadcc",
+ "version": 3,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-blocklogs
+ namespace: syn-airlock-microgateway
+---
+apiVersion: v1
+data:
+ blockMetrics.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "panel",
+ "id": "barchart",
+ "name": "Bar chart",
+ "version": ""
+ },
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "11.4.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "stat",
+ "name": "Stat",
+ "version": ""
+ },
+ {
+ "type": "panel",
+ "id": "timeseries",
+ "name": "Time series",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "description": "Metrics on threats blocked by Airlock Microgateway.\n\nDashboard can be filtered by namespaces as well as block types.",
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "collapsed": false,
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 6,
+ "panels": [],
+ "title": "Airlock Microgateway Threats Block - Metrics",
+ "type": "row"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Total number of requests processed by Airlock Microgateway.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 4,
+ "x": 0,
+ "y": 1
+ },
+ "id": 1,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "none",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "last"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "disableTextWrap": false,
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "round(sum(increase(envoy_cluster_upstream_rq{managed_by=~\"${operator:regex}\",namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]))+\nsum(increase(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]) or on() vector(0)))",
+ "format": "time_series",
+ "fullMetaSearch": false,
+ "hide": false,
+ "includeNullMetadata": true,
+ "instant": true,
+ "legendFormat": "Processed Requests",
+ "range": false,
+ "refId": "A",
+ "useBackend": false
+ }
+ ],
+ "title": "Requests",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Ratio of blocked requests vs. processed requests by Airlock Microgateway.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "mappings": [
+ {
+ "options": {
+ "match": "nan",
+ "result": {
+ "index": 0,
+ "text": "n/a"
+ }
+ },
+ "type": "special"
+ }
+ ],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "percentunit"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 4,
+ "x": 4,
+ "y": 1
+ },
+ "id": 2,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "area",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "last"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "disableTextWrap": false,
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "sum(increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]) or on() vector(0))\n/ \n(\nsum(increase(envoy_cluster_upstream_rq{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]))\n+\nsum(increase(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]) or on() vector(0))\n)",
+ "fullMetaSearch": false,
+ "includeNullMetadata": true,
+ "instant": true,
+ "legendFormat": "Blocked Requests (%)",
+ "range": false,
+ "refId": "A",
+ "useBackend": false
+ }
+ ],
+ "title": "% Blocked Requests",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Requests per second processed by Airlock Microgateway along with the corresponding block rate.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "blue",
+ "mode": "fixed"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "left",
+ "barAlignment": 0,
+ "barWidthFactor": 0.6,
+ "drawStyle": "line",
+ "fillOpacity": 0,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "insertNulls": false,
+ "lineInterpolation": "linear",
+ "lineWidth": 1,
+ "pointSize": 5,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "showPoints": "auto",
+ "spanNulls": false,
+ "stacking": {
+ "group": "A",
+ "mode": "none"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "blue",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "% Blocks"
+ },
+ "properties": [
+ {
+ "id": "custom.axisPlacement",
+ "value": "right"
+ },
+ {
+ "id": "unit",
+ "value": "percentunit"
+ },
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "orange",
+ "mode": "fixed"
+ }
+ },
+ {
+ "id": "max",
+ "value": 1
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Requests per second"
+ },
+ "properties": [
+ {
+ "id": "unit",
+ "value": "short"
+ },
+ {
+ "id": "custom.fillOpacity",
+ "value": 25
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 10,
+ "w": 20,
+ "x": 0,
+ "y": 5
+ },
+ "id": 3,
+ "options": {
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": true
+ },
+ "timezone": [
+ ""
+ ],
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "none"
+ }
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "sum(rate(envoy_cluster_upstream_rq{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]))\n+\nsum(rate(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]) or on() vector(0))",
+ "instant": false,
+ "legendFormat": "Requests per second",
+ "range": true,
+ "refId": "Requests per Second"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "sum(rate(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]) or on() vector(0))\n/\n(\nsum(rate(envoy_cluster_upstream_rq{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]))\n+\nsum(rate(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]) or on() vector(0))\n)",
+ "hide": false,
+ "instant": false,
+ "legendFormat": "% Blocks",
+ "range": true,
+ "refId": "Blocks"
+ }
+ ],
+ "title": "Requests vs. % Blocks",
+ "type": "timeseries"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Blocked threats by block type.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "super-light-orange",
+ "mode": "fixed"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisGridShow": true,
+ "axisLabel": "",
+ "axisPlacement": "auto",
+ "fillOpacity": 80,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "lineWidth": 0,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "fieldMinMax": false,
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 11,
+ "w": 10,
+ "x": 0,
+ "y": 15
+ },
+ "id": 4,
+ "options": {
+ "barRadius": 0,
+ "barWidth": 0.8,
+ "fullHighlight": false,
+ "groupWidth": 0.7,
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": false
+ },
+ "orientation": "horizontal",
+ "showValue": "never",
+ "stacking": "none",
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "asc"
+ },
+ "xField": "block_type",
+ "xTickLabelRotation": 0,
+ "xTickLabelSpacing": 0
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "round(sum by (block_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range])))",
+ "format": "time_series",
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "A"
+ }
+ ],
+ "title": "Block Type",
+ "transformations": [
+ {
+ "id": "reduce",
+ "options": {
+ "includeTimeField": false,
+ "labelsToFields": true,
+ "mode": "seriesToRows",
+ "reducers": [
+ "sum"
+ ]
+ }
+ }
+ ],
+ "type": "barchart"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Blocked threats by block subtype, which are subsets of the various block types.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "light-orange",
+ "mode": "fixed"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "auto",
+ "fillOpacity": 80,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "lineWidth": 1,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 11,
+ "w": 10,
+ "x": 10,
+ "y": 15
+ },
+ "id": 5,
+ "options": {
+ "barRadius": 0,
+ "barWidth": 0.8,
+ "fullHighlight": false,
+ "groupWidth": 0.7,
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": false
+ },
+ "orientation": "horizontal",
+ "showValue": "never",
+ "stacking": "none",
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "none"
+ },
+ "xField": "block_subtype",
+ "xTickLabelRotation": 0,
+ "xTickLabelSpacing": 0
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "round(sum by (block_subtype) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range])))",
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "A"
+ }
+ ],
+ "title": "Block Subtype",
+ "transformations": [
+ {
+ "id": "reduce",
+ "options": {
+ "labelsToFields": true,
+ "reducers": [
+ "sum"
+ ]
+ }
+ }
+ ],
+ "type": "barchart"
+ }
+ ],
+ "refresh": "",
+ "schemaVersion": 40,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "Datasource Prometheus",
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_LOKI",
+ "name": "DS_LOKI",
+ "options": [],
+ "query": "loki",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering on the gateway kind.",
+ "definition": "label_values(microgateway_build_info,gateway_kind)",
+ "includeAll": true,
+ "label": "Gateway Kind",
+ "name": "gateway_kind",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info,gateway_kind)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "allValue": ".+",
+ "current": {},
+ "description" : "Allows filtering on the managing operator instance.",
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_build_info,managed_by)",
+ "includeAll": true,
+ "label": "Operator",
+ "multi": true,
+ "name": "operator",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info,managed_by)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": ".*",
+ "type": "query"
+ },
+ {
+ "current": {},
+ "description" : "Allows filtering on the namespaces in which gateways are deployed.",
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_build_info{managed_by=~\"$operator\"},namespace)",
+ "includeAll": true,
+ "label": "Gateway Namespace",
+ "multi": true,
+ "name": "namespace",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info{managed_by=~\"$operator\"},namespace)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "sort": 5,
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering on specific gateway instance names within the selected namespaces.",
+ "definition": "label_values(microgateway_build_info{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"$gateway_kind\"},gateway)",
+ "includeAll": true,
+ "label": "Gateway Name",
+ "multi": true,
+ "name": "gateway_name",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"$gateway_kind\"},gateway)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering request metrics of the selected SidecarGateway instances on application container port. This filter is ignored for other gateway kinds.",
+ "definition": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"SidecarGateway\", gateway=~\"$gateway_name\"},upstream)",
+ "includeAll": true,
+ "label": "Sidecar Application Port",
+ "multi": true,
+ "name": "sidecar_application_port",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"SidecarGateway\", gateway=~\"$gateway_name\"},upstream)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering request metrics of the selected Gateway instances on the name of their matching HTTPRoute. This filter is ignored for other gateway kinds.",
+ "definition": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=\"Gateway\", gateway=~\"$gateway_name\"},upstream)",
+ "includeAll": true,
+ "label": "Gateway HTTPRoute",
+ "multi": true,
+ "name": "gateway_httproute",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=\"Gateway\", gateway=~\"$gateway_name\"},upstream)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "allValue": ".*",
+ "description" : "Allows filtering on the block type of blocked threats.",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)",
+ "includeAll": true,
+ "label": "Block Type",
+ "multi": true,
+ "name": "blockType",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "sort": 5,
+ "type": "query"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-24h",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "browser",
+ "title": "Airlock Microgateway Threats Block - Metrics",
+ "uid": "ddnqoczu7qvb4cdd3dd",
+ "version": 3,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-blockmetrics
+ namespace: syn-airlock-microgateway
+---
+apiVersion: v1
+data:
+ headerLogs.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_LOKI",
+ "label": "Loki",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "loki",
+ "pluginName": "Loki"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "11.4.0"
+ },
+ {
+ "type": "datasource",
+ "id": "loki",
+ "name": "Loki",
+ "version": "1.0.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "table",
+ "name": "Table",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "description": "Logs for header rewrites by Airlock Microgateway, retrieved from corresponding access logs.\n\nThe dashboard can be filtered by namespace. Column filters on the table allow for an even more granular filtering of the logs.",
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "datasource": {
+ "default": false,
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "custom": {
+ "align": "auto",
+ "cellOptions": {
+ "type": "auto"
+ },
+ "filterable": true,
+ "inspect": true
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Namespace"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 221
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Timestamp"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 214
+ },
+ {
+ "id": "unit",
+ "value": "time: YYYY-MM-DD HH:mm:ss.SSS"
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "HTTP Method"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 140
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Client IP"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 138
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request ID"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 328
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "HTTP Status"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 126
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request Size"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 126
+ },
+ {
+ "id": "unit",
+ "value": "bytes"
+ },
+ {
+ "id": "custom.align",
+ "value": "right"
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 27,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 2,
+ "options": {
+ "cellHeight": "sm",
+ "footer": {
+ "countRows": false,
+ "enablePagination": true,
+ "fields": "",
+ "reducer": [
+ "sum"
+ ],
+ "show": false
+ },
+ "showHeader": true,
+ "sortBy": []
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "editorMode": "code",
+ "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"header_rewrites\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", domain=\"url.domain\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", header_request_details=\"airlock.actions.header_rewrites.request\", response_status_code=\"http.response.status_code\", header_response_details=\"airlock.actions.header_rewrites.response\", log_type=\"event.dataset\" | log_type = `envoy.access`",
+ "hide": false,
+ "queryType": "range",
+ "refId": "Header Rewrites"
+ }
+ ],
+ "title": "Header Rewrite Logs",
+ "transformations": [
+ {
+ "id": "extractFields",
+ "options": {
+ "format": "json",
+ "source": "labels"
+ }
+ },
+ {
+ "id": "filterFieldsByName",
+ "options": {
+ "byVariable": false,
+ "include": {
+ "names": [
+ "Time",
+ "client_ip",
+ "domain",
+ "header_request_details",
+ "header_response_details",
+ "http_method",
+ "namespace",
+ "request_id",
+ "request_size",
+ "url",
+ "response_status_code"
+ ]
+ }
+ }
+ },
+ {
+ "id": "organize",
+ "options": {
+ "excludeByName": {
+ "Line": true,
+ "id": true,
+ "labelTypes": true,
+ "labels": true,
+ "tsNs": false
+ },
+ "includeByName": {},
+ "indexByName": {
+ "Time": 0,
+ "client_ip": 9,
+ "domain": 2,
+ "header_request_details": 7,
+ "header_response_details": 8,
+ "http_method": 3,
+ "namespace": 1,
+ "request_id": 10,
+ "request_size": 5,
+ "response_status_code": 6,
+ "url": 4
+ },
+ "renameByName": {
+ "Time": "Timestamp",
+ "client_ip": "Client IP",
+ "details": "Details",
+ "domain": "URL Domain",
+ "header_request_details": "Request Header Actions",
+ "header_response_details": "Response Header Actions",
+ "http_method": "HTTP Method",
+ "namespace": "Namespace",
+ "request_id": "Request ID",
+ "request_size": "Request Size",
+ "response_status_code": "HTTP Status",
+ "url": "URL Path"
+ }
+ }
+ }
+ ],
+ "type": "table"
+ }
+ ],
+ "schemaVersion": 40,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_LOKI",
+ "name": "DS_LOKI",
+ "options": [],
+ "query": "loki",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "allValue": ".*",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_license_http_rq_total,namespace)",
+ "includeAll": true,
+ "label": "Gateway Namespace",
+ "multi": true,
+ "name": "namespace",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_license_http_rq_total,namespace)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "sort": 5,
+ "type": "query"
+ },
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_PROMETHEUS",
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "browser",
+ "title": "Airlock Microgateway Header Rewrites - Logs",
+ "uid": "adnydadenyadcc",
+ "version": 1,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-headerlogs
+ namespace: syn-airlock-microgateway
+---
+apiVersion: v1
+data:
+ license.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "11.4.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "stat",
+ "name": "Stat",
+ "version": ""
+ },
+ {
+ "type": "panel",
+ "id": "table",
+ "name": "Table",
+ "version": ""
+ },
+ {
+ "type": "panel",
+ "id": "timeseries",
+ "name": "Time series",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "description": "Overview on Airlock Microgateway License attributes and usage.",
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Aggregated status of the Airlock Microgateway licenses selected in the dashboard filter.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "mappings": [
+ {
+ "options": {
+ "0": {
+ "color": "red",
+ "index": 1,
+ "text": "Invalid"
+ },
+ "1": {
+ "color": "green",
+ "index": 0,
+ "text": "Valid"
+ }
+ },
+ "type": "value"
+ }
+ ],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 3,
+ "x": 0,
+ "y": 0
+ },
+ "id": 1,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "area",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "min(microgateway_license_valid * on (service,instance) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})",
+ "instant": true,
+ "legendFormat": "License Status",
+ "range": false,
+ "refId": "Licenses"
+ }
+ ],
+ "title": "License Status",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Next upcoming expiry date over all Airlock Microgateway licenses selected in the dashboard filter.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "time: L"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 4,
+ "x": 3,
+ "y": 0
+ },
+ "id": 4,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "none",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "min(microgateway_license_expiry_timestamp_seconds * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})*1000",
+ "instant": true,
+ "legendFormat": "Expiry Date (MM/DD/YYYY)",
+ "range": false,
+ "refId": "A"
+ }
+ ],
+ "title": "License Expiry Date",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Sum of the number licensed requests over all Airlock Microgateway licenses selected in the dashboard filter.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 4,
+ "x": 7,
+ "y": 0
+ },
+ "id": 6,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "none",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "sum(topk(1, (microgateway_license_max_rq_count_per_month > 0) * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}) by (id))",
+ "instant": true,
+ "legendFormat": "Licensed Requests",
+ "range": false,
+ "refId": "A"
+ }
+ ],
+ "title": "Licensed Requests",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Estimated number of requests over 30 days, based on the request count over the last 7 days across all Microgateway instances using any of the licenses selected in the dashboard filter.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 5,
+ "x": 11,
+ "y": 0
+ },
+ "id": 2,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "none",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "(sum((label_replace(increase(microgateway_license_http_rq_total[7d]), \"namespace\", \"$1\", \"managed_by\", \"(.+)\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}))/7*30",
+ "instant": true,
+ "legendFormat": "Estimated Requests",
+ "range": false,
+ "refId": "A"
+ }
+ ],
+ "title": "Requests over 30 days (estimated)",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Estimated number of application health probe requests over 30 days, based on the expected probe count over the last 7 days across all pods with an Airlock Microgateway sidecar using any of the licenses selected in the dashboard filter.\n\nNote: This value is an approximation, not a precise measurement of the actual probe requests. If possible, we recommend serving health endpoints of applications protected by a Microgateway sidecar on a separate port, as the probe traffic can then be excluded via the 'sidecar.microgateway.airlock.com/excludeInboundPorts' annotation (see docs.airlock.com for more information), which prevents it from polluting Microgateway logs and metrics.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "thresholds"
+ },
+ "mappings": [
+ {
+ "options": {
+ "match": "null",
+ "result": {
+ "index": 0,
+ "text": "0"
+ }
+ },
+ "type": "special"
+ }
+ ],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ },
+ {
+ "color": "#EAB839",
+ "value": 1
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 5,
+ "x": 16,
+ "y": 0
+ },
+ "id": 9,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "none",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "(sum((label_replace(sum_over_time(microgateway_license_health_probe_approx_rq_per_hour[7d:1m])/60, \"namespace\", \"$1\", \"managed_by\", \"(.+)\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}))/7*30",
+ "instant": true,
+ "legendFormat": "Estimated Probes",
+ "range": false,
+ "refId": "A"
+ }
+ ],
+ "title": "Probes over 30 days (estimated)",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Number of requests per week processed by Airlock Microgateway.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "blue",
+ "mode": "fixed"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "auto",
+ "barAlignment": 0,
+ "barWidthFactor": 0.6,
+ "drawStyle": "line",
+ "fillOpacity": 0,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "insertNulls": false,
+ "lineInterpolation": "linear",
+ "lineWidth": 1,
+ "pointSize": 5,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "showPoints": "auto",
+ "spanNulls": false,
+ "stacking": {
+ "group": "A",
+ "mode": "none"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 13,
+ "w": 24,
+ "x": 0,
+ "y": 4
+ },
+ "id": 5,
+ "options": {
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": true
+ },
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "none"
+ }
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "sum((label_replace(avg_over_time(increase(microgateway_license_http_rq_total[7d])[2m:15s]), \"namespace\", \"$1\", \"managed_by\", \"(.+)\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})",
+ "hide": false,
+ "instant": false,
+ "legendFormat": "# Requests per week",
+ "range": true,
+ "refId": "C"
+ }
+ ],
+ "title": "Processed Requests per week",
+ "type": "timeseries"
+ },
+ {
+ "datasource": {
+ "default": false,
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Estimated number of requests over 30 days based on the last 7 days per operator namespace for the Airlock Microgateway licenses selected in the dashboard filter.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "custom": {
+ "align": "auto",
+ "cellOptions": {
+ "type": "auto"
+ },
+ "inspect": false
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ },
+ {
+ "color": "red",
+ "value": 80
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "License ID"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 330
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Requests"
+ },
+ "properties": [
+ {
+ "id": "unit",
+ "value": "short"
+ },
+ {
+ "id": "mappings",
+ "value": [
+ {
+ "options": {
+ "match": "null+nan",
+ "result": {
+ "index": 0,
+ "text": "0"
+ }
+ },
+ "type": "special"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Operator Namespace"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 307
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Probes"
+ },
+ "properties": [
+ {
+ "id": "unit",
+ "value": "short"
+ },
+ {
+ "id": "mappings",
+ "value": [
+ {
+ "options": {
+ "result": {
+ "index": 0,
+ "text": "0"
+ }
+ },
+ "type": "special"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 8,
+ "w": 11,
+ "x": 0,
+ "y": 17
+ },
+ "id": 7,
+ "options": {
+ "cellHeight": "sm",
+ "footer": {
+ "countRows": false,
+ "fields": "",
+ "reducer": [
+ "sum"
+ ],
+ "show": false
+ },
+ "frameIndex": 1,
+ "showHeader": true,
+ "sortBy": []
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "(sum by (namespace, id) ((label_replace(increase(microgateway_license_http_rq_total[7d]), \"namespace\", \"$1\", \"managed_by\", \"(.+)\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}))/7*30",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "Est. Usage over 30 days"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "(min by(namespace) (microgateway_build_info{container=\"manager\"})) * on (namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "Engine License"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "(sum by (namespace, id) ((label_replace((sum_over_time(microgateway_license_health_probe_approx_rq_per_hour[7d:1m])/60), \"namespace\", \"$1\", \"managed_by\", \"(.+)\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}))/7*30",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "Est. Probes over 30 days"
+ }
+ ],
+ "title": "Estimated usage over 30 days by Operator Namespace",
+ "transformations": [
+ {
+ "id": "merge",
+ "options": {}
+ },
+ {
+ "id": "organize",
+ "options": {
+ "excludeByName": {
+ "Time": true,
+ "Value #Engine License": true,
+ "Value #Licensed Req": false,
+ "container": true,
+ "endpoint": true,
+ "instance": true,
+ "job": true,
+ "namespace": false,
+ "pod": true,
+ "service": true,
+ "version": true
+ },
+ "includeByName": {},
+ "indexByName": {
+ "Time": 0,
+ "Value": 3,
+ "id": 2,
+ "namespace": 1
+ },
+ "renameByName": {
+ "Value #Est. Probes over 30 days": "Probes",
+ "Value #Est. Usage over 30 days": "Requests",
+ "Value #License Expiry Date": "Expiry Date",
+ "Value #License Type": "License Type",
+ "Value #Licensed Req": "Licensed Requests",
+ "Value #Validity": "Valid",
+ "id": "License ID",
+ "namespace": "Operator Namespace"
+ }
+ }
+ }
+ ],
+ "type": "table"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Metadata for the Airlock Microgateway licenses selected in the dashboard filter.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "custom": {
+ "align": "auto",
+ "cellOptions": {
+ "type": "auto"
+ },
+ "inspect": false
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ },
+ {
+ "color": "red",
+ "value": 80
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "License ID"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 321
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Valid"
+ },
+ "properties": [
+ {
+ "id": "mappings",
+ "value": [
+ {
+ "options": {
+ "0": {
+ "color": "red",
+ "index": 1,
+ "text": "Invalid"
+ },
+ "1": {
+ "color": "green",
+ "index": 0,
+ "text": "Valid"
+ }
+ },
+ "type": "value"
+ },
+ {
+ "options": {
+ "match": "null+nan",
+ "result": {
+ "color": "red",
+ "index": 2,
+ "text": "Invalid"
+ }
+ },
+ "type": "special"
+ }
+ ]
+ },
+ {
+ "id": "custom.width",
+ "value": 65
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "License Type"
+ },
+ "properties": [
+ {
+ "id": "mappings",
+ "value": [
+ {
+ "options": {
+ "0": {
+ "index": 1,
+ "text": "Community"
+ },
+ "1": {
+ "index": 0,
+ "text": "Premium"
+ }
+ },
+ "type": "value"
+ },
+ {
+ "options": {
+ "match": "null+nan",
+ "result": {
+ "index": 2,
+ "text": "n/a"
+ }
+ },
+ "type": "special"
+ }
+ ]
+ },
+ {
+ "id": "custom.width",
+ "value": 109
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Expiry Date"
+ },
+ "properties": [
+ {
+ "id": "unit",
+ "value": "time:L"
+ },
+ {
+ "id": "custom.width",
+ "value": 130
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Requests over 30 days (estimated)"
+ },
+ "properties": [
+ {
+ "id": "unit",
+ "value": "short"
+ },
+ {
+ "id": "mappings",
+ "value": [
+ {
+ "options": {
+ "match": "null+nan",
+ "result": {
+ "index": 0,
+ "text": "0"
+ }
+ },
+ "type": "special"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Licensed Requests"
+ },
+ "properties": [
+ {
+ "id": "unit",
+ "value": "short"
+ },
+ {
+ "id": "custom.width",
+ "value": 120
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Probes over 30 days (estimated)"
+ },
+ "properties": [
+ {
+ "id": "unit",
+ "value": "short"
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 8,
+ "w": 13,
+ "x": 11,
+ "y": 17
+ },
+ "id": 8,
+ "options": {
+ "cellHeight": "sm",
+ "footer": {
+ "countRows": false,
+ "fields": "",
+ "reducer": [
+ "sum"
+ ],
+ "show": false
+ },
+ "frameIndex": 1,
+ "showHeader": true,
+ "sortBy": [
+ {
+ "desc": false,
+ "displayName": "Expiry Date"
+ }
+ ]
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "min by (id) (microgateway_license_valid * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})",
+ "format": "table",
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "Validity"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "topk(1,microgateway_license_max_rq_count_per_month * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})by (id)",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "Licensed Req"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "min by (id) (microgateway_license_is_premium * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "License Type"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "min by (id) (microgateway_license_expiry_timestamp_seconds * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})*1000",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "License Expiry Date"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "(sum by (id) ((label_replace(increase(microgateway_license_http_rq_total[7d]), \"namespace\", \"$1\", \"managed_by\", \"(.+)\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}))/7*30",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "Est. Usage over 30 days"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "(sum by (id) ((label_replace(sum_over_time(microgateway_license_health_probe_approx_rq_per_hour[7d:1m])/60, \"namespace\", \"$1\", \"managed_by\", \"(.+)\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}))/7*30",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "Est. Probes over 30 days"
+ }
+ ],
+ "title": "License Overview",
+ "transformations": [
+ {
+ "id": "merge",
+ "options": {}
+ },
+ {
+ "id": "organize",
+ "options": {
+ "excludeByName": {
+ "Time": true,
+ "Value #Licensed Req": false,
+ "container": true,
+ "endpoint": true,
+ "instance": true,
+ "job": true,
+ "namespace": true,
+ "pod": true,
+ "service": true
+ },
+ "includeByName": {},
+ "indexByName": {},
+ "renameByName": {
+ "Value #Est. Probes over 30 days": "Probes over 30 days (estimated)",
+ "Value #Est. Usage over 30 days": "Requests over 30 days (estimated)",
+ "Value #License Expiry Date": "Expiry Date",
+ "Value #License Type": "License Type",
+ "Value #Licensed Req": "Licensed Requests",
+ "Value #Validity": "Valid",
+ "id": "License ID",
+ "namespace": "Operator Namespace"
+ }
+ }
+ },
+ {
+ "id": "filterByValue",
+ "options": {
+ "filters": [
+ {
+ "config": {
+ "id": "equal",
+ "options": {
+ "value": ""
+ }
+ },
+ "fieldName": "License ID"
+ }
+ ],
+ "match": "any",
+ "type": "exclude"
+ }
+ }
+ ],
+ "type": "table"
+ }
+ ],
+ "refresh": "",
+ "schemaVersion": 40,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_PROMETHEUS",
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "allValue": ".*",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_license_info,id)",
+ "description": "",
+ "includeAll": true,
+ "label": "License ID",
+ "multi": true,
+ "name": "license_id",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_license_info,id)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "type": "query"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-7d",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "browser",
+ "title": "Airlock Microgateway License",
+ "uid": "cdpq79bzrr01se",
+ "version": 2,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-license
+ namespace: syn-airlock-microgateway
+---
+apiVersion: v1
+data:
+ logOnlyLogs.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_LOKI",
+ "label": "Loki",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "loki",
+ "pluginName": "Loki"
+ },
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "10.2.0"
+ },
+ {
+ "type": "datasource",
+ "id": "loki",
+ "name": "Loki",
+ "version": "1.0.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "table",
+ "name": "Table",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "description": "Log entries of threats logged in log-only mode by Airlock Microgateway.\n\nThe dashboard can be filtered by namespace. Column filters on the table allow for an even more granular filtering of the logs.",
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "datasource": {
+ "default": false,
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "custom": {
+ "align": "auto",
+ "cellOptions": {
+ "type": "auto"
+ },
+ "filterable": true,
+ "inspect": true
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Namespace"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 328
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Timestamp"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 176
+ },
+ {
+ "id": "unit",
+ "value": "time: YYYY-MM-DD HH:mm:ss.SSS"
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "HTTP Method"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 132
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Client IP"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 137
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request ID"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 328
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request Size"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 126
+ },
+ {
+ "id": "unit",
+ "value": "bytes"
+ },
+ {
+ "id": "custom.align",
+ "value": "right"
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 27,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 2,
+ "options": {
+ "cellHeight": "sm",
+ "footer": {
+ "countRows": false,
+ "enablePagination": true,
+ "fields": "",
+ "reducer": [
+ "sum"
+ ],
+ "show": false
+ },
+ "showHeader": true,
+ "sortBy": []
+ },
+ "pluginVersion": "10.2.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "editorMode": "code",
+ "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= `log_only` |= `envoy.access` | json http_method=\"http.request.method\", url=\"url.path\", domain=\"url.domain\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.actions.log_only\", log_type=\"event.dataset\" | label_format log_count=`{{ len (fromJson .details) }}` | log_type = `envoy.access` | log_count > 0",
+ "hide": false,
+ "queryType": "range",
+ "refId": "Log Only Logs"
+ }
+ ],
+ "title": "Threats Logs Log-Only",
+ "transformations": [
+ {
+ "id": "extractFields",
+ "options": {
+ "format": "json",
+ "source": "labels"
+ }
+ },
+ {
+ "id": "filterFieldsByName",
+ "options": {
+ "byVariable": false,
+ "include": {
+ "names": [
+ "Time",
+ "client_ip",
+ "details",
+ "domain",
+ "http_method",
+ "namespace",
+ "request_id",
+ "request_size",
+ "url"
+ ]
+ }
+ }
+ },
+ {
+ "id": "organize",
+ "options": {
+ "excludeByName": {
+ "Line": true,
+ "id": true,
+ "labelTypes": true,
+ "labels": true,
+ "tsNs": false
+ },
+ "includeByName": {},
+ "indexByName": {
+ "Time": 0,
+ "client_ip": 8,
+ "details": 7,
+ "domain": 2,
+ "http_method": 4,
+ "namespace": 1,
+ "request_id": 9,
+ "request_size": 6,
+ "url": 5
+ },
+ "renameByName": {
+ "Time": "Timestamp",
+ "client_ip": "Client IP",
+ "details": "Details",
+ "domain": "URL Domain",
+ "http_method": "HTTP Method",
+ "namespace": "Namespace",
+ "request_id": "Request ID",
+ "request_size": "Request Size",
+ "url": "URL Path"
+ }
+ }
+ }
+ ],
+ "type": "table"
+ }
+ ],
+ "schemaVersion": 39,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_LOKI",
+ "multi": false,
+ "name": "DS_LOKI",
+ "options": [],
+ "query": "loki",
+ "refresh": 1,
+ "regex": "",
+ "skipUrlSync": false,
+ "type": "datasource"
+ },
+ {
+ "allValue": ".*",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_license_http_rq_total,namespace)",
+ "hide": 0,
+ "includeAll": true,
+ "label": "Gateway Namespace",
+ "multi": true,
+ "name": "namespace",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_license_http_rq_total,namespace)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "skipUrlSync": false,
+ "sort": 5,
+ "type": "query"
+ },
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_PROMETHEUS",
+ "multi": false,
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "skipUrlSync": false,
+ "type": "datasource"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "browser",
+ "title": "Airlock Microgateway Threats LogOnly - Logs",
+ "uid": "adnasdfdwnyadcc",
+ "version": 7,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-logonlylogs
+ namespace: syn-airlock-microgateway
+---
+apiVersion: v1
+data:
+ logOnlyMetrics.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "panel",
+ "id": "barchart",
+ "name": "Bar chart",
+ "version": ""
+ },
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "11.4.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "stat",
+ "name": "Stat",
+ "version": ""
+ },
+ {
+ "type": "panel",
+ "id": "timeseries",
+ "name": "Time series",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "description": "Metrics on threats logged by Airlock Microgateway in threat handling mode LogOnly.\n\nDashboard can be filtered by namespaces as well as block types.",
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "collapsed": false,
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 6,
+ "panels": [],
+ "title": "Airlock Microgateway Threats LogOnly - Metrics",
+ "type": "row"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Number of threats logged by Airlock Microgateway in threat handling mode LogOnly.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 4,
+ "x": 0,
+ "y": 1
+ },
+ "id": 2,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "area",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "last"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "disableTextWrap": false,
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "round(sum(increase(microgateway_http_downstream_rq_threats_logged_total{block_type=~\"${blockType:regex}\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range])))",
+ "fullMetaSearch": false,
+ "includeNullMetadata": true,
+ "instant": true,
+ "legendFormat": "Logged threats in LogOnly mode",
+ "range": false,
+ "refId": "A",
+ "useBackend": false
+ }
+ ],
+ "title": "Threats - LogOnly",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Number of threats per second handled in LogOnly mode.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "orange",
+ "mode": "fixed"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "left",
+ "barAlignment": 0,
+ "barWidthFactor": 0.6,
+ "drawStyle": "line",
+ "fillOpacity": 25,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "insertNulls": false,
+ "lineInterpolation": "linear",
+ "lineWidth": 1,
+ "pointSize": 5,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "showPoints": "auto",
+ "spanNulls": false,
+ "stacking": {
+ "group": "A",
+ "mode": "none"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "blue",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 10,
+ "w": 20,
+ "x": 0,
+ "y": 5
+ },
+ "id": 3,
+ "options": {
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": true
+ },
+ "timezone": [
+ ""
+ ],
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "none"
+ }
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "sum(rate(microgateway_http_downstream_rq_threats_logged_total{block_type=~\"${blockType:regex}\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\",gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]))",
+ "instant": false,
+ "legendFormat": "Number of threats per second",
+ "range": true,
+ "refId": "LogOnly Events"
+ }
+ ],
+ "title": "Threats - LogOnly",
+ "type": "timeseries"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Number of threats in LogOnly mode by block type.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "super-light-orange",
+ "mode": "fixed"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisGridShow": true,
+ "axisLabel": "",
+ "axisPlacement": "auto",
+ "fillOpacity": 80,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "lineWidth": 0,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "fieldMinMax": false,
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 11,
+ "w": 10,
+ "x": 0,
+ "y": 15
+ },
+ "id": 4,
+ "options": {
+ "barRadius": 0,
+ "barWidth": 0.8,
+ "fullHighlight": false,
+ "groupWidth": 0.7,
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": false
+ },
+ "orientation": "horizontal",
+ "showValue": "never",
+ "stacking": "none",
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "asc"
+ },
+ "xField": "block_type",
+ "xTickLabelRotation": 0,
+ "xTickLabelSpacing": 0
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "round(sum by (block_type) (increase(microgateway_http_downstream_rq_threats_logged_total{block_type=~\"${blockType:regex}\",managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\",gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range])))",
+ "format": "time_series",
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "A"
+ }
+ ],
+ "title": "Block Type",
+ "transformations": [
+ {
+ "id": "reduce",
+ "options": {
+ "includeTimeField": false,
+ "labelsToFields": true,
+ "mode": "seriesToRows",
+ "reducers": [
+ "sum"
+ ]
+ }
+ }
+ ],
+ "type": "barchart"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Number of threats in LogOnly mode by block subtype, which are subsets of the various block types.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "light-orange",
+ "mode": "fixed"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "auto",
+ "fillOpacity": 80,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "lineWidth": 1,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 11,
+ "w": 10,
+ "x": 10,
+ "y": 15
+ },
+ "id": 5,
+ "options": {
+ "barRadius": 0,
+ "barWidth": 0.8,
+ "fullHighlight": false,
+ "groupWidth": 0.7,
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": false
+ },
+ "orientation": "horizontal",
+ "showValue": "never",
+ "stacking": "none",
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "none"
+ },
+ "xField": "block_subtype",
+ "xTickLabelRotation": 0,
+ "xTickLabelSpacing": 0
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "round(sum by (block_subtype) (increase(microgateway_http_downstream_rq_threats_logged_total{block_type=~\"${blockType:regex}\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\",gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range])))",
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "A"
+ }
+ ],
+ "title": "Block Subtype",
+ "transformations": [
+ {
+ "id": "reduce",
+ "options": {
+ "labelsToFields": true,
+ "reducers": [
+ "sum"
+ ]
+ }
+ }
+ ],
+ "type": "barchart"
+ }
+ ],
+ "refresh": "",
+ "schemaVersion": 40,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "Datasource Prometheus",
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_LOKI",
+ "name": "DS_LOKI",
+ "options": [],
+ "query": "loki",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering on the gateway kind.",
+ "definition": "label_values(microgateway_build_info,gateway_kind)",
+ "includeAll": true,
+ "label": "Gateway Kind",
+ "name": "gateway_kind",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info,gateway_kind)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "allValue": ".+",
+ "current": {},
+ "description" : "Allows filtering on the managing operator instance.",
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_build_info,managed_by)",
+ "includeAll": true,
+ "label": "Operator",
+ "multi": true,
+ "name": "operator",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info,managed_by)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": ".*",
+ "type": "query"
+ },
+ {
+ "current": {},
+ "description" : "Allows filtering on the namespaces in which gateways are deployed.",
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_build_info{managed_by=~\"$operator\"},namespace)",
+ "includeAll": true,
+ "label": "Gateway Namespace",
+ "multi": true,
+ "name": "namespace",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info{managed_by=~\"$operator\"},namespace)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "sort": 5,
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering on specific gateway instance names within the selected namespaces.",
+ "definition": "label_values(microgateway_build_info{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"$gateway_kind\"},gateway)",
+ "includeAll": true,
+ "label": "Gateway Name",
+ "multi": true,
+ "name": "gateway_name",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"$gateway_kind\"},gateway)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering request metrics of the selected SidecarGateway instances on application container port. This filter is ignored for other gateway kinds.",
+ "definition": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"SidecarGateway\", gateway=~\"$gateway_name\"},upstream)",
+ "includeAll": true,
+ "label": "Sidecar Application Port",
+ "multi": true,
+ "name": "sidecar_application_port",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"SidecarGateway\", gateway=~\"$gateway_name\"},upstream)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering request metrics of the selected Gateway instances on the name of their matching HTTPRoute. This filter is ignored for other gateway kinds.",
+ "definition": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=\"Gateway\", gateway=~\"$gateway_name\"},upstream)",
+ "includeAll": true,
+ "label": "Gateway HTTPRoute",
+ "multi": true,
+ "name": "gateway_httproute",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=\"Gateway\", gateway=~\"$gateway_name\"},upstream)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "allValue": ".*",
+ "description" : "Allows filtering on the block type of logged threats.",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_http_downstream_rq_threats_logged_total,block_type)",
+ "includeAll": true,
+ "label": "Block Type",
+ "multi": true,
+ "name": "blockType",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_http_downstream_rq_threats_logged_total,block_type)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "sort": 5,
+ "type": "query"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-24h",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "browser",
+ "title": "Airlock Microgateway Threats LogOnly - Metrics",
+ "uid": "ddnqoczu7qv2mfmsd3dd",
+ "version": 1,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-logonlymetrics
+ namespace: syn-airlock-microgateway
+---
+apiVersion: v1
+data:
+ overview.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "11.4.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "stat",
+ "name": "Stat",
+ "version": ""
+ },
+ {
+ "type": "panel",
+ "id": "table",
+ "name": "Table",
+ "version": ""
+ },
+ {
+ "type": "panel",
+ "id": "timeseries",
+ "name": "Time series",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "collapsed": false,
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 3,
+ "panels": [],
+ "title": "Overview",
+ "type": "row"
+ },
+ {
+ "datasource": {
+ "default": false,
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Aggregated status of Airlock Microgateway resources.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "fieldMinMax": false,
+ "mappings": [
+ {
+ "options": {
+ "0": {
+ "color": "orange",
+ "index": 1,
+ "text": "Warn"
+ },
+ "1": {
+ "color": "green",
+ "index": 0,
+ "text": "OK"
+ }
+ },
+ "type": "value"
+ }
+ ],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "string"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 3,
+ "x": 0,
+ "y": 1
+ },
+ "id": 12,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "area",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "firstNotNull"
+ ],
+ "fields": "",
+ "values": true
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "disableTextWrap": false,
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "min(microgateway_config_resource_condition{namespace=~\"${operator.regex}\", exported_namespace=~\"${namespace.regex}\", kind=~\"${gateway_kind:regex}\", name=~\"${gateway_name:regex}\"})",
+ "format": "table",
+ "fullMetaSearch": false,
+ "includeNullMetadata": true,
+ "instant": true,
+ "legendFormat": "__auto",
+ "range": false,
+ "refId": "Errors",
+ "useBackend": false
+ }
+ ],
+ "title": "System Status",
+ "transformations": [
+ {
+ "id": "organize",
+ "options": {
+ "excludeByName": {},
+ "includeByName": {},
+ "indexByName": {},
+ "renameByName": {
+ "Value": "System Status"
+ }
+ }
+ }
+ ],
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Total number of requests processed by Airlock Microgateway.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "short"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 3,
+ "x": 3,
+ "y": 1
+ },
+ "id": 4,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "none",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "last"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "disableTextWrap": false,
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "round(sum(increase(envoy_cluster_upstream_rq{managed_by=~\"${operator:regex}\",namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]))+\nsum(increase(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]) or on() vector(0)))",
+ "format": "time_series",
+ "fullMetaSearch": false,
+ "hide": false,
+ "includeNullMetadata": true,
+ "instant": true,
+ "legendFormat": "Processed Requests",
+ "range": false,
+ "refId": "Requests",
+ "useBackend": false
+ }
+ ],
+ "title": "Requests",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Ratio of blocked requests vs. processed requests by Airlock Microgateway.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "mappings": [
+ {
+ "options": {
+ "match": "nan",
+ "result": {
+ "index": 0,
+ "text": "n/a"
+ }
+ },
+ "type": "special"
+ }
+ ],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "percentunit"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 3,
+ "x": 6,
+ "y": 1
+ },
+ "id": 5,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "area",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "last"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "disableTextWrap": false,
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "sum(increase(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\",gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]) or on() vector(0))\n/ \n(\nsum(increase(envoy_cluster_upstream_rq{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]))\n+\nsum(increase(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[$__range]) or on() vector(0))\n)",
+ "fullMetaSearch": false,
+ "includeNullMetadata": true,
+ "instant": true,
+ "legendFormat": "Blocked Requests (%)",
+ "range": false,
+ "refId": "A",
+ "useBackend": false
+ }
+ ],
+ "title": "% Blocked Requests",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "License status of Airlock Microgateway.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "mappings": [
+ {
+ "options": {
+ "0": {
+ "color": "red",
+ "index": 1,
+ "text": "Invalid"
+ },
+ "1": {
+ "color": "green",
+ "index": 0,
+ "text": "Valid"
+ }
+ },
+ "type": "value"
+ }
+ ],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 3,
+ "x": 9,
+ "y": 1
+ },
+ "id": 10,
+ "options": {
+ "colorMode": "value",
+ "graphMode": "area",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "percentChangeColorMode": "standard",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showPercentChange": false,
+ "textMode": "auto",
+ "wideLayout": true
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "min(microgateway_license_valid{namespace=~\"${operator.regex}\"})",
+ "instant": true,
+ "legendFormat": "License Status",
+ "range": false,
+ "refId": "Licenses"
+ }
+ ],
+ "title": "License",
+ "type": "stat"
+ },
+ {
+ "collapsed": false,
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 5
+ },
+ "id": 2,
+ "panels": [],
+ "title": "Blocks",
+ "type": "row"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Requests per second processed by Airlock Microgateway along with the corresponding block rate.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "blue",
+ "mode": "fixed"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "left",
+ "barAlignment": 0,
+ "barWidthFactor": 0.6,
+ "drawStyle": "line",
+ "fillOpacity": 0,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "insertNulls": false,
+ "lineInterpolation": "linear",
+ "lineWidth": 1,
+ "pointSize": 5,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "showPoints": "auto",
+ "spanNulls": false,
+ "stacking": {
+ "group": "A",
+ "mode": "none"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "blue",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "% Blocks"
+ },
+ "properties": [
+ {
+ "id": "custom.axisPlacement",
+ "value": "right"
+ },
+ {
+ "id": "unit",
+ "value": "percentunit"
+ },
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "orange",
+ "mode": "fixed"
+ }
+ },
+ {
+ "id": "max",
+ "value": 1
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Requests per second"
+ },
+ "properties": [
+ {
+ "id": "unit",
+ "value": "short"
+ },
+ {
+ "id": "custom.fillOpacity",
+ "value": 25
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 10,
+ "w": 12,
+ "x": 0,
+ "y": 6
+ },
+ "id": 6,
+ "options": {
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": true
+ },
+ "timezone": [
+ ""
+ ],
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "none"
+ }
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "exemplar": false,
+ "expr": "sum(rate(envoy_cluster_upstream_rq{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]))\n+\nsum(rate(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]) or on() vector(0))",
+ "instant": false,
+ "legendFormat": "Requests per second",
+ "range": true,
+ "refId": "Requests per Second"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "sum(rate(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]) or on() vector(0))\n/\n(\nsum(rate(envoy_cluster_upstream_rq{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]))\n+\nsum(rate(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m]) or on() vector(0))\n)",
+ "hide": false,
+ "instant": false,
+ "legendFormat": "% Blocks",
+ "range": true,
+ "refId": "Blocks"
+ }
+ ],
+ "title": "Requests vs. % Blocks",
+ "type": "timeseries"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Threats blocked by Airlock Microgateway categorized by their corresponding block type.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "custom": {
+ "align": "auto",
+ "cellOptions": {
+ "barAlignment": 0,
+ "drawStyle": "line",
+ "gradientMode": "none",
+ "hideValue": false,
+ "lineInterpolation": "linear",
+ "lineStyle": {
+ "dash": [
+ 10,
+ 10
+ ],
+ "fill": "solid"
+ },
+ "showPoints": "never",
+ "spanNulls": false,
+ "type": "sparkline"
+ },
+ "inspect": false
+ },
+ "displayName": "Block Type",
+ "fieldMinMax": false,
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "block_type"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 153
+ },
+ {
+ "id": "custom.cellOptions",
+ "value": {
+ "type": "auto"
+ }
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Trend #Block Types"
+ },
+ "properties": [
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "orange",
+ "mode": "fixed"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 10,
+ "w": 12,
+ "x": 12,
+ "y": 6
+ },
+ "id": 7,
+ "options": {
+ "cellHeight": "lg",
+ "footer": {
+ "countRows": false,
+ "enablePagination": false,
+ "fields": [
+ "Value"
+ ],
+ "reducer": [
+ "sum"
+ ],
+ "show": false
+ },
+ "frameIndex": 0,
+ "showHeader": false,
+ "sortBy": [
+ {
+ "desc": true,
+ "displayName": "block_type"
+ }
+ ]
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "sum by (block_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m] offset -1m))/(60000/$__interval_ms)",
+ "format": "time_series",
+ "hide": false,
+ "instant": false,
+ "legendFormat": "__auto",
+ "range": true,
+ "refId": "Block Types"
+ }
+ ],
+ "title": "Blocked Threats by Block Type",
+ "transformations": [
+ {
+ "id": "timeSeriesTable",
+ "options": {
+ "Block Types": {
+ "stat": "sum",
+ "timeField": "Time"
+ }
+ }
+ }
+ ],
+ "type": "table"
+ },
+ {
+ "collapsed": false,
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 16
+ },
+ "id": 1,
+ "panels": [],
+ "title": "Latency",
+ "type": "row"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Percentiles of the application downstream latency over one minute.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "palette-classic"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "auto",
+ "barAlignment": 0,
+ "barWidthFactor": 0.6,
+ "drawStyle": "line",
+ "fillOpacity": 0,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "insertNulls": false,
+ "lineInterpolation": "linear",
+ "lineWidth": 1,
+ "pointSize": 5,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "showPoints": "auto",
+ "spanNulls": false,
+ "stacking": {
+ "group": "A",
+ "mode": "none"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "ms"
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "25th Percentile"
+ },
+ "properties": [
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "super-light-purple",
+ "mode": "fixed"
+ }
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "50th Percentile"
+ },
+ "properties": [
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "purple",
+ "mode": "fixed"
+ }
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "95th Percentile"
+ },
+ "properties": [
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "dark-purple",
+ "mode": "fixed"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 9,
+ "w": 12,
+ "x": 0,
+ "y": 17
+ },
+ "id": 8,
+ "options": {
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": true
+ },
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "none"
+ }
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "histogram_quantile(0.25, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\"}[1m])) by (le))",
+ "instant": false,
+ "legendFormat": "25th Percentile",
+ "range": true,
+ "refId": "25th Percentile"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "histogram_quantile(0.5, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\"}[1m])) by (le))",
+ "hide": false,
+ "instant": false,
+ "legendFormat": "50th Percentile",
+ "range": true,
+ "refId": "50th Percentile"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "histogram_quantile(0.95, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\",gateway=~\"${gateway_name:regex}\"}[1m])) by (le))",
+ "hide": false,
+ "instant": false,
+ "legendFormat": "95th Percentile",
+ "range": true,
+ "refId": "95th Percentile"
+ }
+ ],
+ "title": "Application Downstream Latency",
+ "type": "timeseries"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description": "Percentiles of the Airlock Microgateway processing time over one minute.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "palette-classic"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "auto",
+ "barAlignment": 0,
+ "barWidthFactor": 0.6,
+ "drawStyle": "line",
+ "fillOpacity": 0,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "insertNulls": false,
+ "lineInterpolation": "linear",
+ "lineWidth": 1,
+ "pointSize": 5,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "showPoints": "auto",
+ "spanNulls": false,
+ "stacking": {
+ "group": "A",
+ "mode": "none"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ },
+ "unit": "ms"
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "25th Percentile"
+ },
+ "properties": [
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "super-light-purple",
+ "mode": "fixed"
+ }
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "50th Percentile"
+ },
+ "properties": [
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "purple",
+ "mode": "fixed"
+ }
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "95th Percentile"
+ },
+ "properties": [
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "dark-purple",
+ "mode": "fixed"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 9,
+ "w": 12,
+ "x": 12,
+ "y": 17
+ },
+ "id": 9,
+ "options": {
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": true
+ },
+ "tooltip": {
+ "maxHeight": 600,
+ "mode": "single",
+ "sort": "none"
+ }
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "histogram_quantile(0.25, sum(rate(microgateway_rq_processing_time_ms_bucket{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m])) by (le))",
+ "instant": false,
+ "legendFormat": "25th Percentile",
+ "range": true,
+ "refId": "0.25 Percentile"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "histogram_quantile(0.5, sum(rate(microgateway_rq_processing_time_ms_bucket{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m])) by (le))",
+ "hide": false,
+ "instant": false,
+ "legendFormat": "50th Percentile",
+ "range": true,
+ "refId": "0.5 Percentile"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
+ "expr": "histogram_quantile(0.95, sum(rate(microgateway_rq_processing_time_ms_bucket{managed_by=~\"${operator:regex}\", namespace=~\"${namespace:regex}\", gateway_kind=~\"${gateway_kind:regex}\", gateway=~\"${gateway_name:regex}\", envoy_cluster_name=~`(^upstream_.+|^httproute/.+)`,upstream=~`(${gateway_httproute:regex}|${sidecar_application_port:regex})`}[1m])) by (le))",
+ "hide": false,
+ "instant": false,
+ "legendFormat": "95th Percentile",
+ "range": true,
+ "refId": "0.95 Percentile"
+ }
+ ],
+ "title": "Airlock Microgateway Processing Time",
+ "type": "timeseries"
+ }
+ ],
+ "refresh": "",
+ "schemaVersion": 40,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_PROMETHEUS",
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_build_info,gateway_kind)",
+ "description": "Allows filtering on the gateway kind.",
+ "includeAll": true,
+ "label": "Gateway Kind",
+ "name": "gateway_kind",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info,gateway_kind)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "allValue": ".+",
+ "description" : "Allows filtering on the managing operator instance.",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_build_info,managed_by)",
+ "includeAll": true,
+ "label": "Microgateway Operator",
+ "multi": true,
+ "name": "operator",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info,managed_by)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": ".*",
+ "type": "query"
+ },
+ {
+ "allValue": ".+",
+ "current": {},
+ "description" : "Allows filtering on the namespaces in which gateways are deployed.",
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_build_info{managed_by=~\"$operator\"},namespace)",
+ "includeAll": true,
+ "label": "Gateway Namespace",
+ "multi": true,
+ "name": "namespace",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info{managed_by=~\"$operator\"},namespace)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering on specific gateway instance names within the selected namespaces.",
+ "definition": "label_values(microgateway_build_info{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"$gateway_kind\"},gateway)",
+ "includeAll": true,
+ "label": "Gateway Name",
+ "multi": true,
+ "name": "gateway_name",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_build_info{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"$gateway_kind\"},gateway)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "sort": 1,
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering request metrics of the selected SidecarGateway instances on application container port. This filter is ignored for other gateway kinds.",
+ "definition": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"SidecarGateway\", gateway=~\"$gateway_name\"},upstream)",
+ "includeAll": true,
+ "label": "Sidecar Application Port",
+ "multi": true,
+ "name": "sidecar_application_port",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"SidecarGateway\", gateway=~\"$gateway_name\"},upstream)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ },
+ {
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "description" : "Allows filtering request metrics of the selected Gateway instances on the name of their matching HTTPRoute. This filter is ignored for other gateway kinds.",
+ "definition": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"Gateway\", gateway=~\"$gateway_name\"},upstream)",
+ "includeAll": true,
+ "label": "Gateway HTTPRoute",
+ "multi": true,
+ "name": "gateway_httproute",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(envoy_cluster_bind_errors{managed_by=~\"$operator\", namespace=~\"$namespace\", gateway_kind=~\"Gateway\", gateway=~\"$gateway_name\"},upstream)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 1,
+ "regex": "",
+ "type": "query"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-24h",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "browser",
+ "title": "Airlock Microgateway Overview",
+ "uid": "fdp5jb8fnrmyoa",
+ "version": 1,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-overview
+ namespace: syn-airlock-microgateway
+---
+apiVersion: v1
+data:
+ requestLogs.json: |-
+ {
+ "__inputs": [
+ {
+ "name": "DS_LOKI",
+ "label": "Loki",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "loki",
+ "pluginName": "Loki"
+ }
+ ],
+ "__elements": {},
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "11.4.0"
+ },
+ {
+ "type": "datasource",
+ "id": "loki",
+ "name": "Loki",
+ "version": "1.0.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "1.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "table",
+ "name": "Table",
+ "version": ""
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": {
+ "type": "grafana",
+ "uid": "-- Grafana --"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [
+ {
+ "asDropdown": true,
+ "icon": "external link",
+ "includeVars": true,
+ "keepTime": true,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "targetBlank": true,
+ "title": "Airlock Microgateway",
+ "tooltip": "",
+ "type": "dashboards",
+ "url": ""
+ }
+ ],
+ "panels": [
+ {
+ "datasource": {
+ "default": false,
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "description": "Request logs by Airlock Microgateway.\n\nThe dashboard can be filtered by namespace. Column filters on the table allow for an even more granular filtering of the logs.",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "fixedColor": "text",
+ "mode": "fixed"
+ },
+ "custom": {
+ "align": "auto",
+ "cellOptions": {
+ "type": "auto"
+ },
+ "filterable": true,
+ "inspect": true
+ },
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Namespace"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 221
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Timestamp"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 214
+ },
+ {
+ "id": "unit",
+ "value": "time: YYYY-MM-DD HH:mm:ss.SSS"
+ },
+ {
+ "id": "custom.filterable"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "HTTP Method"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 140
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Client IP"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 138
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request ID"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 328
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Request Size"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 126
+ },
+ {
+ "id": "unit",
+ "value": "bytes"
+ },
+ {
+ "id": "custom.align",
+ "value": "right"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "URL Path"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 373
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "HTTP Status"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 127
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Airlock Action"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 139
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Response Size"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 148
+ },
+ {
+ "id": "unit",
+ "value": "bytes"
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "URL Domain"
+ },
+ "properties": [
+ {
+ "id": "custom.width",
+ "value": 272
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 27,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 2,
+ "options": {
+ "cellHeight": "sm",
+ "footer": {
+ "countRows": false,
+ "enablePagination": true,
+ "fields": "",
+ "reducer": [
+ "sum"
+ ],
+ "show": false
+ },
+ "showHeader": true,
+ "sortBy": []
+ },
+ "pluginVersion": "11.4.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "loki",
+ "uid": "${DS_LOKI}"
+ },
+ "editorMode": "code",
+ "expr": "{container=\"airlock-microgateway-engine\"} |= \"envoy.access\" | json http_method=\"http.request.method\", url=\"url.path\", domain=\"url.domain\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", response_status=\"http.response.status_code\", response_size=\"http.response.bytes\", action=\"airlock.summary.action\", log_type=\"event.dataset\" | log_type = `envoy.access`",
+ "hide": false,
+ "queryType": "range",
+ "refId": "Request Logs"
+ }
+ ],
+ "title": "Request Logs",
+ "transformations": [
+ {
+ "id": "extractFields",
+ "options": {
+ "format": "json",
+ "source": "labels"
+ }
+ },
+ {
+ "id": "filterFieldsByName",
+ "options": {
+ "byVariable": false,
+ "include": {
+ "names": [
+ "Time",
+ "Line",
+ "client_ip",
+ "domain",
+ "http_method",
+ "namespace",
+ "request_id",
+ "request_size",
+ "response_size",
+ "response_status",
+ "url",
+ "action"
+ ]
+ }
+ }
+ },
+ {
+ "id": "organize",
+ "options": {
+ "excludeByName": {
+ "Line": false,
+ "id": true,
+ "labelTypes": true,
+ "labels": true,
+ "tsNs": false
+ },
+ "includeByName": {},
+ "indexByName": {
+ "Line": 9,
+ "Time": 0,
+ "action": 8,
+ "client_ip": 10,
+ "domain": 2,
+ "http_method": 3,
+ "namespace": 1,
+ "request_id": 11,
+ "request_size": 6,
+ "response_size": 7,
+ "response_status": 5,
+ "url": 4
+ },
+ "renameByName": {
+ "Line": "Details",
+ "Time": "Timestamp",
+ "action": "Airlock Action",
+ "client_ip": "Client IP",
+ "domain": "URL Domain",
+ "http_method": "HTTP Method",
+ "namespace": "Namespace",
+ "request_id": "Request ID",
+ "request_size": "Request Size",
+ "response_size": "Response Size",
+ "response_status": "HTTP Status",
+ "url": "URL Path"
+ }
+ }
+ }
+ ],
+ "type": "table"
+ }
+ ],
+ "schemaVersion": 40,
+ "tags": [
+ "airlock-microgateway"
+ ],
+ "templating": {
+ "list": [
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_LOKI",
+ "name": "DS_LOKI",
+ "options": [],
+ "query": "loki",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ },
+ {
+ "allValue": ".*",
+ "current": {},
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "definition": "label_values(microgateway_license_http_rq_total,namespace)",
+ "includeAll": true,
+ "label": "Gateway Namespace",
+ "multi": true,
+ "name": "namespace",
+ "options": [],
+ "query": {
+ "qryType": 1,
+ "query": "label_values(microgateway_license_http_rq_total,namespace)",
+ "refId": "PrometheusVariableQueryEditor-VariableQuery"
+ },
+ "refresh": 2,
+ "regex": "",
+ "sort": 5,
+ "type": "query"
+ },
+ {
+ "current": {},
+ "hide": 2,
+ "includeAll": false,
+ "label": "DS_PROMETHEUS",
+ "name": "DS_PROMETHEUS",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "browser",
+ "title": "Airlock Microgateway Requests - Logs",
+ "uid": "ee99ioci6gydcb",
+ "version": 1,
+ "weekStart": ""
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ grafana_folder: Airlock Microgateway
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ grafana_dashboard: '1'
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-dashboard-requestlogs
+ namespace: syn-airlock-microgateway
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/deployment.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/deployment.yaml
new file mode 100644
index 0000000..f5a0fbf
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/deployment.yaml
@@ -0,0 +1,141 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator
+ namespace: syn-airlock-microgateway
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/name: microgateway-operator
+ strategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ checksum/config: a736ed8f573b40093b83b2ea1ad793dd11e73f27bbce66df35847fca5d798ffe
+ kubectl.kubernetes.io/default-container: manager
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ spec:
+ containers:
+ - args:
+ - --config=/app/config/operator_config.yaml
+ env:
+ - name: ENGINE_IMAGE
+ value: quay.io/airlock/microgateway-engine@sha256:a9d92f42adbc10a96ab9a029d0c7f51658418946a657ca06f2301c0c5df2c0ab
+ - name: SESSION_AGENT_IMAGE
+ value: quay.io/airlock/microgateway-session-agent@sha256:7c14b0cd10bb302b71f84a074eac7c8caa70869abff8e9327d113bbc7f466637
+ - name: OPERATOR_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: OPERATOR_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: LOG_LEVEL
+ value: info
+ - name: GATEWAY_API_ENABLED
+ value: 'true'
+ - name: GATEWAY_API_CONTROLLER_NAME
+ value: microgateway.airlock.com/gatewayclass-controller
+ - name: GATEWAY_API_POD_MONITOR_CREATE
+ value: 'true'
+ - name: GATEWAY_API_POD_MONITOR_ADDITIONAL_LABELS
+ value: release=kube-prometheus-stack
+ image: quay.io/airlock/microgateway-operator@sha256:0e78a1afdc055537435a937d27dcf9b23bb9886756319858290a3e58d29ec2f6
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ timeoutSeconds: 5
+ name: manager
+ ports:
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ - containerPort: 13377
+ name: xds-server
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ - containerPort: 8081
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ - mountPath: /app/config/license/
+ name: airlock-microgateway-license
+ readOnly: true
+ - mountPath: /app/config/operator_config.yaml
+ name: operator-config
+ subPath: operator_config.yaml
+ - mountPath: /app/config/sidecar/engine_container_template.yaml
+ name: operator-config
+ subPath: engine_container_template.yaml
+ - mountPath: /app/config/sidecar/network_validator_container_template.yaml
+ name: operator-config
+ subPath: network_validator_container_template.yaml
+ - mountPath: /app/config/sidecar/session_agent_container_template.yaml
+ name: operator-config
+ subPath: session_agent_container_template.yaml
+ - mountPath: /app/config/engine_bootstrap_config_template.yaml
+ name: operator-config
+ subPath: engine_bootstrap_config_template.yaml
+ securityContext:
+ runAsNonRoot: true
+ serviceAccountName: airlock-microgateway-operator
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: airlock-microgateway-operator-webhook-server-cert
+ - name: airlock-microgateway-license
+ secret:
+ defaultMode: 292
+ optional: true
+ secretName: airlock-microgateway-license
+ - configMap:
+ name: airlock-microgateway-operator-config
+ name: operator-config
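Review bot: The manager container in this `disable-gateway-api` golden output still runs with `GATEWAY_API_ENABLED` set to `'true'` (env block at the top of the container spec), and the ClusterRole rendered in the same change still grants the operator access to `gateway.networking.k8s.io` resources. If this test case is meant to model a cluster without the Gateway API CRDs installed, the operator is being started with Gateway API reconciliation enabled against CRDs that do not exist; if it only skips installing the CRDs, the fixture name is misleading. Worth confirming against the component's `gateway_api` parameter and, if the chart value that drives this env var is independent, wiring it to the same parameter so the two cannot drift. On the positive side, the operator, engine and session-agent images are all pinned by digest, which is what a supply-chain reviewer wants to see here.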
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/manager-role.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/manager-role.yaml
new file mode 100644
index 0000000..132040d
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/manager-role.yaml
@@ -0,0 +1,232 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-manager-syn-airlock-microgateway
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - namespaces
+ - nodes
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - ''
+ resources:
+ - pods
+ verbs:
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - pods/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - ''
+ resources:
+ - pods/status
+ verbs:
+ - patch
+ - update
+ - apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - replicasets
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - replicasets/finalizers
+ verbs:
+ - patch
+ - update
+ - apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - backendtlspolicies
+ - gateways
+ - httproutes
+ - referencegrants
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - backendtlspolicies/status
+ - gatewayclasses/finalizers
+ - gatewayclasses/status
+ - gateways/finalizers
+ - gateways/status
+ - httproutes/status
+ verbs:
+ - patch
+ - update
+ - apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gatewayclasses
+ verbs:
+ - get
+ - list
+ - patch
+ - watch
+ - apiGroups:
+ - microgateway.airlock.com
+ resources:
+ - accesscontrolpolicies
+ - accesscontrols
+ - apiprotections
+ - contentsecurities
+ - contentsecuritypolicies
+ - csrfprotections
+ - denyrules
+ - envoyclusters
+ - envoyhttpfilters
+ - gatewayparameters
+ - graphqls
+ - headerrewrites
+ - identitypropagations
+ - jwks
+ - limits
+ - oidcproviders
+ - oidcrelyingparties
+ - openapis
+ - parsers
+ - redisproviders
+ - sessionhandlings
+ - telemetries
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - microgateway.airlock.com
+ resources:
+ - accesscontrolpolicies/status
+ - contentsecuritypolicies/status
+ verbs:
+ - patch
+ - update
+ - apiGroups:
+ - microgateway.airlock.com
+ resources:
+ - envoyconfigurations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - microgateway.airlock.com
+ resources:
+ - envoyconfigurations/status
+ - sidecargateways/status
+ verbs:
+ - get
+ - patch
+ - update
+ - apiGroups:
+ - microgateway.airlock.com
+ resources:
+ - sidecargateways
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - microgateway.airlock.com
+ resources:
+ - sidecargateways/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - podmonitors
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
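Review bot: The `secrets` rule in this ClusterRole grants the operator service account `create`, `delete`, `get`, `list`, `patch`, `update` and `watch` cluster-wide, which in practice lets a single workload read and rewrite every Secret in the cluster; the `pods` rule adds cluster-wide `delete`/`patch` on top. This is emitted by the upstream chart rather than written by the component, but it is the most sensitive grant in the rendered output, so the component documentation should state it plainly, e.g. `The operator ClusterRole includes cluster-wide read/write on Secrets and Pods; review before deploying to shared clusters.` If the chart exposes a way to limit the watched namespaces or use namespaced Roles, surfacing that as a component parameter would be the right follow-up.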
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/manager-rolebinding.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/manager-rolebinding.yaml
new file mode 100644
index 0000000..643e7db
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/manager-rolebinding.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-manager-syn-airlock-microgateway
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: airlock-microgateway-operator-manager-syn-airlock-microgateway
+subjects:
+ - kind: ServiceAccount
+ name: airlock-microgateway-operator
+ namespace: syn-airlock-microgateway
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/metrics-service.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/metrics-service.yaml
new file mode 100644
index 0000000..4ec2d93
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/metrics-service.yaml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-metrics
+ namespace: syn-airlock-microgateway
+spec:
+ ports:
+ - appProtocol: http
+ name: metrics
+ port: 8080
+ protocol: TCP
+ selector:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/name: microgateway-operator
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ operator.microgateway.airlock.com/isLeader: 'true'
+ name: airlock-microgateway-operator-leader-metrics
+ namespace: syn-airlock-microgateway
+spec:
+ ports:
+ - appProtocol: http
+ name: metrics
+ port: 8080
+ protocol: TCP
+ selector:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/name: microgateway-operator
+ operator.microgateway.airlock.com/isLeader: 'true'
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/mutating-webhook.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/mutating-webhook.yaml
new file mode 100644
index 0000000..8433b71
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/mutating-webhook.yaml
@@ -0,0 +1,39 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: syn-airlock-microgateway/airlock-microgateway-operator-serving-cert
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-webhook-syn-airlock-microgateway
+ namespace: syn-airlock-microgateway
+webhooks:
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /mutate-v1-pod
+ failurePolicy: Fail
+ name: mutate-pod.microgateway.airlock.com
+ objectSelector:
+ matchLabels:
+ sidecar.microgateway.airlock.com/inject: 'true'
+ reinvocationPolicy: IfNeeded
+ rules:
+ - apiGroups:
+ - ''
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - pods
+ sideEffects: None
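Review bot: `metadata.namespace: syn-airlock-microgateway` is set on a `MutatingWebhookConfiguration`, which is a cluster-scoped resource; the API server discards the field on create, but GitOps tooling can report persistent drift or reject the manifest depending on its version, and the same field appears on the `ValidatingWebhookConfiguration` in this change. The line is produced by the upstream chart, so the clean fix belongs there or in a post-render patch in the component that drops `metadata.namespace` from both webhook configurations. The `failurePolicy: Fail` together with the `sidecar.microgateway.airlock.com/inject: 'true'` object selector is the right default for an injecting webhook, since it only blocks pods that explicitly opt in.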
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/role.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/role.yaml
new file mode 100644
index 0000000..2f4a11e
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/role.yaml
@@ -0,0 +1,45 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-leader-election
+ namespace: syn-airlock-microgateway
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/rolebinding.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/rolebinding.yaml
new file mode 100644
index 0000000..75d0bdd
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/rolebinding.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-leader-election
+ namespace: syn-airlock-microgateway
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: airlock-microgateway-operator-leader-election
+subjects:
+ - kind: ServiceAccount
+ name: airlock-microgateway-operator
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/selfsigned-issuer.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/selfsigned-issuer.yaml
new file mode 100644
index 0000000..c38f476
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/selfsigned-issuer.yaml
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-selfsigned-issuer
+ namespace: syn-airlock-microgateway
+spec:
+ selfSigned: {}
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/serviceaccount.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/serviceaccount.yaml
new file mode 100644
index 0000000..b417d83
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/serviceaccount.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator
+ namespace: syn-airlock-microgateway
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/servicemonitor.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/servicemonitor.yaml
new file mode 100644
index 0000000..f0800f0
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/servicemonitor.yaml
@@ -0,0 +1,63 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ release: kube-prometheus-stack
+ name: airlock-microgateway-operator
+ namespace: syn-airlock-microgateway
+spec:
+ endpoints:
+ - metricRelabelings:
+ - action: drop
+ regex: ^(microgateway_license|microgateway_sidecars).*$
+ sourceLabels:
+ - __name__
+ path: /metrics
+ port: metrics
+ scheme: http
+ selector:
+ matchExpressions:
+ - key: operator.microgateway.airlock.com/isLeader
+ operator: DoesNotExist
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/name: microgateway-operator
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ release: kube-prometheus-stack
+ name: airlock-microgateway-operator-leader
+ namespace: syn-airlock-microgateway
+spec:
+ endpoints:
+ - metricRelabelings:
+ - action: keep
+ regex: ^(microgateway_license|microgateway_sidecars).*$
+ sourceLabels:
+ - __name__
+ path: /metrics
+ port: metrics
+ scheme: http
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/name: microgateway-operator
+ operator.microgateway.airlock.com/isLeader: 'true'
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/serving-certificate.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/serving-certificate.yaml
new file mode 100644
index 0000000..37e0445
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/serving-certificate.yaml
@@ -0,0 +1,21 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-serving-cert
+ namespace: syn-airlock-microgateway
+spec:
+ dnsNames:
+ - airlock-microgateway-operator-webhook.syn-airlock-microgateway.svc
+ - airlock-microgateway-operator-webhook.syn-airlock-microgateway.svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: airlock-microgateway-operator-selfsigned-issuer
+ secretName: airlock-microgateway-operator-webhook-server-cert
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-admission-policy-binding.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-admission-policy-binding.yaml
new file mode 100644
index 0000000..df80a71
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-admission-policy-binding.yaml
@@ -0,0 +1,18 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ annotations: null
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-immutable-labels-syn-airlock-microgateway
+spec:
+ matchResources: null
+ policyName: airlock-microgateway-operator-immutable-labels-syn-airlock-microgateway
+ validationActions:
+ - Deny
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-admission-policy.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-admission-policy.yaml
new file mode 100644
index 0000000..5fef008
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-admission-policy.yaml
@@ -0,0 +1,60 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ annotations: null
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-immutable-labels-syn-airlock-microgateway
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ objectSelector:
+ matchLabels:
+ microgateway.airlock.com/managedBy: syn-airlock-microgateway
+ resourceRules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - UPDATE
+ resources:
+ - envoyconfigurations
+ - apiGroups:
+ - apps
+ apiVersions:
+ - v1
+ operations:
+ - UPDATE
+ resources:
+ - deployments
+ - replicasets
+ - apiGroups:
+ - ''
+ apiVersions:
+ - v1
+ operations:
+ - UPDATE
+ resources:
+ - services
+ - apiGroups:
+ - monitoring.coreos.com
+ apiVersions:
+ - v1
+ operations:
+ - UPDATE
+ resources:
+ - podmonitors
+ validations:
+ - expression: object.metadata.?labels[?'microgateway.airlock.com/managedBy'] ==
+ oldObject.metadata.?labels[?'microgateway.airlock.com/managedBy']
+ message: label 'microgateway.airlock.com/managedBy' is immutable
+ - expression: object.metadata.?labels[?'gateway.networking.k8s.io/gateway-name']
+ == oldObject.metadata.?labels[?'gateway.networking.k8s.io/gateway-name']
+ message: label 'gateway.networking.k8s.io/gateway-name' is immutable
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-webhook.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-webhook.yaml
new file mode 100644
index 0000000..798ad18
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/validating-webhook.yaml
@@ -0,0 +1,479 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: syn-airlock-microgateway/airlock-microgateway-operator-serving-cert
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-webhook-syn-airlock-microgateway
+ namespace: syn-airlock-microgateway
+webhooks:
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-accesscontrol
+ failurePolicy: Fail
+ name: validate-accesscontrol.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - accesscontrols
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-accesscontrolpolicy
+ failurePolicy: Fail
+ name: validate-accesscontrolpolicy.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - accesscontrolpolicies
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-apiprotection
+ failurePolicy: Fail
+ name: validate-apiprotection.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - apiprotections
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-contentsecurity
+ failurePolicy: Fail
+ name: validate-contentsecurity.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - contentsecurities
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-contentsecuritypolicy
+ failurePolicy: Fail
+ name: validate-contentsecuritypolicy.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - contentsecuritypolicies
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-csrfprotection
+ failurePolicy: Fail
+ name: validate-csrfprotection.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - csrfprotections
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-denyrules
+ failurePolicy: Fail
+ name: validate-denyrules.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - denyrules
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-envoycluster
+ failurePolicy: Fail
+ name: validate-envoycluster.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - envoyclusters
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-envoyhttpfilter
+ failurePolicy: Fail
+ name: validate-envoyhttpfilter.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - envoyhttpfilters
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-gatewayparameters
+ failurePolicy: Fail
+ name: validate-gatewayparameters.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - gatewayparameters
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-graphql
+ failurePolicy: Fail
+ name: validate-graphql.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - graphqls
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-headerrewrites
+ failurePolicy: Fail
+ name: validate-headerrewrites.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - headerrewrites
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-identitypropagation
+ failurePolicy: Fail
+ name: validate-identitypropagation.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - identitypropagations
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-jwks
+ failurePolicy: Fail
+ name: validate-jwks.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - jwks
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-limits
+ failurePolicy: Fail
+ name: validate-limits.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - limits
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-oidcprovider
+ failurePolicy: Fail
+ name: validate-oidcprovider.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - oidcproviders
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-oidcrelyingparty
+ failurePolicy: Fail
+ name: validate-oidcrelyingparty.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - oidcrelyingparties
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-openapi
+ failurePolicy: Fail
+ name: validate-openapi.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - openapis
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-parser
+ failurePolicy: Fail
+ name: validate-parser.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - parsers
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-redisprovider
+ failurePolicy: Fail
+ name: validate-redisprovider.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - redisproviders
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-sessionhandling
+ failurePolicy: Fail
+ name: validate-sessionhandling.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - sessionhandlings
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-microgateway-airlock-com-v1alpha1-sidecargateway
+ failurePolicy: Fail
+ name: validate-sidecargateway.microgateway.airlock.com
+ rules:
+ - apiGroups:
+ - microgateway.airlock.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - sidecargateways
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+ path: /validate-v1-pod
+ failurePolicy: Fail
+ name: validate-pod.microgateway.airlock.com
+ objectSelector:
+ matchLabels:
+ sidecar.microgateway.airlock.com/inject: 'true'
+ rules:
+ - apiGroups:
+ - ''
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - pods
+ sideEffects: None
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/webhook-service.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/webhook-service.yaml
new file mode 100644
index 0000000..9a0c652
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/webhook-service.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-webhook
+ namespace: syn-airlock-microgateway
+spec:
+ ports:
+ - appProtocol: https
+ name: webhook
+ port: 443
+ protocol: TCP
+ targetPort: 9443
+ selector:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/name: microgateway-operator
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/xds-service.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/xds-service.yaml
new file mode 100644
index 0000000..889840c
--- /dev/null
+++ b/tests/golden/disable-gateway-api/airlock-microgateway/airlock-microgateway/01_airlock-microgateway_helmchart/microgateway/templates/operator/xds-service.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: microgateway-operator
+ app.kubernetes.io/part-of: microgateway
+ app.kubernetes.io/version: 4.5.2
+ helm.sh/chart: microgateway-4.5.2
+ name: airlock-microgateway-operator-xds
+ namespace: syn-airlock-microgateway
+spec:
+ ports:
+ - appProtocol: grpc
+ name: xds
+ port: 13377
+ protocol: TCP
+ targetPort: 13377
+ selector:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: airlock-microgateway
+ app.kubernetes.io/name: microgateway-operator
+ operator.microgateway.airlock.com/isLeader: 'true'
diff --git a/tests/golden/disable-gateway-api/airlock-microgateway/apps/airlock-microgateway.yaml b/tests/golden/disable-gateway-api/airlock-microgateway/apps/airlock-microgateway.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/tests/golden/olm/airlock-microgateway/airlock-microgateway/00_prerequisites/00_gateway_api/standard-install.yaml b/tests/golden/olm/airlock-microgateway/airlock-microgateway/00_prerequisites/00_gateway_api/standard-install.yaml
new file mode 100644
index 0000000..5bf4f30
--- /dev/null
+++ b/tests/golden/olm/airlock-microgateway/airlock-microgateway/00_prerequisites/00_gateway_api/standard-install.yaml
@@ -0,0 +1,10345 @@
+# Copyright 2024 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# Gateway API Standard channel install
+#
+---
+#
+# config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/channel: standard
+ creationTimestamp: null
+ name: gatewayclasses.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: GatewayClass
+ listKind: GatewayClassList
+ plural: gatewayclasses
+ shortNames:
+ - gc
+ singular: gatewayclass
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.controllerName
+ name: Controller
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status
+ name: Accepted
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - jsonPath: .spec.description
+ name: Description
+ priority: 1
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ GatewayClass describes a class of Gateways available to the user for creating
+ Gateway resources.
+
+ It is recommended that this resource be used as a template for Gateways. This
+ means that a Gateway is based on the state of the GatewayClass at the time it
+ was created and changes to the GatewayClass or associated parameters are not
+ propagated down to existing Gateways. This recommendation is intended to
+ limit the blast radius of changes to GatewayClass or associated parameters.
+ If implementations choose to propagate GatewayClass changes to existing
+ Gateways, that MUST be clearly documented by the implementation.
+
+ Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ associated GatewayClass. This ensures that a GatewayClass associated with a
+ Gateway is not deleted while in use.
+
+ GatewayClass is a Cluster level resource.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of GatewayClass.
+ properties:
+ controllerName:
+ description: |-
+ ControllerName is the name of the controller that is managing Gateways of
+ this class. The value of this field MUST be a domain prefixed path.
+
+ Example: "example.net/gateway-controller".
+
+ This field is not mutable and cannot be empty.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ x-kubernetes-validations:
+ - message: Value is immutable
+ rule: self == oldSelf
+ description:
+ description: Description helps describe a GatewayClass with more details.
+ maxLength: 64
+ type: string
+ parametersRef:
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the GatewayClass. This is optional if the
+ controller does not require any additional configuration.
+
+ ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+ or an implementation-specific custom resource. The resource can be
+ cluster-scoped or namespace-scoped.
+
+ If the referent cannot be found, refers to an unsupported kind, or when
+ the data within that resource is malformed, the GatewayClass SHOULD be
+ rejected with the "Accepted" status condition set to "False" and an
+ "InvalidParameters" reason.
+
+ A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent.
+ This field is required when referring to a Namespace-scoped resource and
+ MUST be unset when referring to a Cluster-scoped resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - controllerName
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: |-
+ Status defines the current state of GatewayClass.
+
+ Implementations MUST populate status on all GatewayClass resources which
+ specify their controller name.
+ properties:
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: |-
+ Conditions is the current status from the controller for
+ this GatewayClass.
+
+ Controllers should prefer to publish conditions using values
+ of GatewayClassConditionType for the type of each Condition.
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .spec.controllerName
+ name: Controller
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status
+ name: Accepted
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - jsonPath: .spec.description
+ name: Description
+ priority: 1
+ type: string
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ GatewayClass describes a class of Gateways available to the user for creating
+ Gateway resources.
+
+ It is recommended that this resource be used as a template for Gateways. This
+ means that a Gateway is based on the state of the GatewayClass at the time it
+ was created and changes to the GatewayClass or associated parameters are not
+ propagated down to existing Gateways. This recommendation is intended to
+ limit the blast radius of changes to GatewayClass or associated parameters.
+ If implementations choose to propagate GatewayClass changes to existing
+ Gateways, that MUST be clearly documented by the implementation.
+
+ Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ associated GatewayClass. This ensures that a GatewayClass associated with a
+ Gateway is not deleted while in use.
+
+ GatewayClass is a Cluster level resource.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of GatewayClass.
+ properties:
+ controllerName:
+ description: |-
+ ControllerName is the name of the controller that is managing Gateways of
+ this class. The value of this field MUST be a domain prefixed path.
+
+ Example: "example.net/gateway-controller".
+
+ This field is not mutable and cannot be empty.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ x-kubernetes-validations:
+ - message: Value is immutable
+ rule: self == oldSelf
+ description:
+ description: Description helps describe a GatewayClass with more details.
+ maxLength: 64
+ type: string
+ parametersRef:
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the GatewayClass. This is optional if the
+ controller does not require any additional configuration.
+
+ ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+ or an implementation-specific custom resource. The resource can be
+ cluster-scoped or namespace-scoped.
+
+ If the referent cannot be found, refers to an unsupported kind, or when
+ the data within that resource is malformed, the GatewayClass SHOULD be
+ rejected with the "Accepted" status condition set to "False" and an
+ "InvalidParameters" reason.
+
+ A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent.
+ This field is required when referring to a Namespace-scoped resource and
+ MUST be unset when referring to a Cluster-scoped resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - controllerName
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: |-
+ Status defines the current state of GatewayClass.
+
+ Implementations MUST populate status on all GatewayClass resources which
+ specify their controller name.
+ properties:
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: |-
+ Conditions is the current status from the controller for
+ this GatewayClass.
+
+ Controllers should prefer to publish conditions using values
+ of GatewayClassConditionType for the type of each Condition.
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/standard/gateway.networking.k8s.io_gateways.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/channel: standard
+ creationTimestamp: null
+ name: gateways.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: Gateway
+ listKind: GatewayList
+ plural: gateways
+ shortNames:
+ - gtw
+ singular: gateway
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.gatewayClassName
+ name: Class
+ type: string
+ - jsonPath: .status.addresses[*].value
+ name: Address
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+ name: Programmed
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Gateway represents an instance of a service-traffic handling infrastructure
+ by binding Listeners to a set of IP addresses.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of Gateway.
+ properties:
+ addresses:
+ description: |+
+ Addresses requested for this Gateway. This is optional and behavior can
+ depend on the implementation. If a value is set in the spec and the
+ requested address is invalid or unavailable, the implementation MUST
+ indicate this in the associated entry in GatewayStatus.Addresses.
+
+ The Addresses field represents a request for the address(es) on the
+ "outside of the Gateway", that traffic bound for this Gateway will use.
+ This could be the IP address or hostname of an external load balancer or
+ other networking infrastructure, or some other address that traffic will
+ be sent to.
+
+ If no Addresses are specified, the implementation MAY schedule the
+ Gateway in an implementation-specific manner, assigning an appropriate
+ set of Addresses.
+
+ The implementation MUST bind all Listeners to every GatewayAddress that
+ it assigns to the Gateway and add a corresponding entry in
+ GatewayStatus.Addresses.
+
+ Support: Extended
+
+ items:
+ description: GatewayAddress describes an address that can be bound
+ to a Gateway.
+ oneOf:
+ - properties:
+ type:
+ enum:
+ - IPAddress
+ value:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ - properties:
+ type:
+ not:
+ enum:
+ - IPAddress
+ properties:
+ type:
+ default: IPAddress
+ description: Type of the address.
+ maxLength: 253
+ minLength: 1
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ value:
+ description: |-
+ Value of the address. The validity of the values will depend
+ on the type and support by the controller.
+
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ x-kubernetes-validations:
+ - message: Hostname value must only contain valid characters (matching
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
+ true'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: IPAddress values must be unique
+ rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,
+ a2.type == a1.type && a2.value == a1.value) : true )'
+ - message: Hostname values must be unique
+ rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
+ a2.type == a1.type && a2.value == a1.value) : true )'
+ gatewayClassName:
+ description: |-
+ GatewayClassName used for this Gateway. This is the name of a
+ GatewayClass resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ infrastructure:
+ description: |-
+ Infrastructure defines infrastructure level attributes about this Gateway instance.
+
+ Support: Extended
+ properties:
+ annotations:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: |-
+ Annotations that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+
+ An implementation may chose to add additional implementation-specific annotations as they see fit.
+
+ Support: Extended
+ maxProperties: 8
+ type: object
+ x-kubernetes-validations:
+ - message: Annotation keys must be in the form of an optional
+ DNS subdomain prefix followed by a required name segment of
+ up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the annotation key's prefix must be a
+ DNS subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ labels:
+ additionalProperties:
+ description: |-
+ LabelValue is the value of a label in the Gateway API. This is used for validation
+ of maps such as Gateway infrastructure labels. This matches the Kubernetes
+ label validation rules:
+ * must be 63 characters or less (can be empty),
+ * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]),
+ * could contain dashes (-), underscores (_), dots (.), and alphanumerics between.
+
+ Valid values include:
+
+ * MyValue
+ * my.name
+ * 123-my-value
+ maxLength: 63
+ minLength: 0
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ Labels that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+
+ An implementation may chose to add additional implementation-specific labels as they see fit.
+
+ If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+ change, it SHOULD clearly warn about this behavior in documentation.
+
+ Support: Extended
+ maxProperties: 8
+ type: object
+ x-kubernetes-validations:
+ - message: Label keys must be in the form of an optional DNS subdomain
+ prefix followed by a required name segment of up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the label key's prefix must be a DNS
+ subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ parametersRef:
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the Gateway. This is optional if the
+ controller does not require any additional configuration.
+
+ This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+
+ The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ type: object
+ listeners:
+ description: |-
+ Listeners associated with this Gateway. Listeners define
+ logical endpoints that are bound on this Gateway's addresses.
+ At least one Listener MUST be specified.
+
+ Each Listener in a set of Listeners (for example, in a single Gateway)
+ MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+ exactly one listener. (This section uses "set of Listeners" rather than
+ "Listeners in a single Gateway" because implementations MAY merge configuration
+ from multiple Gateways onto a single data plane, and these rules _also_
+ apply in that case).
+
+ Practically, this means that each listener in a set MUST have a unique
+ combination of Port, Protocol, and, if supported by the protocol, Hostname.
+
+ Some combinations of port, protocol, and TLS settings are considered
+ Core support and MUST be supported by implementations based on their
+ targeted conformance profile:
+
+ HTTP Profile
+
+ 1. HTTPRoute, Port: 80, Protocol: HTTP
+ 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+
+ TLS Profile
+
+ 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+
+ "Distinct" Listeners have the following property:
+
+ The implementation can match inbound requests to a single distinct
+ Listener. When multiple Listeners share values for fields (for
+ example, two Listeners with the same Port value), the implementation
+ can match requests to only one of the Listeners using other
+ Listener fields.
+
+ For example, the following Listener scenarios are distinct:
+
+ 1. Multiple Listeners with the same Port that all use the "HTTP"
+ Protocol that all have unique Hostname values.
+ 2. Multiple Listeners with the same Port that use either the "HTTPS" or
+ "TLS" Protocol that all have unique Hostname values.
+ 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener
+ with the same Protocol has the same Port value.
+
+ Some fields in the Listener struct have possible values that affect
+ whether the Listener is distinct. Hostname is particularly relevant
+ for HTTP or HTTPS protocols.
+
+ When using the Hostname value to select between same-Port, same-Protocol
+ Listeners, the Hostname value must be different on each Listener for the
+ Listener to be distinct.
+
+ When the Listeners are distinct based on Hostname, inbound request
+ hostnames MUST match from the most specific to least specific Hostname
+ values to choose the correct Listener and its associated set of Routes.
+
+ Exact matches must be processed before wildcard matches, and wildcard
+ matches must be processed before fallback (empty Hostname value)
+ matches. For example, `"foo.example.com"` takes precedence over
+ `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+
+ Additionally, if there are multiple wildcard entries, more specific
+ wildcard entries must be processed before less specific wildcard entries.
+ For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+ The precise definition here is that the higher the number of dots in the
+ hostname to the right of the wildcard character, the higher the precedence.
+
+ The wildcard character will match any number of characters _and dots_ to
+ the left, however, so `"*.example.com"` will match both
+ `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+
+ If a set of Listeners contains Listeners that are not distinct, then those
+ Listeners are Conflicted, and the implementation MUST set the "Conflicted"
+ condition in the Listener Status to "True".
+
+ Implementations MAY choose to accept a Gateway with some Conflicted
+ Listeners only if they only accept the partial Listener set that contains
+ no Conflicted Listeners. To put this another way, implementations may
+ accept a partial Listener set only if they throw out *all* the conflicting
+ Listeners. No picking one of the conflicting listeners as the winner.
+ This also means that the Gateway must have at least one non-conflicting
+ Listener in this case, otherwise it violates the requirement that at
+ least one Listener must be present.
+
+ The implementation MUST set a "ListenersNotValid" condition on the
+ Gateway Status when the Gateway contains Conflicted Listeners whether or
+ not they accept the Gateway. That Condition SHOULD clearly
+ indicate in the Message which Listeners are conflicted, and which are
+ Accepted. Additionally, the Listener status for those listeners SHOULD
+ indicate which Listeners are conflicted and not Accepted.
+
+ A Gateway's Listeners are considered "compatible" if:
+
+ 1. They are distinct.
+ 2. The implementation can serve them in compliance with the Addresses
+ requirement that all Listeners are available on all assigned
+ addresses.
+
+ Compatible combinations in Extended support are expected to vary across
+ implementations. A combination that is compatible for one implementation
+ may not be compatible for another.
+
+ For example, an implementation that cannot serve both TCP and UDP listeners
+ on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+ would not consider those cases compatible, even though they are distinct.
+
+ Note that requests SHOULD match at most one Listener. For example, if
+ Listeners are defined for "foo.example.com" and "*.example.com", a
+ request to "foo.example.com" SHOULD only be routed using routes attached
+ to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+ This concept is known as "Listener Isolation". Implementations that do
+ not support Listener Isolation MUST clearly document this.
+
+ Implementations MAY merge separate Gateways onto a single set of
+ Addresses if all Listeners across all Gateways are compatible.
+
+ Support: Core
+ items:
+ description: |-
+ Listener embodies the concept of a logical endpoint where a Gateway accepts
+ network connections.
+ properties:
+ allowedRoutes:
+ default:
+ namespaces:
+ from: Same
+ description: |-
+ AllowedRoutes defines the types of routes that MAY be attached to a
+ Listener and the trusted namespaces where those Route resources MAY be
+ present.
+
+ Although a client request may match multiple route rules, only one rule
+ may ultimately receive the request. Matching precedence MUST be
+ determined in order of the following criteria:
+
+ * The most specific match as defined by the Route type.
+ * The oldest Route based on creation timestamp. For example, a Route with
+ a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+ a Route with a creation timestamp of "2020-09-08 01:02:04".
+ * If everything else is equivalent, the Route appearing first in
+ alphabetical order (namespace/name) should be given precedence. For
+ example, foo/bar is given precedence over foo/baz.
+
+ All valid rules within a Route attached to this Listener should be
+ implemented. Invalid Route rules can be ignored (sometimes that will mean
+ the full Route). If a Route rule transitions from valid to invalid,
+ support for that Route rule should be dropped to ensure consistency. For
+ example, even if a filter specified by a Route rule is invalid, the rest
+ of the rules within that Route should still be supported.
+
+ Support: Core
+ properties:
+ kinds:
+ description: |-
+ Kinds specifies the groups and kinds of Routes that are allowed to bind
+ to this Gateway Listener. When unspecified or empty, the kinds of Routes
+ selected are determined using the Listener protocol.
+
+ A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+ with the application protocol specified in the Listener's Protocol field.
+ If an implementation does not support or recognize this resource type, it
+ MUST set the "ResolvedRefs" condition to False for this Listener with the
+ "InvalidRouteKinds" reason.
+
+ Support: Core
+ items:
+ description: RouteGroupKind indicates the group and kind
+ of a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ namespaces:
+ default:
+ from: Same
+ description: |-
+ Namespaces indicates namespaces from which Routes may be attached to this
+ Listener. This is restricted to the namespace of this Gateway by default.
+
+ Support: Core
+ properties:
+ from:
+ default: Same
+ description: |-
+ From indicates where Routes will be selected for this Gateway. Possible
+ values are:
+
+ * All: Routes in all namespaces may be used by this Gateway.
+ * Selector: Routes in namespaces selected by the selector may be used by
+ this Gateway.
+ * Same: Only Routes in the same namespace may be used by this Gateway.
+
+ Support: Core
+ enum:
+ - All
+ - Selector
+ - Same
+ type: string
+ selector:
+ description: |-
+ Selector must be specified when From is set to "Selector". In that case,
+ only Routes in Namespaces matching this Selector will be selected by this
+ Gateway. This field is ignored for other values of "From".
+
+ Support: Core
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: object
+ hostname:
+ description: |-
+ Hostname specifies the virtual hostname to match for protocol types that
+ define this concept. When unspecified, all hostnames are matched. This
+ field is ignored for protocols that don't require hostname based
+ matching.
+
+ Implementations MUST apply Hostname matching appropriately for each of
+ the following protocols:
+
+ * TLS: The Listener Hostname MUST match the SNI.
+ * HTTP: The Listener Hostname MUST match the Host header of the request.
+ * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+ protocol layers as described above. If an implementation does not
+ ensure that both the SNI and Host header match the Listener hostname,
+ it MUST clearly document that.
+
+ For HTTPRoute and TLSRoute resources, there is an interaction with the
+ `spec.hostnames` array. When both listener and route specify hostnames,
+ there MUST be an intersection between the values for a Route to be
+ accepted. For more information, refer to the Route specific Hostnames
+ documentation.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ name:
+ description: |-
+ Name is the name of the Listener. This name MUST be unique within a
+ Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ port:
+ description: |-
+ Port is the network port. Multiple listeners may use the
+ same port, subject to the Listener compatibility rules.
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ description: |-
+ Protocol specifies the network protocol this listener expects to receive.
+
+ Support: Core
+ maxLength: 255
+ minLength: 1
+ pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
+ type: string
+ tls:
+ description: |-
+ TLS is the TLS configuration for the Listener. This field is required if
+ the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+ if the Protocol field is "HTTP", "TCP", or "UDP".
+
+ The association of SNIs to Certificate defined in GatewayTLSConfig is
+ defined based on the Hostname field for this listener.
+
+ The GatewayClass MUST use the longest matching SNI out of all
+ available certificates for any TLS handshake.
+
+ Support: Core
+ properties:
+ certificateRefs:
+ description: |-
+ CertificateRefs contains a series of references to Kubernetes objects that
+ contains TLS certificates and private keys. These certificates are used to
+ establish a TLS handshake for requests that match the hostname of the
+ associated listener.
+
+ A single CertificateRef to a Kubernetes Secret has "Core" support.
+ Implementations MAY choose to support attaching multiple certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ This field is required to have at least one element when the mode is set
+ to "Terminate" (default) and is optional otherwise.
+
+ CertificateRefs can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+
+ Support: Implementation-specific (More than one reference or other resource types)
+ items:
+ description: |-
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 64
+ type: array
+ mode:
+ default: Terminate
+ description: |-
+ Mode defines the TLS behavior for the TLS session initiated by the client.
+ There are two possible modes:
+
+ - Terminate: The TLS session between the downstream client and the
+ Gateway is terminated at the Gateway. This mode requires certificates
+ to be specified in some way, such as populating the certificateRefs
+ field.
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This
+ implies that the Gateway can't decipher the TLS stream except for
+ the ClientHello message of the TLS protocol. The certificateRefs field
+ is ignored in this mode.
+
+ Support: Core
+ enum:
+ - Terminate
+ - Passthrough
+ type: string
+ options:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: |-
+ Options are a list of key/value pairs to enable extended TLS
+ configuration for each implementation. For example, configuring the
+ minimum TLS version or supported cipher suites.
+
+ A set of common keys MAY be defined by the API in the future. To avoid
+ any ambiguity, implementation-specific definitions MUST use
+ domain-prefixed names, such as `example.com/my-custom-option`.
+ Un-prefixed names are reserved for key names defined by Gateway API.
+
+ Support: Implementation-specific
+ maxProperties: 16
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: certificateRefs or options must be specified when
+ mode is Terminate
+ rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
+ > 0 || size(self.options) > 0 : true'
+ required:
+ - name
+ - port
+ - protocol
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: tls must not be specified for protocols ['HTTP', 'TCP',
+ 'UDP']
+ rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
+ !has(l.tls) : true)'
+ - message: tls mode must be Terminate for protocol HTTPS
+ rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode
+ == '''' || l.tls.mode == ''Terminate'') : true)'
+ - message: hostname must not be specified for protocols ['TCP', 'UDP']
+ rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
+ || l.hostname == '''') : true)'
+ - message: Listener name must be unique within the Gateway
+ rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
+ - message: Combination of port, protocol and hostname must be unique
+ for each listener
+ rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol
+ == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname
+ == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'
+ required:
+ - gatewayClassName
+ - listeners
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: Status defines the current state of Gateway.
+ properties:
+ addresses:
+ description: |+
+ Addresses lists the network addresses that have been bound to the
+ Gateway.
+
+ This list may differ from the addresses provided in the spec under some
+ conditions:
+
+ * no addresses are specified, all addresses are dynamically assigned
+ * a combination of specified and dynamic addresses are assigned
+ * a specified address was unusable (e.g. already in use)
+
+ items:
+ description: GatewayStatusAddress describes a network address that
+ is bound to a Gateway.
+ oneOf:
+ - properties:
+ type:
+ enum:
+ - IPAddress
+ value:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ - properties:
+ type:
+ not:
+ enum:
+ - IPAddress
+ properties:
+ type:
+ default: IPAddress
+ description: Type of the address.
+ maxLength: 253
+ minLength: 1
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ value:
+ description: |-
+ Value of the address. The validity of the values will depend
+ on the type and support by the controller.
+
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ x-kubernetes-validations:
+ - message: Hostname value must only contain valid characters (matching
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
+ true'
+ maxItems: 16
+ type: array
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: |-
+ Conditions describe the current conditions of the Gateway.
+
+ Implementations should prefer to express Gateway conditions
+ using the `GatewayConditionType` and `GatewayConditionReason`
+ constants so that operators and tools can converge on a common
+ vocabulary to describe Gateway state.
+
+ Known condition types are:
+
+ * "Accepted"
+ * "Programmed"
+ * "Ready"
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ listeners:
+ description: Listeners provide status for each unique listener port
+ defined in the Spec.
+ items:
+ description: ListenerStatus is the status associated with a Listener.
+ properties:
+ attachedRoutes:
+ description: |-
+ AttachedRoutes represents the total number of Routes that have been
+ successfully attached to this Listener.
+
+ Successful attachment of a Route to a Listener is based solely on the
+ combination of the AllowedRoutes field on the corresponding Listener
+ and the Route's ParentRefs field. A Route is successfully attached to
+ a Listener when it is selected by the Listener's AllowedRoutes field
+ AND the Route has a valid ParentRef selecting the whole Gateway
+ resource or a specific Listener as a parent resource (more detail on
+ attachment semantics can be found in the documentation on the various
+ Route kinds ParentRefs fields). Listener or Route status does not impact
+ successful attachment, i.e. the AttachedRoutes field count MUST be set
+ for Listeners with condition Accepted: false and MUST count successfully
+ attached Routes that may themselves have Accepted: false conditions.
+
+ Uses for this field include troubleshooting Route attachment and
+ measuring blast radius/impact of changes to a Listener.
+ format: int32
+ type: integer
+ conditions:
+ description: Conditions describe the current condition of this
+ listener.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ name:
+ description: Name is the name of the Listener that this status
+ corresponds to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ supportedKinds:
+ description: |-
+ SupportedKinds is the list indicating the Kinds supported by this
+ listener. This MUST represent the kinds an implementation supports for
+ that Listener configuration.
+
+ If kinds are specified in Spec that are not supported, they MUST NOT
+ appear in this list and an implementation MUST set the "ResolvedRefs"
+ condition to "False" with the "InvalidRouteKinds" reason. If both valid
+ and invalid Route kinds are specified, the implementation MUST
+ reference the valid Route kinds that have been specified.
+ items:
+ description: RouteGroupKind indicates the group and kind of
+ a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ required:
+ - attachedRoutes
+ - conditions
+ - name
+ - supportedKinds
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .spec.gatewayClassName
+ name: Class
+ type: string
+ - jsonPath: .status.addresses[*].value
+ name: Address
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+ name: Programmed
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Gateway represents an instance of a service-traffic handling infrastructure
+ by binding Listeners to a set of IP addresses.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of Gateway.
+ properties:
+ addresses:
+ description: |+
+ Addresses requested for this Gateway. This is optional and behavior can
+ depend on the implementation. If a value is set in the spec and the
+ requested address is invalid or unavailable, the implementation MUST
+ indicate this in the associated entry in GatewayStatus.Addresses.
+
+ The Addresses field represents a request for the address(es) on the
+ "outside of the Gateway", that traffic bound for this Gateway will use.
+ This could be the IP address or hostname of an external load balancer or
+ other networking infrastructure, or some other address that traffic will
+ be sent to.
+
+ If no Addresses are specified, the implementation MAY schedule the
+ Gateway in an implementation-specific manner, assigning an appropriate
+ set of Addresses.
+
+ The implementation MUST bind all Listeners to every GatewayAddress that
+ it assigns to the Gateway and add a corresponding entry in
+ GatewayStatus.Addresses.
+
+ Support: Extended
+
+ items:
+ description: GatewayAddress describes an address that can be bound
+ to a Gateway.
+ oneOf:
+ - properties:
+ type:
+ enum:
+ - IPAddress
+ value:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ - properties:
+ type:
+ not:
+ enum:
+ - IPAddress
+ properties:
+ type:
+ default: IPAddress
+ description: Type of the address.
+ maxLength: 253
+ minLength: 1
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ value:
+ description: |-
+ Value of the address. The validity of the values will depend
+ on the type and support by the controller.
+
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ x-kubernetes-validations:
+ - message: Hostname value must only contain valid characters (matching
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
+ true'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: IPAddress values must be unique
+ rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,
+ a2.type == a1.type && a2.value == a1.value) : true )'
+ - message: Hostname values must be unique
+ rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
+ a2.type == a1.type && a2.value == a1.value) : true )'
+ gatewayClassName:
+ description: |-
+ GatewayClassName used for this Gateway. This is the name of a
+ GatewayClass resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ infrastructure:
+ description: |-
+ Infrastructure defines infrastructure level attributes about this Gateway instance.
+
+ Support: Extended
+ properties:
+ annotations:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: |-
+ Annotations that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+
+ An implementation may chose to add additional implementation-specific annotations as they see fit.
+
+ Support: Extended
+ maxProperties: 8
+ type: object
+ x-kubernetes-validations:
+ - message: Annotation keys must be in the form of an optional
+ DNS subdomain prefix followed by a required name segment of
+ up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the annotation key's prefix must be a
+ DNS subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ labels:
+ additionalProperties:
+ description: |-
+ LabelValue is the value of a label in the Gateway API. This is used for validation
+ of maps such as Gateway infrastructure labels. This matches the Kubernetes
+ label validation rules:
+ * must be 63 characters or less (can be empty),
+ * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]),
+ * could contain dashes (-), underscores (_), dots (.), and alphanumerics between.
+
+ Valid values include:
+
+ * MyValue
+ * my.name
+ * 123-my-value
+ maxLength: 63
+ minLength: 0
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ Labels that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+
+ An implementation may chose to add additional implementation-specific labels as they see fit.
+
+ If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+ change, it SHOULD clearly warn about this behavior in documentation.
+
+ Support: Extended
+ maxProperties: 8
+ type: object
+ x-kubernetes-validations:
+ - message: Label keys must be in the form of an optional DNS subdomain
+ prefix followed by a required name segment of up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the label key's prefix must be a DNS
+ subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ parametersRef:
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the Gateway. This is optional if the
+ controller does not require any additional configuration.
+
+ This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+
+ The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ type: object
+ listeners:
+ description: |-
+ Listeners associated with this Gateway. Listeners define
+ logical endpoints that are bound on this Gateway's addresses.
+ At least one Listener MUST be specified.
+
+ Each Listener in a set of Listeners (for example, in a single Gateway)
+ MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+ exactly one listener. (This section uses "set of Listeners" rather than
+ "Listeners in a single Gateway" because implementations MAY merge configuration
+ from multiple Gateways onto a single data plane, and these rules _also_
+ apply in that case).
+
+ Practically, this means that each listener in a set MUST have a unique
+ combination of Port, Protocol, and, if supported by the protocol, Hostname.
+
+ Some combinations of port, protocol, and TLS settings are considered
+ Core support and MUST be supported by implementations based on their
+ targeted conformance profile:
+
+ HTTP Profile
+
+ 1. HTTPRoute, Port: 80, Protocol: HTTP
+ 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+
+ TLS Profile
+
+ 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+
+ "Distinct" Listeners have the following property:
+
+ The implementation can match inbound requests to a single distinct
+ Listener. When multiple Listeners share values for fields (for
+ example, two Listeners with the same Port value), the implementation
+ can match requests to only one of the Listeners using other
+ Listener fields.
+
+ For example, the following Listener scenarios are distinct:
+
+ 1. Multiple Listeners with the same Port that all use the "HTTP"
+ Protocol that all have unique Hostname values.
+ 2. Multiple Listeners with the same Port that use either the "HTTPS" or
+ "TLS" Protocol that all have unique Hostname values.
+ 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener
+ with the same Protocol has the same Port value.
+
+ Some fields in the Listener struct have possible values that affect
+ whether the Listener is distinct. Hostname is particularly relevant
+ for HTTP or HTTPS protocols.
+
+ When using the Hostname value to select between same-Port, same-Protocol
+ Listeners, the Hostname value must be different on each Listener for the
+ Listener to be distinct.
+
+ When the Listeners are distinct based on Hostname, inbound request
+ hostnames MUST match from the most specific to least specific Hostname
+ values to choose the correct Listener and its associated set of Routes.
+
+ Exact matches must be processed before wildcard matches, and wildcard
+ matches must be processed before fallback (empty Hostname value)
+ matches. For example, `"foo.example.com"` takes precedence over
+ `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+
+ Additionally, if there are multiple wildcard entries, more specific
+ wildcard entries must be processed before less specific wildcard entries.
+ For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+ The precise definition here is that the higher the number of dots in the
+ hostname to the right of the wildcard character, the higher the precedence.
+
+ The wildcard character will match any number of characters _and dots_ to
+ the left, however, so `"*.example.com"` will match both
+ `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+
+ If a set of Listeners contains Listeners that are not distinct, then those
+ Listeners are Conflicted, and the implementation MUST set the "Conflicted"
+ condition in the Listener Status to "True".
+
+ Implementations MAY choose to accept a Gateway with some Conflicted
+ Listeners only if they only accept the partial Listener set that contains
+ no Conflicted Listeners. To put this another way, implementations may
+ accept a partial Listener set only if they throw out *all* the conflicting
+ Listeners. No picking one of the conflicting listeners as the winner.
+ This also means that the Gateway must have at least one non-conflicting
+ Listener in this case, otherwise it violates the requirement that at
+ least one Listener must be present.
+
+ The implementation MUST set a "ListenersNotValid" condition on the
+ Gateway Status when the Gateway contains Conflicted Listeners whether or
+ not they accept the Gateway. That Condition SHOULD clearly
+ indicate in the Message which Listeners are conflicted, and which are
+ Accepted. Additionally, the Listener status for those listeners SHOULD
+ indicate which Listeners are conflicted and not Accepted.
+
+ A Gateway's Listeners are considered "compatible" if:
+
+ 1. They are distinct.
+ 2. The implementation can serve them in compliance with the Addresses
+ requirement that all Listeners are available on all assigned
+ addresses.
+
+ Compatible combinations in Extended support are expected to vary across
+ implementations. A combination that is compatible for one implementation
+ may not be compatible for another.
+
+ For example, an implementation that cannot serve both TCP and UDP listeners
+ on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+ would not consider those cases compatible, even though they are distinct.
+
+ Note that requests SHOULD match at most one Listener. For example, if
+ Listeners are defined for "foo.example.com" and "*.example.com", a
+ request to "foo.example.com" SHOULD only be routed using routes attached
+ to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+ This concept is known as "Listener Isolation". Implementations that do
+ not support Listener Isolation MUST clearly document this.
+
+ Implementations MAY merge separate Gateways onto a single set of
+ Addresses if all Listeners across all Gateways are compatible.
+
+ Support: Core
+ items:
+ description: |-
+ Listener embodies the concept of a logical endpoint where a Gateway accepts
+ network connections.
+ properties:
+ allowedRoutes:
+ default:
+ namespaces:
+ from: Same
+ description: |-
+ AllowedRoutes defines the types of routes that MAY be attached to a
+ Listener and the trusted namespaces where those Route resources MAY be
+ present.
+
+ Although a client request may match multiple route rules, only one rule
+ may ultimately receive the request. Matching precedence MUST be
+ determined in order of the following criteria:
+
+ * The most specific match as defined by the Route type.
+ * The oldest Route based on creation timestamp. For example, a Route with
+ a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+ a Route with a creation timestamp of "2020-09-08 01:02:04".
+ * If everything else is equivalent, the Route appearing first in
+ alphabetical order (namespace/name) should be given precedence. For
+ example, foo/bar is given precedence over foo/baz.
+
+ All valid rules within a Route attached to this Listener should be
+ implemented. Invalid Route rules can be ignored (sometimes that will mean
+ the full Route). If a Route rule transitions from valid to invalid,
+ support for that Route rule should be dropped to ensure consistency. For
+ example, even if a filter specified by a Route rule is invalid, the rest
+ of the rules within that Route should still be supported.
+
+ Support: Core
+ properties:
+ kinds:
+ description: |-
+ Kinds specifies the groups and kinds of Routes that are allowed to bind
+ to this Gateway Listener. When unspecified or empty, the kinds of Routes
+ selected are determined using the Listener protocol.
+
+ A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+ with the application protocol specified in the Listener's Protocol field.
+ If an implementation does not support or recognize this resource type, it
+ MUST set the "ResolvedRefs" condition to False for this Listener with the
+ "InvalidRouteKinds" reason.
+
+ Support: Core
+ items:
+ description: RouteGroupKind indicates the group and kind
+ of a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ namespaces:
+ default:
+ from: Same
+ description: |-
+ Namespaces indicates namespaces from which Routes may be attached to this
+ Listener. This is restricted to the namespace of this Gateway by default.
+
+ Support: Core
+ properties:
+ from:
+ default: Same
+ description: |-
+ From indicates where Routes will be selected for this Gateway. Possible
+ values are:
+
+ * All: Routes in all namespaces may be used by this Gateway.
+ * Selector: Routes in namespaces selected by the selector may be used by
+ this Gateway.
+ * Same: Only Routes in the same namespace may be used by this Gateway.
+
+ Support: Core
+ enum:
+ - All
+ - Selector
+ - Same
+ type: string
+ selector:
+ description: |-
+ Selector must be specified when From is set to "Selector". In that case,
+ only Routes in Namespaces matching this Selector will be selected by this
+ Gateway. This field is ignored for other values of "From".
+
+ Support: Core
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: object
+ hostname:
+ description: |-
+ Hostname specifies the virtual hostname to match for protocol types that
+ define this concept. When unspecified, all hostnames are matched. This
+ field is ignored for protocols that don't require hostname based
+ matching.
+
+ Implementations MUST apply Hostname matching appropriately for each of
+ the following protocols:
+
+ * TLS: The Listener Hostname MUST match the SNI.
+ * HTTP: The Listener Hostname MUST match the Host header of the request.
+ * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+ protocol layers as described above. If an implementation does not
+ ensure that both the SNI and Host header match the Listener hostname,
+ it MUST clearly document that.
+
+ For HTTPRoute and TLSRoute resources, there is an interaction with the
+ `spec.hostnames` array. When both listener and route specify hostnames,
+ there MUST be an intersection between the values for a Route to be
+ accepted. For more information, refer to the Route specific Hostnames
+ documentation.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ name:
+ description: |-
+ Name is the name of the Listener. This name MUST be unique within a
+ Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ port:
+ description: |-
+ Port is the network port. Multiple listeners may use the
+ same port, subject to the Listener compatibility rules.
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ protocol:
+ description: |-
+ Protocol specifies the network protocol this listener expects to receive.
+
+ Support: Core
+ maxLength: 255
+ minLength: 1
+ pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
+ type: string
+ tls:
+ description: |-
+ TLS is the TLS configuration for the Listener. This field is required if
+ the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+ if the Protocol field is "HTTP", "TCP", or "UDP".
+
+ The association of SNIs to Certificate defined in GatewayTLSConfig is
+ defined based on the Hostname field for this listener.
+
+ The GatewayClass MUST use the longest matching SNI out of all
+ available certificates for any TLS handshake.
+
+ Support: Core
+ properties:
+ certificateRefs:
+ description: |-
+ CertificateRefs contains a series of references to Kubernetes objects that
+ contains TLS certificates and private keys. These certificates are used to
+ establish a TLS handshake for requests that match the hostname of the
+ associated listener.
+
+ A single CertificateRef to a Kubernetes Secret has "Core" support.
+ Implementations MAY choose to support attaching multiple certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ This field is required to have at least one element when the mode is set
+ to "Terminate" (default) and is optional otherwise.
+
+ CertificateRefs can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+
+ Support: Implementation-specific (More than one reference or other resource types)
+ items:
+ description: |-
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 64
+ type: array
+ mode:
+ default: Terminate
+ description: |-
+ Mode defines the TLS behavior for the TLS session initiated by the client.
+ There are two possible modes:
+
+ - Terminate: The TLS session between the downstream client and the
+ Gateway is terminated at the Gateway. This mode requires certificates
+ to be specified in some way, such as populating the certificateRefs
+ field.
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This
+ implies that the Gateway can't decipher the TLS stream except for
+ the ClientHello message of the TLS protocol. The certificateRefs field
+ is ignored in this mode.
+
+ Support: Core
+ enum:
+ - Terminate
+ - Passthrough
+ type: string
+ options:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: |-
+ Options are a list of key/value pairs to enable extended TLS
+ configuration for each implementation. For example, configuring the
+ minimum TLS version or supported cipher suites.
+
+ A set of common keys MAY be defined by the API in the future. To avoid
+ any ambiguity, implementation-specific definitions MUST use
+ domain-prefixed names, such as `example.com/my-custom-option`.
+ Un-prefixed names are reserved for key names defined by Gateway API.
+
+ Support: Implementation-specific
+ maxProperties: 16
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: certificateRefs or options must be specified when
+ mode is Terminate
+ rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
+ > 0 || size(self.options) > 0 : true'
+ required:
+ - name
+ - port
+ - protocol
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: tls must not be specified for protocols ['HTTP', 'TCP',
+ 'UDP']
+ rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
+ !has(l.tls) : true)'
+ - message: tls mode must be Terminate for protocol HTTPS
+ rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode
+ == '''' || l.tls.mode == ''Terminate'') : true)'
+ - message: hostname must not be specified for protocols ['TCP', 'UDP']
+ rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
+ || l.hostname == '''') : true)'
+ - message: Listener name must be unique within the Gateway
+ rule: self.all(l1, self.exists_one(l2, l1.name == l2.name))
+ - message: Combination of port, protocol and hostname must be unique
+ for each listener
+ rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol
+ == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname
+ == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'
+ required:
+ - gatewayClassName
+ - listeners
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: Status defines the current state of Gateway.
+ properties:
+ addresses:
+ description: |+
+ Addresses lists the network addresses that have been bound to the
+ Gateway.
+
+ This list may differ from the addresses provided in the spec under some
+ conditions:
+
+ * no addresses are specified, all addresses are dynamically assigned
+ * a combination of specified and dynamic addresses are assigned
+ * a specified address was unusable (e.g. already in use)
+
+ items:
+ description: GatewayStatusAddress describes a network address that
+ is bound to a Gateway.
+ oneOf:
+ - properties:
+ type:
+ enum:
+ - IPAddress
+ value:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ - properties:
+ type:
+ not:
+ enum:
+ - IPAddress
+ properties:
+ type:
+ default: IPAddress
+ description: Type of the address.
+ maxLength: 253
+ minLength: 1
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ value:
+ description: |-
+ Value of the address. The validity of the values will depend
+ on the type and support by the controller.
+
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ x-kubernetes-validations:
+ - message: Hostname value must only contain valid characters (matching
+ ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
+ true'
+ maxItems: 16
+ type: array
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: |-
+ Conditions describe the current conditions of the Gateway.
+
+ Implementations should prefer to express Gateway conditions
+ using the `GatewayConditionType` and `GatewayConditionReason`
+ constants so that operators and tools can converge on a common
+ vocabulary to describe Gateway state.
+
+ Known condition types are:
+
+ * "Accepted"
+ * "Programmed"
+ * "Ready"
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ listeners:
+ description: Listeners provide status for each unique listener port
+ defined in the Spec.
+ items:
+ description: ListenerStatus is the status associated with a Listener.
+ properties:
+ attachedRoutes:
+ description: |-
+ AttachedRoutes represents the total number of Routes that have been
+ successfully attached to this Listener.
+
+ Successful attachment of a Route to a Listener is based solely on the
+ combination of the AllowedRoutes field on the corresponding Listener
+ and the Route's ParentRefs field. A Route is successfully attached to
+ a Listener when it is selected by the Listener's AllowedRoutes field
+ AND the Route has a valid ParentRef selecting the whole Gateway
+ resource or a specific Listener as a parent resource (more detail on
+ attachment semantics can be found in the documentation on the various
+ Route kinds ParentRefs fields). Listener or Route status does not impact
+ successful attachment, i.e. the AttachedRoutes field count MUST be set
+ for Listeners with condition Accepted: false and MUST count successfully
+ attached Routes that may themselves have Accepted: false conditions.
+
+ Uses for this field include troubleshooting Route attachment and
+ measuring blast radius/impact of changes to a Listener.
+ format: int32
+ type: integer
+ conditions:
+ description: Conditions describe the current condition of this
+ listener.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ name:
+ description: Name is the name of the Listener that this status
+ corresponds to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ supportedKinds:
+ description: |-
+ SupportedKinds is the list indicating the Kinds supported by this
+ listener. This MUST represent the kinds an implementation supports for
+ that Listener configuration.
+
+ If kinds are specified in Spec that are not supported, they MUST NOT
+ appear in this list and an implementation MUST set the "ResolvedRefs"
+ condition to "False" with the "InvalidRouteKinds" reason. If both valid
+ and invalid Route kinds are specified, the implementation MUST
+ reference the valid Route kinds that have been specified.
+ items:
+ description: RouteGroupKind indicates the group and kind of
+ a Route resource.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group of the Route.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the kind of the Route.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ required:
+ - kind
+ type: object
+ maxItems: 8
+ type: array
+ required:
+ - attachedRoutes
+ - conditions
+ - name
+ - supportedKinds
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/channel: standard
+ creationTimestamp: null
+ name: grpcroutes.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: GRPCRoute
+ listKind: GRPCRouteList
+ plural: grpcroutes
+ singular: grpcroute
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.hostnames
+ name: Hostnames
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ GRPCRoute provides a way to route gRPC requests. This includes the capability
+ to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.
+ Filters can be used to specify additional processing steps. Backends specify
+ where matching requests will be routed.
+
+ GRPCRoute falls under extended support within the Gateway API. Within the
+ following specification, the word "MUST" indicates that an implementation
+ supporting GRPCRoute must conform to the indicated requirement, but an
+ implementation not supporting this route type need not follow the requirement
+ unless explicitly indicated.
+
+ Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST
+ accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via
+ ALPN. If the implementation does not support this, then it MUST set the
+ "Accepted" condition to "False" for the affected listener with a reason of
+ "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections
+ with an upgrade from HTTP/1.
+
+ Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST
+ support HTTP/2 over cleartext TCP (h2c,
+ https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial
+ upgrade from HTTP/1.1, i.e. with prior knowledge
+ (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation
+ does not support this, then it MUST set the "Accepted" condition to "False"
+ for the affected listener with a reason of "UnsupportedProtocol".
+ Implementations MAY also accept HTTP/2 connections with an upgrade from
+ HTTP/1, i.e. without prior knowledge.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of GRPCRoute.
+ properties:
+ hostnames:
+ description: |-
+ Hostnames defines a set of hostnames to match against the GRPC
+ Host header to select a GRPCRoute to process the request. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label MUST appear by itself as the first label.
+
+ If a hostname is specified by both the Listener and GRPCRoute, there
+ MUST be at least one intersecting hostname for the GRPCRoute to be
+ attached to the Listener. For example:
+
+ * A Listener with `test.example.com` as the hostname matches GRPCRoutes
+ that have either not specified any hostnames, or have specified at
+ least one of `test.example.com` or `*.example.com`.
+ * A Listener with `*.example.com` as the hostname matches GRPCRoutes
+ that have either not specified any hostnames or have specified at least
+ one hostname that matches the Listener hostname. For example,
+ `test.example.com` and `*.example.com` would both match. On the other
+ hand, `example.com` and `test.example.net` would not match.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ If both the Listener and GRPCRoute have specified hostnames, any
+ GRPCRoute hostnames that do not match the Listener hostname MUST be
+ ignored. For example, if a Listener specified `*.example.com`, and the
+ GRPCRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` MUST NOT be considered for a match.
+
+ If both the Listener and GRPCRoute have specified hostnames, and none
+ match with the criteria above, then the GRPCRoute MUST NOT be accepted by
+ the implementation. The implementation MUST raise an 'Accepted' Condition
+ with a status of `False` in the corresponding RouteParentStatus.
+
+ If a Route (A) of type HTTPRoute or GRPCRoute is attached to a
+ Listener and that listener already has another Route (B) of the other
+ type attached and the intersection of the hostnames of A and B is
+ non-empty, then the implementation MUST accept exactly one of these two
+ routes, determined by the following criteria, in order:
+
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
+
+ The rejected Route MUST raise an 'Accepted' condition with a status of
+ 'False' in the corresponding RouteParentStatus.
+
+ Support: Core
+ items:
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ type: array
+ parentRefs:
+ description: |+
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+
+
+
+
+ items:
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-validations:
+ - message: sectionName must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''')) : true))'
+ - message: sectionName must be unique when parentRefs includes 2 or
+ more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName))))
+ rules:
+ description: |+
+ Rules are a list of GRPC matchers, filters and actions.
+
+ items:
+ description: |-
+ GRPCRouteRule defines the semantics for matching a gRPC request based on
+ conditions (matches), processing it (filters), and forwarding the request to
+ an API object (backendRefs).
+ properties:
+ backendRefs:
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent.
+
+ Failure behavior here depends on how many BackendRefs are specified and
+ how many are invalid.
+
+ If *all* entries in BackendRefs are invalid, and there are also no filters
+ specified in this route rule, *all* traffic which matches this rule MUST
+ receive an `UNAVAILABLE` status.
+
+ See the GRPCBackendRef definition for the rules about what makes a single
+ GRPCBackendRef invalid.
+
+ When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for
+ requests that would have otherwise been routed to an invalid backend. If
+ multiple backends are specified, and some are invalid, the proportion of
+ requests that would otherwise have been routed to an invalid backend
+ MUST receive an `UNAVAILABLE` status.
+
+ For example, if two backends are specified with equal weights, and one is
+ invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status.
+ Implementations may choose how that 50 percent is determined.
+
+ Support: Core for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Core
+ items:
+ description: |-
+ GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
+ properties:
+ filters:
+ description: |-
+ Filters defined at this level MUST be executed if and only if the
+ request is being forwarded to the backend defined here.
+
+ Support: Implementation-specific (For broader support of filters, use the
+ Filters field in GRPCRouteRule.)
+ items:
+ description: |-
+ GRPCRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. GRPCRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ Support: Implementation-specific
+
+ This filter can be used multiple times within the same rule.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |+
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations supporting GRPCRoute MUST support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` MUST be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ enum:
+ - ResponseHeaderModifier
+ - RequestHeaderModifier
+ - RequestMirror
+ - ExtensionRef
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil
+ if the filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type
+ != ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type
+ == ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil
+ if the filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type
+ != ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for
+ RequestMirror filter.type
+ rule: '!(!has(self.requestMirror) && self.type ==
+ ''RequestMirror'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for
+ ExtensionRef filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ filters:
+ description: |-
+ Filters define the filters that are applied to requests that match
+ this rule.
+
+ The effects of ordering of multiple behaviors are currently unspecified.
+ This can change in the future based on feedback during the alpha stage.
+
+ Conformance-levels at this level are defined based on the type of filter:
+
+ - ALL core filters MUST be supported by all implementations that support
+ GRPCRoute.
+ - Implementers are encouraged to support extended filters.
+ - Implementation-specific custom filters have no API guarantees across
+ implementations.
+
+ Specifying the same filter multiple times is not supported unless explicitly
+ indicated in the filter.
+
+ If an implementation can not support a combination of filters, it must clearly
+ document that limitation. In cases where incompatible or unsupported
+ filters are specified and cause the `Accepted` condition to be set to status
+ `False`, implementations may use the `IncompatibleFilters` reason to specify
+ this configuration error.
+
+ Support: Core
+ items:
+ description: |-
+ GRPCRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. GRPCRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ Support: Implementation-specific
+
+ This filter can be used multiple times within the same rule.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |+
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations supporting GRPCRoute MUST support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` MUST be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ enum:
+ - ResponseHeaderModifier
+ - RequestHeaderModifier
+ - RequestMirror
+ - ExtensionRef
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil if the
+ filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type !=
+ ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==
+ ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil if the
+ filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type !=
+ ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for RequestMirror
+ filter.type
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for ExtensionRef
+ filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ matches:
+ description: |-
+ Matches define conditions used for matching the rule against incoming
+ gRPC requests. Each match is independent, i.e. this rule will be matched
+ if **any** one of the matches is satisfied.
+
+ For example, take the following matches configuration:
+
+ ```
+ matches:
+ - method:
+ service: foo.bar
+ headers:
+ values:
+ version: 2
+ - method:
+ service: foo.bar.v2
+ ```
+
+ For a request to match against this rule, it MUST satisfy
+ EITHER of the two conditions:
+
+ - service of foo.bar AND contains the header `version: 2`
+ - service of foo.bar.v2
+
+ See the documentation for GRPCRouteMatch on how to specify multiple
+ match conditions to be ANDed together.
+
+ If no matches are specified, the implementation MUST match every gRPC request.
+
+ Proxy or Load Balancer routing configuration generated from GRPCRoutes
+ MUST prioritize rules based on the following criteria, continuing on
+ ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
+ Precedence MUST be given to the rule with the largest number of:
+
+ * Characters in a matching non-wildcard hostname.
+ * Characters in a matching hostname.
+ * Characters in a matching service.
+ * Characters in a matching method.
+ * Header matches.
+
+ If ties still exist across multiple Routes, matching precedence MUST be
+ determined in order of the following criteria, continuing on ties:
+
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
+
+ If ties still exist within the Route that has been given precedence,
+ matching precedence MUST be granted to the first matching rule meeting
+ the above criteria.
+ items:
+ description: |-
+ GRPCRouteMatch defines the predicate used to match requests to a given
+ action. Multiple match types are ANDed together, i.e. the match will
+ evaluate to true only if all conditions are satisfied.
+
+ For example, the match below will match a gRPC request only if its service
+ is `foo` AND it contains the `version: v1` header:
+
+ ```
+ matches:
+ - method:
+ type: Exact
+ service: "foo"
+ headers:
+ - name: "version"
+ value "v1"
+
+ ```
+ properties:
+ headers:
+ description: |-
+ Headers specifies gRPC request header matchers. Multiple match values are
+ ANDed together, meaning, a request MUST match all the specified headers
+ to select the route.
+ items:
+ description: |-
+ GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request
+ headers.
+ properties:
+ name:
+ description: |-
+ Name is the name of the gRPC Header to be matched.
+
+ If multiple entries specify equivalent header names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: Type specifies how to match against
+ the value of the header.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of the gRPC Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ method:
+ description: |-
+ Method specifies a gRPC request service/method matcher. If this field is
+ not specified, all services and methods will match.
+ properties:
+ method:
+ description: |-
+ Value of the method to match against. If left empty or omitted, will
+ match all services.
+
+ At least one of Service and Method MUST be a non-empty string.
+ maxLength: 1024
+ type: string
+ service:
+ description: |-
+ Value of the service to match against. If left empty or omitted, will
+ match any service.
+
+ At least one of Service and Method MUST be a non-empty string.
+ maxLength: 1024
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the service and/or method.
+ Support: Core (Exact with service and method specified)
+
+ Support: Implementation-specific (Exact with method specified but no service specified)
+
+ Support: Implementation-specific (RegularExpression)
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: One or both of 'service' or 'method' must be
+ specified
+ rule: 'has(self.type) ? has(self.service) || has(self.method)
+ : true'
+ - message: service must only contain valid characters
+ (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$)
+ rule: '(!has(self.type) || self.type == ''Exact'') &&
+ has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""):
+ true'
+ - message: method must only contain valid characters (matching
+ ^[A-Za-z_][A-Za-z_0-9]*$)
+ rule: '(!has(self.type) || self.type == ''Exact'') &&
+ has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""):
+ true'
+ type: object
+ maxItems: 8
+ type: array
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: While 16 rules and 64 matches per rule are allowed, the
+ total number of matches across all rules in a route must be less
+ than 128
+ rule: '(self.size() > 0 ? (has(self[0].matches) ? self[0].matches.size()
+ : 0) : 0) + (self.size() > 1 ? (has(self[1].matches) ? self[1].matches.size()
+ : 0) : 0) + (self.size() > 2 ? (has(self[2].matches) ? self[2].matches.size()
+ : 0) : 0) + (self.size() > 3 ? (has(self[3].matches) ? self[3].matches.size()
+ : 0) : 0) + (self.size() > 4 ? (has(self[4].matches) ? self[4].matches.size()
+ : 0) : 0) + (self.size() > 5 ? (has(self[5].matches) ? self[5].matches.size()
+ : 0) : 0) + (self.size() > 6 ? (has(self[6].matches) ? self[6].matches.size()
+ : 0) : 0) + (self.size() > 7 ? (has(self[7].matches) ? self[7].matches.size()
+ : 0) : 0) + (self.size() > 8 ? (has(self[8].matches) ? self[8].matches.size()
+ : 0) : 0) + (self.size() > 9 ? (has(self[9].matches) ? self[9].matches.size()
+ : 0) : 0) + (self.size() > 10 ? (has(self[10].matches) ? self[10].matches.size()
+ : 0) : 0) + (self.size() > 11 ? (has(self[11].matches) ? self[11].matches.size()
+ : 0) : 0) + (self.size() > 12 ? (has(self[12].matches) ? self[12].matches.size()
+ : 0) : 0) + (self.size() > 13 ? (has(self[13].matches) ? self[13].matches.size()
+ : 0) : 0) + (self.size() > 14 ? (has(self[14].matches) ? self[14].matches.size()
+ : 0) : 0) + (self.size() > 15 ? (has(self[15].matches) ? self[15].matches.size()
+ : 0) : 0) <= 128'
+ type: object
+ status:
+ description: Status defines the current state of GRPCRoute.
+ properties:
+ parents:
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
+ items:
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
+ properties:
+ conditions:
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
+
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
+
+ * The Route refers to a non-existent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ required:
+ - parents
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/standard/gateway.networking.k8s.io_httproutes.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/channel: standard
+ creationTimestamp: null
+ name: httproutes.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: HTTPRoute
+ listKind: HTTPRouteList
+ plural: httproutes
+ singular: httproute
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.hostnames
+ name: Hostnames
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ HTTPRoute provides a way to route HTTP requests. This includes the capability
+ to match requests by hostname, path, header, or query param. Filters can be
+ used to specify additional processing steps. Backends specify where matching
+ requests should be routed.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of HTTPRoute.
+ properties:
+ hostnames:
+ description: |-
+ Hostnames defines a set of hostnames that should match against the HTTP Host
+ header to select a HTTPRoute used to process the request. Implementations
+ MUST ignore any port value specified in the HTTP Host header while
+ performing a match and (absent of any applicable header modification
+ configuration) MUST forward this header unmodified to the backend.
+
+ Valid values for Hostnames are determined by RFC 1123 definition of a
+ hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ If a hostname is specified by both the Listener and HTTPRoute, there
+ must be at least one intersecting hostname for the HTTPRoute to be
+ attached to the Listener. For example:
+
+ * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames, or have specified at
+ least one of `test.example.com` or `*.example.com`.
+ * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames or have specified at least
+ one hostname that matches the Listener hostname. For example,
+ `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+ all match. On the other hand, `example.com` and `test.example.net` would
+ not match.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ If both the Listener and HTTPRoute have specified hostnames, any
+ HTTPRoute hostnames that do not match the Listener hostname MUST be
+ ignored. For example, if a Listener specified `*.example.com`, and the
+ HTTPRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` must not be considered for a match.
+
+ If both the Listener and HTTPRoute have specified hostnames, and none
+ match with the criteria above, then the HTTPRoute is not accepted. The
+ implementation must raise an 'Accepted' Condition with a status of
+ `False` in the corresponding RouteParentStatus.
+
+ In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+ overlapping wildcard matching and exact matching hostnames), precedence must
+ be given to rules from the HTTPRoute with the largest number of:
+
+ * Characters in a matching non-wildcard hostname.
+ * Characters in a matching hostname.
+
+ If ties exist across multiple Routes, the matching precedence rules for
+ HTTPRouteMatches takes over.
+
+ Support: Core
+ items:
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ type: array
+ parentRefs:
+ description: |+
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+
+
+
+
+ items:
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-validations:
+ - message: sectionName must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''')) : true))'
+ - message: sectionName must be unique when parentRefs includes 2 or
+ more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName))))
+ rules:
+ default:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ description: |+
+ Rules are a list of HTTP matchers, filters and actions.
+
+ items:
+ description: |-
+ HTTPRouteRule defines semantics for matching an HTTP request based on
+ conditions (matches), processing it (filters), and forwarding the request to
+ an API object (backendRefs).
+ properties:
+ backendRefs:
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent.
+
+ Failure behavior here depends on how many BackendRefs are specified and
+ how many are invalid.
+
+ If *all* entries in BackendRefs are invalid, and there are also no filters
+ specified in this route rule, *all* traffic which matches this rule MUST
+ receive a 500 status code.
+
+ See the HTTPBackendRef definition for the rules about what makes a single
+ HTTPBackendRef invalid.
+
+ When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+ requests that would have otherwise been routed to an invalid backend. If
+ multiple backends are specified, and some are invalid, the proportion of
+ requests that would otherwise have been routed to an invalid backend
+ MUST receive a 500 status code.
+
+ For example, if two backends are specified with equal weights, and one is
+ invalid, 50 percent of traffic must receive a 500. Implementations may
+ choose how that 50 percent is determined.
+
+ When a HTTPBackendRef refers to a Service that has no ready endpoints,
+ implementations SHOULD return a 503 for requests to that backend instead.
+ If an implementation chooses to do this, all of the above rules for 500 responses
+ MUST also apply for responses that return a 503.
+
+ Support: Core for Kubernetes Service
+
+ Support: Extended for Kubernetes ServiceImport
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Core
+ items:
+ description: |-
+ HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
+ properties:
+ filters:
+ description: |-
+ Filters defined at this level should be executed if and only if the
+ request is being forwarded to the backend defined here.
+
+ Support: Implementation-specific (For broader support of filters, use the
+ Filters field in HTTPRouteRule.)
+ items:
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ This filter can be used multiple times within the same rule.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ requestRedirect:
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
+
+ Support: Core
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
+
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
+
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Extended
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Core
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ type: string
+ urlRewrite:
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
+
+ Support: Extended
+ properties:
+ hostname:
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines a path rewrite.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil
+ if the filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type
+ != ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type
+ == ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil
+ if the filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type
+ != ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for
+ RequestMirror filter.type
+ rule: '!(!has(self.requestMirror) && self.type ==
+ ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the
+ filter.type is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type !=
+ ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified
+ for RequestRedirect filter.type
+ rule: '!(!has(self.requestRedirect) && self.type ==
+ ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for
+ ExtensionRef filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size()
+ <= 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size()
+ <= 1
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ filters:
+ description: |-
+ Filters define the filters that are applied to requests that match
+ this rule.
+
+ Wherever possible, implementations SHOULD implement filters in the order
+ they are specified.
+
+ Implementations MAY choose to implement this ordering strictly, rejecting
+ any combination or order of filters that can not be supported. If implementations
+ choose a strict interpretation of filter ordering, they MUST clearly document
+ that behavior.
+
+ To reject an invalid combination or order of filters, implementations SHOULD
+ consider the Route Rules with this configuration invalid. If all Route Rules
+ in a Route are invalid, the entire Route would be considered invalid. If only
+ a portion of Route Rules are invalid, implementations MUST set the
+ "PartiallyInvalid" condition for the Route.
+
+ Conformance-levels at this level are defined based on the type of filter:
+
+ - ALL core filters MUST be supported by all implementations.
+ - Implementers are encouraged to support extended filters.
+ - Implementation-specific custom filters have no API guarantees across
+ implementations.
+
+ Specifying the same filter multiple times is not supported unless explicitly
+ indicated in the filter.
+
+ All filters are expected to be compatible with each other except for the
+ URLRewrite and RequestRedirect filters, which may not be combined. If an
+ implementation can not support other combinations of filters, they must clearly
+ document that limitation. In cases where incompatible or unsupported
+ filters are specified and cause the `Accepted` condition to be set to status
+ `False`, implementations may use the `IncompatibleFilters` reason to specify
+ this configuration error.
+
+ Support: Core
+ items:
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ This filter can be used multiple times within the same rule.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ requestRedirect:
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
+
+ Support: Core
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
+
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
+
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Extended
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Core
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ type: string
+ urlRewrite:
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
+
+ Support: Extended
+ properties:
+ hostname:
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines a path rewrite.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil if the
+ filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type !=
+ ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==
+ ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil if the
+ filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type !=
+ ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for RequestMirror
+ filter.type
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the filter.type
+ is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified for RequestRedirect
+ filter.type
+ rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for ExtensionRef
+ filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
+ self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size() <=
+ 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size() <= 1
+ matches:
+ default:
+ - path:
+ type: PathPrefix
+ value: /
+ description: |-
+ Matches define conditions used for matching the rule against incoming
+ HTTP requests. Each match is independent, i.e. this rule will be matched
+ if **any** one of the matches is satisfied.
+
+ For example, take the following matches configuration:
+
+ ```
+ matches:
+ - path:
+ value: "/foo"
+ headers:
+ - name: "version"
+ value: "v2"
+ - path:
+ value: "/v2/foo"
+ ```
+
+ For a request to match against this rule, a request must satisfy
+ EITHER of the two conditions:
+
+ - path prefixed with `/foo` AND contains the header `version: v2`
+ - path prefix of `/v2/foo`
+
+ See the documentation for HTTPRouteMatch on how to specify multiple
+ match conditions that should be ANDed together.
+
+ If no matches are specified, the default is a prefix
+ path match on "/", which has the effect of matching every
+ HTTP request.
+
+ Proxy or Load Balancer routing configuration generated from HTTPRoutes
+ MUST prioritize matches based on the following criteria, continuing on
+ ties. Across all rules specified on applicable Routes, precedence must be
+ given to the match having:
+
+ * "Exact" path match.
+ * "Prefix" path match with largest number of characters.
+ * Method match.
+ * Largest number of header matches.
+ * Largest number of query param matches.
+
+ Note: The precedence of RegularExpression path matches are implementation-specific.
+
+ If ties still exist across multiple Routes, matching precedence MUST be
+ determined in order of the following criteria, continuing on ties:
+
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
+
+ If ties still exist within an HTTPRoute, matching precedence MUST be granted
+ to the FIRST matching rule (in list order) with a match meeting the above
+ criteria.
+
+ When no rules matching a request have been successfully attached to the
+ parent a request is coming from, a HTTP 404 status code MUST be returned.
+ items:
+ description: "HTTPRouteMatch defines the predicate used to
+ match requests to a given\naction. Multiple match types
+ are ANDed together, i.e. the match will\nevaluate to true
+ only if all conditions are satisfied.\n\nFor example, the
+ match below will match a HTTP request only if its path\nstarts
+ with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t
+ \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t
+ \ value \"v1\"\n\n```"
+ properties:
+ headers:
+ description: |-
+ Headers specifies HTTP request header matchers. Multiple match values are
+ ANDed together, meaning, a request must match all the specified headers
+ to select the route.
+ items:
+ description: |-
+ HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+ headers.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+
+ When a header is repeated in an HTTP request, it is
+ implementation-specific behavior as to how this is represented.
+ Generally, proxies should follow the guidance from the RFC:
+ https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+ processing a repeated header, with special handling for "Set-Cookie".
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the value of the header.
+
+ Support: Core (Exact)
+
+ Support: Implementation-specific (RegularExpression)
+
+ Since RegularExpression HeaderMatchType has implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other dialects
+ of regular expressions. Please read the implementation's documentation to
+ determine the supported dialect.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP Header to
+ be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ method:
+ description: |-
+ Method specifies HTTP method matcher.
+ When specified, this route will be matched only if the request has the
+ specified method.
+
+ Support: Extended
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ type: string
+ path:
+ default:
+ type: PathPrefix
+ value: /
+ description: |-
+ Path specifies a HTTP request path matcher. If this field is not
+ specified, a default prefix match on the "/" path is provided.
+ properties:
+ type:
+ default: PathPrefix
+ description: |-
+ Type specifies how to match against the path Value.
+
+ Support: Core (Exact, PathPrefix)
+
+ Support: Implementation-specific (RegularExpression)
+ enum:
+ - Exact
+ - PathPrefix
+ - RegularExpression
+ type: string
+ value:
+ default: /
+ description: Value of the HTTP path to match against.
+ maxLength: 1024
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: value must be an absolute path and start with
+ '/' when type one of ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')
+ : true'
+ - message: must not contain '//' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')
+ : true'
+ - message: must not contain '/./' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')
+ : true'
+ - message: must not contain '/../' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')
+ : true'
+ - message: must not contain '%2f' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')
+ : true'
+ - message: must not contain '%2F' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')
+ : true'
+ - message: must not contain '#' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')
+ : true'
+ - message: must not end with '/..' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')
+ : true'
+ - message: must not end with '/.' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')
+ : true'
+ - message: type must be one of ['Exact', 'PathPrefix',
+ 'RegularExpression']
+ rule: self.type in ['Exact','PathPrefix'] || self.type
+ == 'RegularExpression'
+ - message: must only contain valid characters (matching
+ ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)
+ for types ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")
+ : true'
+ queryParams:
+ description: |-
+ QueryParams specifies HTTP query parameter matchers. Multiple match
+ values are ANDed together, meaning, a request must match all the
+ specified query parameters to select the route.
+
+ Support: Extended
+ items:
+ description: |-
+ HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+ query parameters.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP query param to be matched. This must be an
+ exact string match. (See
+ https://tools.ietf.org/html/rfc7230#section-2.7.3).
+
+ If multiple entries specify equivalent query param names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent query param name MUST be ignored.
+
+ If a query param is repeated in an HTTP request, the behavior is
+ purposely left undefined, since different data planes have different
+ capabilities. However, it is *recommended* that implementations should
+ match against the first value of the param if the data plane supports it,
+ as this behavior is expected in other load balancing contexts outside of
+ the Gateway API.
+
+ Users SHOULD NOT route traffic based on repeated query params to guard
+ themselves against potential differences in the implementations.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the value of the query parameter.
+
+ Support: Extended (Exact)
+
+ Support: Implementation-specific (RegularExpression)
+
+ Since RegularExpression QueryParamMatchType has Implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other
+ dialects of regular expressions. Please read the implementation's
+ documentation to determine the supported dialect.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP query param
+ to be matched.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ maxItems: 64
+ type: array
+ timeouts:
+ description: |-
+ Timeouts defines the timeouts that can be configured for an HTTP request.
+
+ Support: Extended
+ properties:
+ backendRequest:
+ description: |-
+ BackendRequest specifies a timeout for an individual request from the gateway
+ to a backend. This covers the time from when the request first starts being
+ sent from the gateway to when the full response has been received from the backend.
+
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
+
+ An entire client HTTP transaction with a gateway, covered by the Request timeout,
+ may result in more than one call from the gateway to the destination backend,
+ for example, if automatic retries are supported.
+
+ The value of BackendRequest must be a Gateway API Duration string as defined by
+ GEP-2257. When this field is unspecified, its behavior is implementation-specific;
+ when specified, the value of BackendRequest must be no more than the value of the
+ Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ request:
+ description: |-
+ Request specifies the maximum duration for a gateway to respond to an HTTP request.
+ If the gateway has not been able to respond before this deadline is met, the gateway
+ MUST return a timeout error.
+
+ For example, setting the `rules.timeouts.request` field to the value `10s` in an
+ `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+ to complete.
+
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
+
+ This timeout is intended to cover as close to the whole request-response transaction
+ as possible although an implementation MAY choose to start the timeout after the entire
+ request stream has been received instead of immediately after the transaction is
+ initiated by the client.
+
+ The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+ field is unspecified, request timeout behavior is implementation-specific.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: backendRequest timeout cannot be longer than request
+ timeout
+ rule: '!(has(self.request) && has(self.backendRequest) &&
+ duration(self.request) != duration(''0s'') && duration(self.backendRequest)
+ > duration(self.request))'
+ type: object
+ x-kubernetes-validations:
+ - message: RequestRedirect filter must not be used together with
+ backendRefs
+ rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?
+ (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):
+ true'
+ - message: When using RequestRedirect filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||
+ self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: When using URLRewrite filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ - message: Within backendRefs, when using RequestRedirect filter
+ with path.replacePrefixMatch, exactly one PathPrefix match must
+ be specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)
+ || self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: Within backendRefs, When using URLRewrite filter with
+ path.replacePrefixMatch, exactly one PathPrefix match must be
+ specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: While 16 rules and 64 matches per rule are allowed, the
+ total number of matches across all rules in a route must be less
+ than 128
+ rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size()
+ > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size()
+ : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size()
+ > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size()
+ : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size()
+ > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size()
+ : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size()
+ > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size()
+ : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size()
+ > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size()
+ : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128'
+ type: object
+ status:
+ description: Status defines the current state of HTTPRoute.
+ properties:
+ parents:
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
+ items:
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
+ properties:
+ conditions:
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
+
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
+
+ * The Route refers to a non-existent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .spec.hostnames
+ name: Hostnames
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ HTTPRoute provides a way to route HTTP requests. This includes the capability
+ to match requests by hostname, path, header, or query param. Filters can be
+ used to specify additional processing steps. Backends specify where matching
+ requests should be routed.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of HTTPRoute.
+ properties:
+ hostnames:
+ description: |-
+ Hostnames defines a set of hostnames that should match against the HTTP Host
+ header to select a HTTPRoute used to process the request. Implementations
+ MUST ignore any port value specified in the HTTP Host header while
+ performing a match and (absent of any applicable header modification
+ configuration) MUST forward this header unmodified to the backend.
+
+ Valid values for Hostnames are determined by RFC 1123 definition of a
+ hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ If a hostname is specified by both the Listener and HTTPRoute, there
+ must be at least one intersecting hostname for the HTTPRoute to be
+ attached to the Listener. For example:
+
+ * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames, or have specified at
+ least one of `test.example.com` or `*.example.com`.
+ * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames or have specified at least
+ one hostname that matches the Listener hostname. For example,
+ `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+ all match. On the other hand, `example.com` and `test.example.net` would
+ not match.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ If both the Listener and HTTPRoute have specified hostnames, any
+ HTTPRoute hostnames that do not match the Listener hostname MUST be
+ ignored. For example, if a Listener specified `*.example.com`, and the
+ HTTPRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` must not be considered for a match.
+
+ If both the Listener and HTTPRoute have specified hostnames, and none
+ match with the criteria above, then the HTTPRoute is not accepted. The
+ implementation must raise an 'Accepted' Condition with a status of
+ `False` in the corresponding RouteParentStatus.
+
+ In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+ overlapping wildcard matching and exact matching hostnames), precedence must
+ be given to rules from the HTTPRoute with the largest number of:
+
+ * Characters in a matching non-wildcard hostname.
+ * Characters in a matching hostname.
+
+ If ties exist across multiple Routes, the matching precedence rules for
+ HTTPRouteMatches takes over.
+
+ Support: Core
+ items:
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ type: array
+ parentRefs:
+ description: |+
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+
+
+
+
+ items:
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-validations:
+ - message: sectionName must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''')) : true))'
+ - message: sectionName must be unique when parentRefs includes 2 or
+ more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName))))
+ rules:
+ default:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ description: |+
+ Rules are a list of HTTP matchers, filters and actions.
+
+ items:
+ description: |-
+ HTTPRouteRule defines semantics for matching an HTTP request based on
+ conditions (matches), processing it (filters), and forwarding the request to
+ an API object (backendRefs).
+ properties:
+ backendRefs:
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent.
+
+ Failure behavior here depends on how many BackendRefs are specified and
+ how many are invalid.
+
+ If *all* entries in BackendRefs are invalid, and there are also no filters
+ specified in this route rule, *all* traffic which matches this rule MUST
+ receive a 500 status code.
+
+ See the HTTPBackendRef definition for the rules about what makes a single
+ HTTPBackendRef invalid.
+
+ When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+ requests that would have otherwise been routed to an invalid backend. If
+ multiple backends are specified, and some are invalid, the proportion of
+ requests that would otherwise have been routed to an invalid backend
+ MUST receive a 500 status code.
+
+ For example, if two backends are specified with equal weights, and one is
+ invalid, 50 percent of traffic must receive a 500. Implementations may
+ choose how that 50 percent is determined.
+
+ When a HTTPBackendRef refers to a Service that has no ready endpoints,
+ implementations SHOULD return a 503 for requests to that backend instead.
+ If an implementation chooses to do this, all of the above rules for 500 responses
+ MUST also apply for responses that return a 503.
+
+ Support: Core for Kubernetes Service
+
+ Support: Extended for Kubernetes ServiceImport
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Core
+ items:
+ description: |-
+ HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
+ properties:
+ filters:
+ description: |-
+ Filters defined at this level should be executed if and only if the
+ request is being forwarded to the backend defined here.
+
+ Support: Implementation-specific (For broader support of filters, use the
+ Filters field in HTTPRouteRule.)
+ items:
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ This filter can be used multiple times within the same rule.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ requestRedirect:
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
+
+ Support: Core
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
+
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
+
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Extended
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Core
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ type: string
+ urlRewrite:
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
+
+ Support: Extended
+ properties:
+ hostname:
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines a path rewrite.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil
+ if the filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type
+ != ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type
+ == ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil
+ if the filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type
+ != ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for
+ RequestMirror filter.type
+ rule: '!(!has(self.requestMirror) && self.type ==
+ ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the
+ filter.type is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type !=
+ ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified
+ for RequestRedirect filter.type
+ rule: '!(!has(self.requestRedirect) && self.type ==
+ ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for
+ ExtensionRef filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size()
+ <= 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size()
+ <= 1
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ filters:
+ description: |-
+ Filters define the filters that are applied to requests that match
+ this rule.
+
+ Wherever possible, implementations SHOULD implement filters in the order
+ they are specified.
+
+ Implementations MAY choose to implement this ordering strictly, rejecting
+ any combination or order of filters that can not be supported. If implementations
+ choose a strict interpretation of filter ordering, they MUST clearly document
+ that behavior.
+
+ To reject an invalid combination or order of filters, implementations SHOULD
+ consider the Route Rules with this configuration invalid. If all Route Rules
+ in a Route are invalid, the entire Route would be considered invalid. If only
+ a portion of Route Rules are invalid, implementations MUST set the
+ "PartiallyInvalid" condition for the Route.
+
+ Conformance-levels at this level are defined based on the type of filter:
+
+ - ALL core filters MUST be supported by all implementations.
+ - Implementers are encouraged to support extended filters.
+ - Implementation-specific custom filters have no API guarantees across
+ implementations.
+
+ Specifying the same filter multiple times is not supported unless explicitly
+ indicated in the filter.
+
+ All filters are expected to be compatible with each other except for the
+ URLRewrite and RequestRedirect filters, which may not be combined. If an
+ implementation can not support other combinations of filters, they must clearly
+ document that limitation. In cases where incompatible or unsupported
+ filters are specified and cause the `Accepted` condition to be set to status
+ `False`, implementations may use the `IncompatibleFilters` reason to specify
+ this configuration error.
+
+ Support: Core
+ items:
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ This filter can be used multiple times within the same rule.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ required:
+ - backendRef
+ type: object
+ requestRedirect:
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
+
+ Support: Core
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
+
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
+
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Extended
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Core
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ type: string
+ urlRewrite:
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
+
+ Support: Extended
+ properties:
+ hostname:
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines a path rewrite.
+
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil if the
+ filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type !=
+ ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==
+ ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil if the
+ filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type !=
+ ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for RequestMirror
+ filter.type
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the filter.type
+ is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified for RequestRedirect
+ filter.type
+ rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for ExtensionRef
+ filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
+ self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size() <=
+ 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size() <= 1
+ matches:
+ default:
+ - path:
+ type: PathPrefix
+ value: /
+ description: |-
+ Matches define conditions used for matching the rule against incoming
+ HTTP requests. Each match is independent, i.e. this rule will be matched
+ if **any** one of the matches is satisfied.
+
+ For example, take the following matches configuration:
+
+ ```
+ matches:
+ - path:
+ value: "/foo"
+ headers:
+ - name: "version"
+ value: "v2"
+ - path:
+ value: "/v2/foo"
+ ```
+
+ For a request to match against this rule, a request must satisfy
+ EITHER of the two conditions:
+
+ - path prefixed with `/foo` AND contains the header `version: v2`
+ - path prefix of `/v2/foo`
+
+ See the documentation for HTTPRouteMatch on how to specify multiple
+ match conditions that should be ANDed together.
+
+ If no matches are specified, the default is a prefix
+ path match on "/", which has the effect of matching every
+ HTTP request.
+
+ Proxy or Load Balancer routing configuration generated from HTTPRoutes
+ MUST prioritize matches based on the following criteria, continuing on
+ ties. Across all rules specified on applicable Routes, precedence must be
+ given to the match having:
+
+ * "Exact" path match.
+ * "Prefix" path match with largest number of characters.
+ * Method match.
+ * Largest number of header matches.
+ * Largest number of query param matches.
+
+ Note: The precedence of RegularExpression path matches are implementation-specific.
+
+ If ties still exist across multiple Routes, matching precedence MUST be
+ determined in order of the following criteria, continuing on ties:
+
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
+
+ If ties still exist within an HTTPRoute, matching precedence MUST be granted
+ to the FIRST matching rule (in list order) with a match meeting the above
+ criteria.
+
+ When no rules matching a request have been successfully attached to the
+ parent a request is coming from, a HTTP 404 status code MUST be returned.
+ items:
+ description: "HTTPRouteMatch defines the predicate used to
+ match requests to a given\naction. Multiple match types
+ are ANDed together, i.e. the match will\nevaluate to true
+ only if all conditions are satisfied.\n\nFor example, the
+ match below will match a HTTP request only if its path\nstarts
+ with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t
+ \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t
+ \ value \"v1\"\n\n```"
+ properties:
+ headers:
+ description: |-
+ Headers specifies HTTP request header matchers. Multiple match values are
+ ANDed together, meaning, a request must match all the specified headers
+ to select the route.
+ items:
+ description: |-
+ HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+ headers.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+
+ When a header is repeated in an HTTP request, it is
+ implementation-specific behavior as to how this is represented.
+ Generally, proxies should follow the guidance from the RFC:
+ https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+ processing a repeated header, with special handling for "Set-Cookie".
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the value of the header.
+
+ Support: Core (Exact)
+
+ Support: Implementation-specific (RegularExpression)
+
+ Since RegularExpression HeaderMatchType has implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other dialects
+ of regular expressions. Please read the implementation's documentation to
+ determine the supported dialect.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP Header to
+ be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ method:
+ description: |-
+ Method specifies HTTP method matcher.
+ When specified, this route will be matched only if the request has the
+ specified method.
+
+ Support: Extended
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ type: string
+ path:
+ default:
+ type: PathPrefix
+ value: /
+ description: |-
+ Path specifies a HTTP request path matcher. If this field is not
+ specified, a default prefix match on the "/" path is provided.
+ properties:
+ type:
+ default: PathPrefix
+ description: |-
+ Type specifies how to match against the path Value.
+
+ Support: Core (Exact, PathPrefix)
+
+ Support: Implementation-specific (RegularExpression)
+ enum:
+ - Exact
+ - PathPrefix
+ - RegularExpression
+ type: string
+ value:
+ default: /
+ description: Value of the HTTP path to match against.
+ maxLength: 1024
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: value must be an absolute path and start with
+ '/' when type one of ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')
+ : true'
+ - message: must not contain '//' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')
+ : true'
+ - message: must not contain '/./' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')
+ : true'
+ - message: must not contain '/../' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')
+ : true'
+ - message: must not contain '%2f' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')
+ : true'
+ - message: must not contain '%2F' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')
+ : true'
+ - message: must not contain '#' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')
+ : true'
+ - message: must not end with '/..' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')
+ : true'
+ - message: must not end with '/.' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')
+ : true'
+ - message: type must be one of ['Exact', 'PathPrefix',
+ 'RegularExpression']
+ rule: self.type in ['Exact','PathPrefix'] || self.type
+ == 'RegularExpression'
+ - message: must only contain valid characters (matching
+ ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)
+ for types ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")
+ : true'
+ queryParams:
+ description: |-
+ QueryParams specifies HTTP query parameter matchers. Multiple match
+ values are ANDed together, meaning, a request must match all the
+ specified query parameters to select the route.
+
+ Support: Extended
+ items:
+ description: |-
+ HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+ query parameters.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP query param to be matched. This must be an
+ exact string match. (See
+ https://tools.ietf.org/html/rfc7230#section-2.7.3).
+
+ If multiple entries specify equivalent query param names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent query param name MUST be ignored.
+
+ If a query param is repeated in an HTTP request, the behavior is
+ purposely left undefined, since different data planes have different
+ capabilities. However, it is *recommended* that implementations should
+ match against the first value of the param if the data plane supports it,
+ as this behavior is expected in other load balancing contexts outside of
+ the Gateway API.
+
+ Users SHOULD NOT route traffic based on repeated query params to guard
+ themselves against potential differences in the implementations.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the value of the query parameter.
+
+ Support: Extended (Exact)
+
+ Support: Implementation-specific (RegularExpression)
+
+ Since RegularExpression QueryParamMatchType has Implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other
+ dialects of regular expressions. Please read the implementation's
+ documentation to determine the supported dialect.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP query param
+ to be matched.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ maxItems: 64
+ type: array
+ timeouts:
+ description: |-
+ Timeouts defines the timeouts that can be configured for an HTTP request.
+
+ Support: Extended
+ properties:
+ backendRequest:
+ description: |-
+ BackendRequest specifies a timeout for an individual request from the gateway
+ to a backend. This covers the time from when the request first starts being
+ sent from the gateway to when the full response has been received from the backend.
+
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
+
+ An entire client HTTP transaction with a gateway, covered by the Request timeout,
+ may result in more than one call from the gateway to the destination backend,
+ for example, if automatic retries are supported.
+
+ The value of BackendRequest must be a Gateway API Duration string as defined by
+ GEP-2257. When this field is unspecified, its behavior is implementation-specific;
+ when specified, the value of BackendRequest must be no more than the value of the
+ Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ request:
+ description: |-
+ Request specifies the maximum duration for a gateway to respond to an HTTP request.
+ If the gateway has not been able to respond before this deadline is met, the gateway
+ MUST return a timeout error.
+
+ For example, setting the `rules.timeouts.request` field to the value `10s` in an
+ `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+ to complete.
+
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
+
+ This timeout is intended to cover as close to the whole request-response transaction
+ as possible although an implementation MAY choose to start the timeout after the entire
+ request stream has been received instead of immediately after the transaction is
+ initiated by the client.
+
+ The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+ field is unspecified, request timeout behavior is implementation-specific.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: backendRequest timeout cannot be longer than request
+ timeout
+ rule: '!(has(self.request) && has(self.backendRequest) &&
+ duration(self.request) != duration(''0s'') && duration(self.backendRequest)
+ > duration(self.request))'
+ type: object
+ x-kubernetes-validations:
+ - message: RequestRedirect filter must not be used together with
+ backendRefs
+ rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?
+ (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):
+ true'
+ - message: When using RequestRedirect filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||
+ self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: When using URLRewrite filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ - message: Within backendRefs, when using RequestRedirect filter
+ with path.replacePrefixMatch, exactly one PathPrefix match must
+ be specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)
+ || self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: Within backendRefs, When using URLRewrite filter with
+ path.replacePrefixMatch, exactly one PathPrefix match must be
+ specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: While 16 rules and 64 matches per rule are allowed, the
+ total number of matches across all rules in a route must be less
+ than 128
+ rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size()
+ > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size()
+ : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size()
+ > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size()
+ : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size()
+ > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size()
+ : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size()
+ > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size()
+ : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size()
+ > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size()
+ : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128'
+ type: object
+ status:
+ description: Status defines the current state of HTTPRoute.
+ properties:
+ parents:
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
+ items:
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
+ properties:
+ conditions:
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
+
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
+
+ * The Route refers to a non-existent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.1
+ gateway.networking.k8s.io/channel: standard
+ creationTimestamp: null
+ name: referencegrants.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: ReferenceGrant
+ listKind: ReferenceGrantList
+ plural: referencegrants
+ shortNames:
+ - refgrant
+ singular: referencegrant
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ReferenceGrant identifies kinds of resources in other namespaces that are
+ trusted to reference the specified kinds of resources in the same namespace
+ as the policy.
+
+ Each ReferenceGrant can be used to represent a unique trust relationship.
+ Additional Reference Grants can be used to add to the set of trusted
+ sources of inbound references for the namespace they are defined within.
+
+ All cross-namespace references in Gateway API (with the exception of cross-namespace
+ Gateway-route attachment) require a ReferenceGrant.
+
+ ReferenceGrant is a form of runtime verification allowing users to assert
+ which cross-namespace object references are permitted. Implementations that
+ support ReferenceGrant MUST NOT permit cross-namespace references which have
+ no grant, and MUST respond to the removal of a grant by revoking the access
+ that the grant allowed.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of ReferenceGrant.
+ properties:
+ from:
+ description: |-
+ From describes the trusted namespaces and kinds that can reference the
+ resources described in "To". Each entry in this list MUST be considered
+ to be an additional place that references can be valid from, or to put
+ this another way, entries MUST be combined using OR.
+
+ Support: Core
+ items:
+ description: ReferenceGrantFrom describes trusted namespaces and
+ kinds.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent.
+ When empty, the Kubernetes core API group is inferred.
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: |-
+ Kind is the kind of the referent. Although implementations may support
+ additional resources, the following types are part of the "Core"
+ support level for this field.
+
+ When used to permit a SecretObjectReference:
+
+ * Gateway
+
+ When used to permit a BackendObjectReference:
+
+ * GRPCRoute
+ * HTTPRoute
+ * TCPRoute
+ * TLSRoute
+ * UDPRoute
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - namespace
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ to:
+ description: |-
+ To describes the resources that may be referenced by the resources
+ described in "From". Each entry in this list MUST be considered to be an
+ additional place that references can be valid to, or to put this another
+ way, entries MUST be combined using OR.
+
+ Support: Core
+ items:
+ description: |-
+ ReferenceGrantTo describes what Kinds are allowed as targets of the
+ references.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent.
+ When empty, the Kubernetes core API group is inferred.
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: |-
+ Kind is the kind of the referent. Although implementations may support
+ additional resources, the following types are part of the "Core"
+ support level for this field:
+
+ * Secret when used to permit a SecretObjectReference
+ * Service when used to permit a BackendObjectReference
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent. When unspecified, this policy
+ refers to all resources of the specified Group and Kind in the local
+ namespace.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ required:
+ - from
+ - to
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/tests/golden/olm/airlock-microgateway/airlock-microgateway/00_prerequisites/00_namespace.yaml b/tests/golden/olm/airlock-microgateway/airlock-microgateway/00_prerequisites/00_namespace.yaml
new file mode 100644
index 0000000..91c261c
--- /dev/null
+++ b/tests/golden/olm/airlock-microgateway/airlock-microgateway/00_prerequisites/00_namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations: {}
+ labels:
+ name: syn-airlock-microgateway
+ name: syn-airlock-microgateway
diff --git a/tests/golden/olm/airlock-microgateway/airlock-microgateway/00_prerequisites/01_license_secret.yaml b/tests/golden/olm/airlock-microgateway/airlock-microgateway/00_prerequisites/01_license_secret.yaml
new file mode 100644
index 0000000..2aedd0f
--- /dev/null
+++ b/tests/golden/olm/airlock-microgateway/airlock-microgateway/00_prerequisites/01_license_secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+ microgateway-license.txt: ''
+kind: Secret
+metadata:
+ annotations: {}
+ labels:
+ name: airlock-microgateway-license
+ name: airlock-microgateway-license
+ namespace: syn-airlock-microgateway
+type: Opaque
diff --git a/tests/golden/olm/airlock-microgateway/airlock-microgateway/00_prerequisites/01_network_policy.yaml b/tests/golden/olm/airlock-microgateway/airlock-microgateway/00_prerequisites/01_network_policy.yaml
new file mode 100644
index 0000000..33d7a9d
--- /dev/null
+++ b/tests/golden/olm/airlock-microgateway/airlock-microgateway/00_prerequisites/01_network_policy.yaml
@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: allow-from-waf-namespaces
+ name: allow-from-waf-namespaces
+ namespace: syn-airlock-microgateway
+spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ appuio.ch/waf: airlock
+ policyTypes:
+ - Ingress
diff --git a/tests/golden/olm/airlock-microgateway/airlock-microgateway/01_olm/10_operator_group.yaml b/tests/golden/olm/airlock-microgateway/airlock-microgateway/01_olm/10_operator_group.yaml
new file mode 100644
index 0000000..81cd94a
--- /dev/null
+++ b/tests/golden/olm/airlock-microgateway/airlock-microgateway/01_olm/10_operator_group.yaml
@@ -0,0 +1,9 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '-90'
+ labels:
+ name: airlock-microgateway
+ name: airlock-microgateway
+ namespace: syn-airlock-microgateway
diff --git a/tests/golden/olm/airlock-microgateway/airlock-microgateway/01_olm/10_operator_subscription.yaml b/tests/golden/olm/airlock-microgateway/airlock-microgateway/01_olm/10_operator_subscription.yaml
new file mode 100644
index 0000000..04bc517
--- /dev/null
+++ b/tests/golden/olm/airlock-microgateway/airlock-microgateway/01_olm/10_operator_subscription.yaml
@@ -0,0 +1,19 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '-80'
+ labels:
+ name: airlock-microgateway
+ name: airlock-microgateway
+ namespace: syn-airlock-microgateway
+spec:
+ channel: release-4.5.2
+ config:
+ env:
+ - name: GATEWAY_API_POD_MONITOR_CREATE
+ value: 'true'
+ installPlanApproval: Automatic
+ name: airlock-microgateway
+ source: certified-operators
+ sourceNamespace: openshift-operators-redhat
diff --git a/tests/golden/olm/airlock-microgateway/apps/airlock-microgateway.yaml b/tests/golden/olm/airlock-microgateway/apps/airlock-microgateway.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/tests/olm.yml b/tests/olm.yml
new file mode 100644
index 0000000..e283105
--- /dev/null
+++ b/tests/olm.yml
@@ -0,0 +1,16 @@
+# Overwrite parameters here
+
+parameters:
+ kapitan:
+ dependencies:
+ - type: https
+ source: https://raw.githubusercontent.com/appuio/component-openshift4-operators/master/lib/openshift4-operators.libsonnet
+ output_path: vendor/lib/openshift4-operators.libsonnet
+
+ airlock_microgateway:
+ install_method: olm
+
+ openshift4_operators:
+ defaultInstallPlanApproval: Automatic
+ defaultSource: openshift-operators-redhat
+ defaultSourceNamespace: openshift-operators-redhat
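Review bot: The `source:` URL in the `kapitan.dependencies` entry points at the mutable `master` ref of a raw GitHub file, so each compile of this test (and the golden output it drives) fetches whatever that branch contains at the time, with no pin and no integrity check; an upstream change can silently alter the rendered OLM manifests or break the golden comparison. Pin it to a tag or commit, e.g. `source: https://raw.githubusercontent.com/appuio/component-openshift4-operators/<PINNED_REF>/lib/openshift4-operators.libsonnet`, and refresh the pin deliberately. The same file sets `defaultInstallPlanApproval: Automatic`, which the golden Subscription shows as `installPlanApproval: Automatic`; that is presumably fine for a test fixture, but a one-line comment such as `# test default; production instances may prefer Manual so operator upgrades are gated by review` would make the choice explicit for readers copying this file as a template.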