gateway_api/apis/experimental/gateways.rs
1// WARNING: generated by kopium - manual changes will be overwritten
2// kopium command: kopium --schema=derived --derive=JsonSchema --derive=Default --derive=PartialEq --docs -f -
3// kopium version: 0.21.2
4
5#[allow(unused_imports)]
6mod prelude {
7 pub use k8s_openapi::apimachinery::pkg::apis::meta::v1::Condition;
8 pub use kube::CustomResource;
9 pub use schemars::JsonSchema;
10 pub use serde::{Deserialize, Serialize};
11 pub use std::collections::BTreeMap;
12}
13use self::prelude::*;
14
15/// Spec defines the desired state of Gateway.
16#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
17#[kube(
18 group = "gateway.networking.k8s.io",
19 version = "v1",
20 kind = "Gateway",
21 plural = "gateways"
22)]
23#[kube(namespaced)]
24#[kube(status = "GatewayStatus")]
25#[kube(derive = "Default")]
26#[kube(derive = "PartialEq")]
27pub struct GatewaySpec {
28 /// Addresses requested for this Gateway. This is optional and behavior can
29 /// depend on the implementation. If a value is set in the spec and the
30 /// requested address is invalid or unavailable, the implementation MUST
31 /// indicate this in the associated entry in GatewayStatus.Addresses.
32 ///
33 /// The Addresses field represents a request for the address(es) on the
34 /// "outside of the Gateway", that traffic bound for this Gateway will use.
35 /// This could be the IP address or hostname of an external load balancer or
36 /// other networking infrastructure, or some other address that traffic will
37 /// be sent to.
38 ///
39 /// If no Addresses are specified, the implementation MAY schedule the
40 /// Gateway in an implementation-specific manner, assigning an appropriate
41 /// set of Addresses.
42 ///
43 /// The implementation MUST bind all Listeners to every GatewayAddress that
44 /// it assigns to the Gateway and add a corresponding entry in
45 /// GatewayStatus.Addresses.
46 ///
47 /// Support: Extended
48 ///
49 ///
50 #[serde(default, skip_serializing_if = "Option::is_none")]
51 pub addresses: Option<Vec<GatewayAddresses>>,
52 /// BackendTLS configures TLS settings for when this Gateway is connecting to
53 /// backends with TLS.
54 ///
55 /// Support: Core
56 ///
57 ///
58 #[serde(
59 default,
60 skip_serializing_if = "Option::is_none",
61 rename = "backendTLS"
62 )]
63 pub backend_tls: Option<GatewayBackendTls>,
64 /// GatewayClassName used for this Gateway. This is the name of a
65 /// GatewayClass resource.
66 #[serde(rename = "gatewayClassName")]
67 pub gateway_class_name: String,
68 /// Infrastructure defines infrastructure level attributes about this Gateway instance.
69 ///
70 /// Support: Extended
71 #[serde(default, skip_serializing_if = "Option::is_none")]
72 pub infrastructure: Option<GatewayInfrastructure>,
73 /// Listeners associated with this Gateway. Listeners define
74 /// logical endpoints that are bound on this Gateway's addresses.
75 /// At least one Listener MUST be specified.
76 ///
77 /// Each Listener in a set of Listeners (for example, in a single Gateway)
78 /// MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
79 /// exactly one listener. (This section uses "set of Listeners" rather than
80 /// "Listeners in a single Gateway" because implementations MAY merge configuration
81 /// from multiple Gateways onto a single data plane, and these rules _also_
82 /// apply in that case).
83 ///
84 /// Practically, this means that each listener in a set MUST have a unique
85 /// combination of Port, Protocol, and, if supported by the protocol, Hostname.
86 ///
87 /// Some combinations of port, protocol, and TLS settings are considered
88 /// Core support and MUST be supported by implementations based on their
89 /// targeted conformance profile:
90 ///
91 /// HTTP Profile
92 ///
93 /// 1. HTTPRoute, Port: 80, Protocol: HTTP
94 /// 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
95 ///
96 /// TLS Profile
97 ///
98 /// 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
99 ///
100 /// "Distinct" Listeners have the following property:
101 ///
102 /// The implementation can match inbound requests to a single distinct
103 /// Listener. When multiple Listeners share values for fields (for
104 /// example, two Listeners with the same Port value), the implementation
105 /// can match requests to only one of the Listeners using other
106 /// Listener fields.
107 ///
108 /// For example, the following Listener scenarios are distinct:
109 ///
110 /// 1. Multiple Listeners with the same Port that all use the "HTTP"
111 /// Protocol that all have unique Hostname values.
112 /// 2. Multiple Listeners with the same Port that use either the "HTTPS" or
113 /// "TLS" Protocol that all have unique Hostname values.
114 /// 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener
115 /// with the same Protocol has the same Port value.
116 ///
117 /// Some fields in the Listener struct have possible values that affect
118 /// whether the Listener is distinct. Hostname is particularly relevant
119 /// for HTTP or HTTPS protocols.
120 ///
121 /// When using the Hostname value to select between same-Port, same-Protocol
122 /// Listeners, the Hostname value must be different on each Listener for the
123 /// Listener to be distinct.
124 ///
125 /// When the Listeners are distinct based on Hostname, inbound request
126 /// hostnames MUST match from the most specific to least specific Hostname
127 /// values to choose the correct Listener and its associated set of Routes.
128 ///
129 /// Exact matches must be processed before wildcard matches, and wildcard
130 /// matches must be processed before fallback (empty Hostname value)
131 /// matches. For example, `"foo.example.com"` takes precedence over
132 /// `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
133 ///
134 /// Additionally, if there are multiple wildcard entries, more specific
135 /// wildcard entries must be processed before less specific wildcard entries.
136 /// For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
137 /// The precise definition here is that the higher the number of dots in the
138 /// hostname to the right of the wildcard character, the higher the precedence.
139 ///
140 /// The wildcard character will match any number of characters _and dots_ to
141 /// the left, however, so `"*.example.com"` will match both
142 /// `"foo.bar.example.com"` _and_ `"bar.example.com"`.
143 ///
144 /// If a set of Listeners contains Listeners that are not distinct, then those
145 /// Listeners are Conflicted, and the implementation MUST set the "Conflicted"
146 /// condition in the Listener Status to "True".
147 ///
148 /// Implementations MAY choose to accept a Gateway with some Conflicted
149 /// Listeners only if they only accept the partial Listener set that contains
150 /// no Conflicted Listeners. To put this another way, implementations may
151 /// accept a partial Listener set only if they throw out *all* the conflicting
152 /// Listeners. No picking one of the conflicting listeners as the winner.
153 /// This also means that the Gateway must have at least one non-conflicting
154 /// Listener in this case, otherwise it violates the requirement that at
155 /// least one Listener must be present.
156 ///
157 /// The implementation MUST set a "ListenersNotValid" condition on the
158 /// Gateway Status when the Gateway contains Conflicted Listeners whether or
159 /// not they accept the Gateway. That Condition SHOULD clearly
160 /// indicate in the Message which Listeners are conflicted, and which are
161 /// Accepted. Additionally, the Listener status for those listeners SHOULD
162 /// indicate which Listeners are conflicted and not Accepted.
163 ///
164 /// A Gateway's Listeners are considered "compatible" if:
165 ///
166 /// 1. They are distinct.
167 /// 2. The implementation can serve them in compliance with the Addresses
168 /// requirement that all Listeners are available on all assigned
169 /// addresses.
170 ///
171 /// Compatible combinations in Extended support are expected to vary across
172 /// implementations. A combination that is compatible for one implementation
173 /// may not be compatible for another.
174 ///
175 /// For example, an implementation that cannot serve both TCP and UDP listeners
176 /// on the same address, or cannot mix HTTPS and generic TLS listens on the same port
177 /// would not consider those cases compatible, even though they are distinct.
178 ///
179 /// Note that requests SHOULD match at most one Listener. For example, if
180 /// Listeners are defined for "foo.example.com" and "*.example.com", a
181 /// request to "foo.example.com" SHOULD only be routed using routes attached
182 /// to the "foo.example.com" Listener (and not the "*.example.com" Listener).
183 /// This concept is known as "Listener Isolation". Implementations that do
184 /// not support Listener Isolation MUST clearly document this.
185 ///
186 /// Implementations MAY merge separate Gateways onto a single set of
187 /// Addresses if all Listeners across all Gateways are compatible.
188 ///
189 /// Support: Core
190 pub listeners: Vec<GatewayListeners>,
191}
192
193/// GatewayAddress describes an address that can be bound to a Gateway.
194#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
195pub struct GatewayAddresses {
196 /// Type of the address.
197 #[serde(default, skip_serializing_if = "Option::is_none", rename = "type")]
198 pub r#type: Option<String>,
199 /// Value of the address. The validity of the values will depend
200 /// on the type and support by the controller.
201 ///
202 /// Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
203 pub value: String,
204}
205
206/// BackendTLS configures TLS settings for when this Gateway is connecting to
207/// backends with TLS.
208///
209/// Support: Core
210///
211///
212#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
213pub struct GatewayBackendTls {
214 /// ClientCertificateRef is a reference to an object that contains a Client
215 /// Certificate and the associated private key.
216 ///
217 /// References to a resource in different namespace are invalid UNLESS there
218 /// is a ReferenceGrant in the target namespace that allows the certificate
219 /// to be attached. If a ReferenceGrant does not allow this reference, the
220 /// "ResolvedRefs" condition MUST be set to False for this listener with the
221 /// "RefNotPermitted" reason.
222 ///
223 /// ClientCertificateRef can reference to standard Kubernetes resources, i.e.
224 /// Secret, or implementation-specific custom resources.
225 ///
226 /// This setting can be overridden on the service level by use of BackendTLSPolicy.
227 ///
228 /// Support: Core
229 ///
230 ///
231 #[serde(
232 default,
233 skip_serializing_if = "Option::is_none",
234 rename = "clientCertificateRef"
235 )]
236 pub client_certificate_ref: Option<GatewayBackendTlsClientCertificateRef>,
237}
238
239/// ClientCertificateRef is a reference to an object that contains a Client
240/// Certificate and the associated private key.
241///
242/// References to a resource in different namespace are invalid UNLESS there
243/// is a ReferenceGrant in the target namespace that allows the certificate
244/// to be attached. If a ReferenceGrant does not allow this reference, the
245/// "ResolvedRefs" condition MUST be set to False for this listener with the
246/// "RefNotPermitted" reason.
247///
248/// ClientCertificateRef can reference to standard Kubernetes resources, i.e.
249/// Secret, or implementation-specific custom resources.
250///
251/// This setting can be overridden on the service level by use of BackendTLSPolicy.
252///
253/// Support: Core
254///
255///
256#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
257pub struct GatewayBackendTlsClientCertificateRef {
258 /// Group is the group of the referent. For example, "gateway.networking.k8s.io".
259 /// When unspecified or empty string, core API group is inferred.
260 #[serde(default, skip_serializing_if = "Option::is_none")]
261 pub group: Option<String>,
262 /// Kind is kind of the referent. For example "Secret".
263 #[serde(default, skip_serializing_if = "Option::is_none")]
264 pub kind: Option<String>,
265 /// Name is the name of the referent.
266 pub name: String,
267 /// Namespace is the namespace of the referenced object. When unspecified, the local
268 /// namespace is inferred.
269 ///
270 /// Note that when a namespace different than the local namespace is specified,
271 /// a ReferenceGrant object is required in the referent namespace to allow that
272 /// namespace's owner to accept the reference. See the ReferenceGrant
273 /// documentation for details.
274 ///
275 /// Support: Core
276 #[serde(default, skip_serializing_if = "Option::is_none")]
277 pub namespace: Option<String>,
278}
279
280/// Infrastructure defines infrastructure level attributes about this Gateway instance.
281///
282/// Support: Extended
283#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
284pub struct GatewayInfrastructure {
285 /// Annotations that SHOULD be applied to any resources created in response to this Gateway.
286 ///
287 /// For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
288 /// For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
289 ///
290 /// An implementation may chose to add additional implementation-specific annotations as they see fit.
291 ///
292 /// Support: Extended
293 #[serde(default, skip_serializing_if = "Option::is_none")]
294 pub annotations: Option<BTreeMap<String, String>>,
295 /// Labels that SHOULD be applied to any resources created in response to this Gateway.
296 ///
297 /// For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
298 /// For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
299 ///
300 /// An implementation may chose to add additional implementation-specific labels as they see fit.
301 ///
302 /// If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
303 /// change, it SHOULD clearly warn about this behavior in documentation.
304 ///
305 /// Support: Extended
306 #[serde(default, skip_serializing_if = "Option::is_none")]
307 pub labels: Option<BTreeMap<String, String>>,
308 /// ParametersRef is a reference to a resource that contains the configuration
309 /// parameters corresponding to the Gateway. This is optional if the
310 /// controller does not require any additional configuration.
311 ///
312 /// This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
313 ///
314 /// The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
315 /// the merging behavior is implementation specific.
316 /// It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
317 ///
318 /// Support: Implementation-specific
319 #[serde(
320 default,
321 skip_serializing_if = "Option::is_none",
322 rename = "parametersRef"
323 )]
324 pub parameters_ref: Option<GatewayInfrastructureParametersRef>,
325}
326
327/// ParametersRef is a reference to a resource that contains the configuration
328/// parameters corresponding to the Gateway. This is optional if the
329/// controller does not require any additional configuration.
330///
331/// This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
332///
333/// The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
334/// the merging behavior is implementation specific.
335/// It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
336///
337/// Support: Implementation-specific
338#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
339pub struct GatewayInfrastructureParametersRef {
340 /// Group is the group of the referent.
341 pub group: String,
342 /// Kind is kind of the referent.
343 pub kind: String,
344 /// Name is the name of the referent.
345 pub name: String,
346}
347
348/// Listener embodies the concept of a logical endpoint where a Gateway accepts
349/// network connections.
350#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
351pub struct GatewayListeners {
352 /// AllowedRoutes defines the types of routes that MAY be attached to a
353 /// Listener and the trusted namespaces where those Route resources MAY be
354 /// present.
355 ///
356 /// Although a client request may match multiple route rules, only one rule
357 /// may ultimately receive the request. Matching precedence MUST be
358 /// determined in order of the following criteria:
359 ///
360 /// * The most specific match as defined by the Route type.
361 /// * The oldest Route based on creation timestamp. For example, a Route with
362 /// a creation timestamp of "2020-09-08 01:02:03" is given precedence over
363 /// a Route with a creation timestamp of "2020-09-08 01:02:04".
364 /// * If everything else is equivalent, the Route appearing first in
365 /// alphabetical order (namespace/name) should be given precedence. For
366 /// example, foo/bar is given precedence over foo/baz.
367 ///
368 /// All valid rules within a Route attached to this Listener should be
369 /// implemented. Invalid Route rules can be ignored (sometimes that will mean
370 /// the full Route). If a Route rule transitions from valid to invalid,
371 /// support for that Route rule should be dropped to ensure consistency. For
372 /// example, even if a filter specified by a Route rule is invalid, the rest
373 /// of the rules within that Route should still be supported.
374 ///
375 /// Support: Core
376 #[serde(
377 default,
378 skip_serializing_if = "Option::is_none",
379 rename = "allowedRoutes"
380 )]
381 pub allowed_routes: Option<GatewayListenersAllowedRoutes>,
382 /// Hostname specifies the virtual hostname to match for protocol types that
383 /// define this concept. When unspecified, all hostnames are matched. This
384 /// field is ignored for protocols that don't require hostname based
385 /// matching.
386 ///
387 /// Implementations MUST apply Hostname matching appropriately for each of
388 /// the following protocols:
389 ///
390 /// * TLS: The Listener Hostname MUST match the SNI.
391 /// * HTTP: The Listener Hostname MUST match the Host header of the request.
392 /// * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
393 /// protocol layers as described above. If an implementation does not
394 /// ensure that both the SNI and Host header match the Listener hostname,
395 /// it MUST clearly document that.
396 ///
397 /// For HTTPRoute and TLSRoute resources, there is an interaction with the
398 /// `spec.hostnames` array. When both listener and route specify hostnames,
399 /// there MUST be an intersection between the values for a Route to be
400 /// accepted. For more information, refer to the Route specific Hostnames
401 /// documentation.
402 ///
403 /// Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
404 /// as a suffix match. That means that a match for `*.example.com` would match
405 /// both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
406 ///
407 /// Support: Core
408 #[serde(default, skip_serializing_if = "Option::is_none")]
409 pub hostname: Option<String>,
410 /// Name is the name of the Listener. This name MUST be unique within a
411 /// Gateway.
412 ///
413 /// Support: Core
414 pub name: String,
415 /// Port is the network port. Multiple listeners may use the
416 /// same port, subject to the Listener compatibility rules.
417 ///
418 /// Support: Core
419 pub port: i32,
420 /// Protocol specifies the network protocol this listener expects to receive.
421 ///
422 /// Support: Core
423 pub protocol: String,
424 /// TLS is the TLS configuration for the Listener. This field is required if
425 /// the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
426 /// if the Protocol field is "HTTP", "TCP", or "UDP".
427 ///
428 /// The association of SNIs to Certificate defined in GatewayTLSConfig is
429 /// defined based on the Hostname field for this listener.
430 ///
431 /// The GatewayClass MUST use the longest matching SNI out of all
432 /// available certificates for any TLS handshake.
433 ///
434 /// Support: Core
435 #[serde(default, skip_serializing_if = "Option::is_none")]
436 pub tls: Option<GatewayListenersTls>,
437}
438
439/// AllowedRoutes defines the types of routes that MAY be attached to a
440/// Listener and the trusted namespaces where those Route resources MAY be
441/// present.
442///
443/// Although a client request may match multiple route rules, only one rule
444/// may ultimately receive the request. Matching precedence MUST be
445/// determined in order of the following criteria:
446///
447/// * The most specific match as defined by the Route type.
448/// * The oldest Route based on creation timestamp. For example, a Route with
449/// a creation timestamp of "2020-09-08 01:02:03" is given precedence over
450/// a Route with a creation timestamp of "2020-09-08 01:02:04".
451/// * If everything else is equivalent, the Route appearing first in
452/// alphabetical order (namespace/name) should be given precedence. For
453/// example, foo/bar is given precedence over foo/baz.
454///
455/// All valid rules within a Route attached to this Listener should be
456/// implemented. Invalid Route rules can be ignored (sometimes that will mean
457/// the full Route). If a Route rule transitions from valid to invalid,
458/// support for that Route rule should be dropped to ensure consistency. For
459/// example, even if a filter specified by a Route rule is invalid, the rest
460/// of the rules within that Route should still be supported.
461///
462/// Support: Core
463#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
464pub struct GatewayListenersAllowedRoutes {
465 /// Kinds specifies the groups and kinds of Routes that are allowed to bind
466 /// to this Gateway Listener. When unspecified or empty, the kinds of Routes
467 /// selected are determined using the Listener protocol.
468 ///
469 /// A RouteGroupKind MUST correspond to kinds of Routes that are compatible
470 /// with the application protocol specified in the Listener's Protocol field.
471 /// If an implementation does not support or recognize this resource type, it
472 /// MUST set the "ResolvedRefs" condition to False for this Listener with the
473 /// "InvalidRouteKinds" reason.
474 ///
475 /// Support: Core
476 #[serde(default, skip_serializing_if = "Option::is_none")]
477 pub kinds: Option<Vec<GatewayListenersAllowedRoutesKinds>>,
478 /// Namespaces indicates namespaces from which Routes may be attached to this
479 /// Listener. This is restricted to the namespace of this Gateway by default.
480 ///
481 /// Support: Core
482 #[serde(default, skip_serializing_if = "Option::is_none")]
483 pub namespaces: Option<GatewayListenersAllowedRoutesNamespaces>,
484}
485
486/// RouteGroupKind indicates the group and kind of a Route resource.
487#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
488pub struct GatewayListenersAllowedRoutesKinds {
489 /// Group is the group of the Route.
490 #[serde(default, skip_serializing_if = "Option::is_none")]
491 pub group: Option<String>,
492 /// Kind is the kind of the Route.
493 pub kind: String,
494}
495
496/// Namespaces indicates namespaces from which Routes may be attached to this
497/// Listener. This is restricted to the namespace of this Gateway by default.
498///
499/// Support: Core
500#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
501pub struct GatewayListenersAllowedRoutesNamespaces {
502 /// From indicates where Routes will be selected for this Gateway. Possible
503 /// values are:
504 ///
505 /// * All: Routes in all namespaces may be used by this Gateway.
506 /// * Selector: Routes in namespaces selected by the selector may be used by
507 /// this Gateway.
508 /// * Same: Only Routes in the same namespace may be used by this Gateway.
509 ///
510 /// Support: Core
511 #[serde(default, skip_serializing_if = "Option::is_none")]
512 pub from: Option<GatewayListenersAllowedRoutesNamespacesFrom>,
513 /// Selector must be specified when From is set to "Selector". In that case,
514 /// only Routes in Namespaces matching this Selector will be selected by this
515 /// Gateway. This field is ignored for other values of "From".
516 ///
517 /// Support: Core
518 #[serde(default, skip_serializing_if = "Option::is_none")]
519 pub selector: Option<GatewayListenersAllowedRoutesNamespacesSelector>,
520}
521
522/// Namespaces indicates namespaces from which Routes may be attached to this
523/// Listener. This is restricted to the namespace of this Gateway by default.
524///
525/// Support: Core
526#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, PartialEq)]
527pub enum GatewayListenersAllowedRoutesNamespacesFrom {
528 All,
529 Selector,
530 Same,
531}
532
533/// Selector must be specified when From is set to "Selector". In that case,
534/// only Routes in Namespaces matching this Selector will be selected by this
535/// Gateway. This field is ignored for other values of "From".
536///
537/// Support: Core
538#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
539pub struct GatewayListenersAllowedRoutesNamespacesSelector {
540 /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
541 #[serde(
542 default,
543 skip_serializing_if = "Option::is_none",
544 rename = "matchExpressions"
545 )]
546 pub match_expressions:
547 Option<Vec<GatewayListenersAllowedRoutesNamespacesSelectorMatchExpressions>>,
548 /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
549 /// map is equivalent to an element of matchExpressions, whose key field is "key", the
550 /// operator is "In", and the values array contains only "value". The requirements are ANDed.
551 #[serde(
552 default,
553 skip_serializing_if = "Option::is_none",
554 rename = "matchLabels"
555 )]
556 pub match_labels: Option<BTreeMap<String, String>>,
557}
558
559/// A label selector requirement is a selector that contains values, a key, and an operator that
560/// relates the key and values.
561#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
562pub struct GatewayListenersAllowedRoutesNamespacesSelectorMatchExpressions {
563 /// key is the label key that the selector applies to.
564 pub key: String,
565 /// operator represents a key's relationship to a set of values.
566 /// Valid operators are In, NotIn, Exists and DoesNotExist.
567 pub operator: String,
568 /// values is an array of string values. If the operator is In or NotIn,
569 /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
570 /// the values array must be empty. This array is replaced during a strategic
571 /// merge patch.
572 #[serde(default, skip_serializing_if = "Option::is_none")]
573 pub values: Option<Vec<String>>,
574}
575
576/// TLS is the TLS configuration for the Listener. This field is required if
577/// the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
578/// if the Protocol field is "HTTP", "TCP", or "UDP".
579///
580/// The association of SNIs to Certificate defined in GatewayTLSConfig is
581/// defined based on the Hostname field for this listener.
582///
583/// The GatewayClass MUST use the longest matching SNI out of all
584/// available certificates for any TLS handshake.
585///
586/// Support: Core
587#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
588pub struct GatewayListenersTls {
589 /// CertificateRefs contains a series of references to Kubernetes objects that
590 /// contains TLS certificates and private keys. These certificates are used to
591 /// establish a TLS handshake for requests that match the hostname of the
592 /// associated listener.
593 ///
594 /// A single CertificateRef to a Kubernetes Secret has "Core" support.
595 /// Implementations MAY choose to support attaching multiple certificates to
596 /// a Listener, but this behavior is implementation-specific.
597 ///
598 /// References to a resource in different namespace are invalid UNLESS there
599 /// is a ReferenceGrant in the target namespace that allows the certificate
600 /// to be attached. If a ReferenceGrant does not allow this reference, the
601 /// "ResolvedRefs" condition MUST be set to False for this listener with the
602 /// "RefNotPermitted" reason.
603 ///
604 /// This field is required to have at least one element when the mode is set
605 /// to "Terminate" (default) and is optional otherwise.
606 ///
607 /// CertificateRefs can reference to standard Kubernetes resources, i.e.
608 /// Secret, or implementation-specific custom resources.
609 ///
610 /// Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
611 ///
612 /// Support: Implementation-specific (More than one reference or other resource types)
613 #[serde(
614 default,
615 skip_serializing_if = "Option::is_none",
616 rename = "certificateRefs"
617 )]
618 pub certificate_refs: Option<Vec<GatewayListenersTlsCertificateRefs>>,
619 /// FrontendValidation holds configuration information for validating the frontend (client).
620 /// Setting this field will require clients to send a client certificate
621 /// required for validation during the TLS handshake. In browsers this may result in a dialog appearing
622 /// that requests a user to specify the client certificate.
623 /// The maximum depth of a certificate chain accepted in verification is Implementation specific.
624 ///
625 /// Support: Extended
626 ///
627 ///
628 #[serde(
629 default,
630 skip_serializing_if = "Option::is_none",
631 rename = "frontendValidation"
632 )]
633 pub frontend_validation: Option<GatewayListenersTlsFrontendValidation>,
634 /// Mode defines the TLS behavior for the TLS session initiated by the client.
635 /// There are two possible modes:
636 ///
637 /// - Terminate: The TLS session between the downstream client and the
638 /// Gateway is terminated at the Gateway. This mode requires certificates
639 /// to be specified in some way, such as populating the certificateRefs
640 /// field.
641 /// - Passthrough: The TLS session is NOT terminated by the Gateway. This
642 /// implies that the Gateway can't decipher the TLS stream except for
643 /// the ClientHello message of the TLS protocol. The certificateRefs field
644 /// is ignored in this mode.
645 ///
646 /// Support: Core
647 #[serde(default, skip_serializing_if = "Option::is_none")]
648 pub mode: Option<GatewayListenersTlsMode>,
649 /// Options are a list of key/value pairs to enable extended TLS
650 /// configuration for each implementation. For example, configuring the
651 /// minimum TLS version or supported cipher suites.
652 ///
653 /// A set of common keys MAY be defined by the API in the future. To avoid
654 /// any ambiguity, implementation-specific definitions MUST use
655 /// domain-prefixed names, such as `example.com/my-custom-option`.
656 /// Un-prefixed names are reserved for key names defined by Gateway API.
657 ///
658 /// Support: Implementation-specific
659 #[serde(default, skip_serializing_if = "Option::is_none")]
660 pub options: Option<BTreeMap<String, String>>,
661}
662
663/// SecretObjectReference identifies an API object including its namespace,
664/// defaulting to Secret.
665///
666/// The API object must be valid in the cluster; the Group and Kind must
667/// be registered in the cluster for this reference to be valid.
668///
669/// References to objects with invalid Group and Kind are not valid, and must
670/// be rejected by the implementation, with appropriate Conditions set
671/// on the containing object.
672#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
673pub struct GatewayListenersTlsCertificateRefs {
674 /// Group is the group of the referent. For example, "gateway.networking.k8s.io".
675 /// When unspecified or empty string, core API group is inferred.
676 #[serde(default, skip_serializing_if = "Option::is_none")]
677 pub group: Option<String>,
678 /// Kind is kind of the referent. For example "Secret".
679 #[serde(default, skip_serializing_if = "Option::is_none")]
680 pub kind: Option<String>,
681 /// Name is the name of the referent.
682 pub name: String,
683 /// Namespace is the namespace of the referenced object. When unspecified, the local
684 /// namespace is inferred.
685 ///
686 /// Note that when a namespace different than the local namespace is specified,
687 /// a ReferenceGrant object is required in the referent namespace to allow that
688 /// namespace's owner to accept the reference. See the ReferenceGrant
689 /// documentation for details.
690 ///
691 /// Support: Core
692 #[serde(default, skip_serializing_if = "Option::is_none")]
693 pub namespace: Option<String>,
694}
695
696/// FrontendValidation holds configuration information for validating the frontend (client).
697/// Setting this field will require clients to send a client certificate
698/// required for validation during the TLS handshake. In browsers this may result in a dialog appearing
699/// that requests a user to specify the client certificate.
700/// The maximum depth of a certificate chain accepted in verification is Implementation specific.
701///
702/// Support: Extended
703///
704///
705#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
706pub struct GatewayListenersTlsFrontendValidation {
707 /// CACertificateRefs contains one or more references to
708 /// Kubernetes objects that contain TLS certificates of
709 /// the Certificate Authorities that can be used
710 /// as a trust anchor to validate the certificates presented by the client.
711 ///
712 /// A single CA certificate reference to a Kubernetes ConfigMap
713 /// has "Core" support.
714 /// Implementations MAY choose to support attaching multiple CA certificates to
715 /// a Listener, but this behavior is implementation-specific.
716 ///
717 /// Support: Core - A single reference to a Kubernetes ConfigMap
718 /// with the CA certificate in a key named `ca.crt`.
719 ///
720 /// Support: Implementation-specific (More than one reference, or other kinds
721 /// of resources).
722 ///
723 /// References to a resource in a different namespace are invalid UNLESS there
724 /// is a ReferenceGrant in the target namespace that allows the certificate
725 /// to be attached. If a ReferenceGrant does not allow this reference, the
726 /// "ResolvedRefs" condition MUST be set to False for this listener with the
727 /// "RefNotPermitted" reason.
728 #[serde(
729 default,
730 skip_serializing_if = "Option::is_none",
731 rename = "caCertificateRefs"
732 )]
733 pub ca_certificate_refs: Option<Vec<GatewayListenersTlsFrontendValidationCaCertificateRefs>>,
734}
735
736/// ObjectReference identifies an API object including its namespace.
737///
738/// The API object must be valid in the cluster; the Group and Kind must
739/// be registered in the cluster for this reference to be valid.
740///
741/// References to objects with invalid Group and Kind are not valid, and must
742/// be rejected by the implementation, with appropriate Conditions set
743/// on the containing object.
744#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
745pub struct GatewayListenersTlsFrontendValidationCaCertificateRefs {
746 /// Group is the group of the referent. For example, "gateway.networking.k8s.io".
747 /// When unspecified or empty string, core API group is inferred.
748 pub group: String,
749 /// Kind is kind of the referent. For example "ConfigMap" or "Service".
750 pub kind: String,
751 /// Name is the name of the referent.
752 pub name: String,
753 /// Namespace is the namespace of the referenced object. When unspecified, the local
754 /// namespace is inferred.
755 ///
756 /// Note that when a namespace different than the local namespace is specified,
757 /// a ReferenceGrant object is required in the referent namespace to allow that
758 /// namespace's owner to accept the reference. See the ReferenceGrant
759 /// documentation for details.
760 ///
761 /// Support: Core
762 #[serde(default, skip_serializing_if = "Option::is_none")]
763 pub namespace: Option<String>,
764}
765
766/// TLS is the TLS configuration for the Listener. This field is required if
767/// the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
768/// if the Protocol field is "HTTP", "TCP", or "UDP".
769///
770/// The association of SNIs to Certificate defined in GatewayTLSConfig is
771/// defined based on the Hostname field for this listener.
772///
773/// The GatewayClass MUST use the longest matching SNI out of all
774/// available certificates for any TLS handshake.
775///
776/// Support: Core
777#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, PartialEq)]
778pub enum GatewayListenersTlsMode {
779 Terminate,
780 Passthrough,
781}
782
783/// Status defines the current state of Gateway.
784#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
785pub struct GatewayStatus {
786 /// Addresses lists the network addresses that have been bound to the
787 /// Gateway.
788 ///
789 /// This list may differ from the addresses provided in the spec under some
790 /// conditions:
791 ///
792 /// * no addresses are specified, all addresses are dynamically assigned
793 /// * a combination of specified and dynamic addresses are assigned
794 /// * a specified address was unusable (e.g. already in use)
795 ///
796 ///
797 #[serde(default, skip_serializing_if = "Option::is_none")]
798 pub addresses: Option<Vec<GatewayStatusAddresses>>,
799 /// Conditions describe the current conditions of the Gateway.
800 ///
801 /// Implementations should prefer to express Gateway conditions
802 /// using the `GatewayConditionType` and `GatewayConditionReason`
803 /// constants so that operators and tools can converge on a common
804 /// vocabulary to describe Gateway state.
805 ///
806 /// Known condition types are:
807 ///
808 /// * "Accepted"
809 /// * "Programmed"
810 /// * "Ready"
811 #[serde(default, skip_serializing_if = "Option::is_none")]
812 pub conditions: Option<Vec<Condition>>,
813 /// Listeners provide status for each unique listener port defined in the Spec.
814 #[serde(default, skip_serializing_if = "Option::is_none")]
815 pub listeners: Option<Vec<GatewayStatusListeners>>,
816}
817
818/// GatewayStatusAddress describes a network address that is bound to a Gateway.
819#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
820pub struct GatewayStatusAddresses {
821 /// Type of the address.
822 #[serde(default, skip_serializing_if = "Option::is_none", rename = "type")]
823 pub r#type: Option<String>,
824 /// Value of the address. The validity of the values will depend
825 /// on the type and support by the controller.
826 ///
827 /// Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
828 pub value: String,
829}
830
831/// ListenerStatus is the status associated with a Listener.
832#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
833pub struct GatewayStatusListeners {
834 /// AttachedRoutes represents the total number of Routes that have been
835 /// successfully attached to this Listener.
836 ///
837 /// Successful attachment of a Route to a Listener is based solely on the
838 /// combination of the AllowedRoutes field on the corresponding Listener
839 /// and the Route's ParentRefs field. A Route is successfully attached to
840 /// a Listener when it is selected by the Listener's AllowedRoutes field
841 /// AND the Route has a valid ParentRef selecting the whole Gateway
842 /// resource or a specific Listener as a parent resource (more detail on
843 /// attachment semantics can be found in the documentation on the various
844 /// Route kinds ParentRefs fields). Listener or Route status does not impact
845 /// successful attachment, i.e. the AttachedRoutes field count MUST be set
846 /// for Listeners with condition Accepted: false and MUST count successfully
847 /// attached Routes that may themselves have Accepted: false conditions.
848 ///
849 /// Uses for this field include troubleshooting Route attachment and
850 /// measuring blast radius/impact of changes to a Listener.
851 #[serde(rename = "attachedRoutes")]
852 pub attached_routes: i32,
853 /// Conditions describe the current condition of this listener.
854 pub conditions: Vec<Condition>,
855 /// Name is the name of the Listener that this status corresponds to.
856 pub name: String,
857 /// SupportedKinds is the list indicating the Kinds supported by this
858 /// listener. This MUST represent the kinds an implementation supports for
859 /// that Listener configuration.
860 ///
861 /// If kinds are specified in Spec that are not supported, they MUST NOT
862 /// appear in this list and an implementation MUST set the "ResolvedRefs"
863 /// condition to "False" with the "InvalidRouteKinds" reason. If both valid
864 /// and invalid Route kinds are specified, the implementation MUST
865 /// reference the valid Route kinds that have been specified.
866 #[serde(rename = "supportedKinds")]
867 pub supported_kinds: Vec<GatewayStatusListenersSupportedKinds>,
868}
869
870/// RouteGroupKind indicates the group and kind of a Route resource.
871#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
872pub struct GatewayStatusListenersSupportedKinds {
873 /// Group is the group of the Route.
874 #[serde(default, skip_serializing_if = "Option::is_none")]
875 pub group: Option<String>,
876 /// Kind is the kind of the Route.
877 pub kind: String,
878}