gateway_api/apis/experimental/gateways.rs
1// WARNING: generated file - manual changes will be overriden
2
3use super::common::*;
4#[allow(unused_imports)]
5mod prelude {
6 pub use k8s_openapi::apimachinery::pkg::apis::meta::v1::Condition;
7 pub use kube_derive::CustomResource;
8 pub use schemars::JsonSchema;
9 pub use serde::{Deserialize, Serialize};
10 pub use std::collections::BTreeMap;
11}
12use self::prelude::*;
13/// Spec defines the desired state of Gateway.
14#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
15#[kube(
16 group = "gateway.networking.k8s.io",
17 version = "v1",
18 kind = "Gateway",
19 plural = "gateways"
20)]
21#[kube(namespaced)]
22#[kube(status = "GatewayStatus")]
23#[kube(derive = "Default")]
24#[kube(derive = "PartialEq")]
25pub struct GatewaySpec {
26 /// Addresses requested for this Gateway. This is optional and behavior can
27 /// depend on the implementation. If a value is set in the spec and the
28 /// requested address is invalid or unavailable, the implementation MUST
29 /// indicate this in the associated entry in GatewayStatus.Addresses.
30 ///
31 /// The Addresses field represents a request for the address(es) on the
32 /// "outside of the Gateway", that traffic bound for this Gateway will use.
33 /// This could be the IP address or hostname of an external load balancer or
34 /// other networking infrastructure, or some other address that traffic will
35 /// be sent to.
36 ///
37 /// If no Addresses are specified, the implementation MAY schedule the
38 /// Gateway in an implementation-specific manner, assigning an appropriate
39 /// set of Addresses.
40 ///
41 /// The implementation MUST bind all Listeners to every GatewayAddress that
42 /// it assigns to the Gateway and add a corresponding entry in
43 /// GatewayStatus.Addresses.
44 ///
45 /// Support: Extended
46 ///
47 ///
48 #[serde(default, skip_serializing_if = "Option::is_none")]
49 pub addresses: Option<Vec<GatewayAddress>>,
50 /// BackendTLS configures TLS settings for when this Gateway is connecting to
51 /// backends with TLS.
52 ///
53 /// Support: Core
54 ///
55 ///
56 #[serde(
57 default,
58 skip_serializing_if = "Option::is_none",
59 rename = "backendTLS"
60 )]
61 pub backend_tls: Option<GatewayBackendTls>,
62 /// GatewayClassName used for this Gateway. This is the name of a
63 /// GatewayClass resource.
64 #[serde(rename = "gatewayClassName")]
65 pub gateway_class_name: String,
66 /// Infrastructure defines infrastructure level attributes about this Gateway instance.
67 ///
68 /// Support: Extended
69 #[serde(default, skip_serializing_if = "Option::is_none")]
70 pub infrastructure: Option<GatewayInfrastructure>,
71 /// Listeners associated with this Gateway. Listeners define
72 /// logical endpoints that are bound on this Gateway's addresses.
73 /// At least one Listener MUST be specified.
74 ///
75 /// Each Listener in a set of Listeners (for example, in a single Gateway)
76 /// MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
77 /// exactly one listener. (This section uses "set of Listeners" rather than
78 /// "Listeners in a single Gateway" because implementations MAY merge configuration
79 /// from multiple Gateways onto a single data plane, and these rules _also_
80 /// apply in that case).
81 ///
82 /// Practically, this means that each listener in a set MUST have a unique
83 /// combination of Port, Protocol, and, if supported by the protocol, Hostname.
84 ///
85 /// Some combinations of port, protocol, and TLS settings are considered
86 /// Core support and MUST be supported by implementations based on their
87 /// targeted conformance profile:
88 ///
89 /// HTTP Profile
90 ///
91 /// 1. HTTPRoute, Port: 80, Protocol: HTTP
92 /// 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
93 ///
94 /// TLS Profile
95 ///
96 /// 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
97 ///
98 /// "Distinct" Listeners have the following property:
99 ///
100 /// The implementation can match inbound requests to a single distinct
101 /// Listener. When multiple Listeners share values for fields (for
102 /// example, two Listeners with the same Port value), the implementation
103 /// can match requests to only one of the Listeners using other
104 /// Listener fields.
105 ///
106 /// For example, the following Listener scenarios are distinct:
107 ///
108 /// 1. Multiple Listeners with the same Port that all use the "HTTP"
109 /// Protocol that all have unique Hostname values.
110 /// 2. Multiple Listeners with the same Port that use either the "HTTPS" or
111 /// "TLS" Protocol that all have unique Hostname values.
112 /// 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener
113 /// with the same Protocol has the same Port value.
114 ///
115 /// Some fields in the Listener struct have possible values that affect
116 /// whether the Listener is distinct. Hostname is particularly relevant
117 /// for HTTP or HTTPS protocols.
118 ///
119 /// When using the Hostname value to select between same-Port, same-Protocol
120 /// Listeners, the Hostname value must be different on each Listener for the
121 /// Listener to be distinct.
122 ///
123 /// When the Listeners are distinct based on Hostname, inbound request
124 /// hostnames MUST match from the most specific to least specific Hostname
125 /// values to choose the correct Listener and its associated set of Routes.
126 ///
127 /// Exact matches must be processed before wildcard matches, and wildcard
128 /// matches must be processed before fallback (empty Hostname value)
129 /// matches. For example, `"foo.example.com"` takes precedence over
130 /// `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
131 ///
132 /// Additionally, if there are multiple wildcard entries, more specific
133 /// wildcard entries must be processed before less specific wildcard entries.
134 /// For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
135 /// The precise definition here is that the higher the number of dots in the
136 /// hostname to the right of the wildcard character, the higher the precedence.
137 ///
138 /// The wildcard character will match any number of characters _and dots_ to
139 /// the left, however, so `"*.example.com"` will match both
140 /// `"foo.bar.example.com"` _and_ `"bar.example.com"`.
141 ///
142 /// If a set of Listeners contains Listeners that are not distinct, then those
143 /// Listeners are Conflicted, and the implementation MUST set the "Conflicted"
144 /// condition in the Listener Status to "True".
145 ///
146 /// Implementations MAY choose to accept a Gateway with some Conflicted
147 /// Listeners only if they only accept the partial Listener set that contains
148 /// no Conflicted Listeners. To put this another way, implementations may
149 /// accept a partial Listener set only if they throw out *all* the conflicting
150 /// Listeners. No picking one of the conflicting listeners as the winner.
151 /// This also means that the Gateway must have at least one non-conflicting
152 /// Listener in this case, otherwise it violates the requirement that at
153 /// least one Listener must be present.
154 ///
155 /// The implementation MUST set a "ListenersNotValid" condition on the
156 /// Gateway Status when the Gateway contains Conflicted Listeners whether or
157 /// not they accept the Gateway. That Condition SHOULD clearly
158 /// indicate in the Message which Listeners are conflicted, and which are
159 /// Accepted. Additionally, the Listener status for those listeners SHOULD
160 /// indicate which Listeners are conflicted and not Accepted.
161 ///
162 /// A Gateway's Listeners are considered "compatible" if:
163 ///
164 /// 1. They are distinct.
165 /// 2. The implementation can serve them in compliance with the Addresses
166 /// requirement that all Listeners are available on all assigned
167 /// addresses.
168 ///
169 /// Compatible combinations in Extended support are expected to vary across
170 /// implementations. A combination that is compatible for one implementation
171 /// may not be compatible for another.
172 ///
173 /// For example, an implementation that cannot serve both TCP and UDP listeners
174 /// on the same address, or cannot mix HTTPS and generic TLS listens on the same port
175 /// would not consider those cases compatible, even though they are distinct.
176 ///
177 /// Note that requests SHOULD match at most one Listener. For example, if
178 /// Listeners are defined for "foo.example.com" and "*.example.com", a
179 /// request to "foo.example.com" SHOULD only be routed using routes attached
180 /// to the "foo.example.com" Listener (and not the "*.example.com" Listener).
181 /// This concept is known as "Listener Isolation". Implementations that do
182 /// not support Listener Isolation MUST clearly document this.
183 ///
184 /// Implementations MAY merge separate Gateways onto a single set of
185 /// Addresses if all Listeners across all Gateways are compatible.
186 ///
187 /// Support: Core
188 pub listeners: Vec<GatewayListeners>,
189}
190/// BackendTLS configures TLS settings for when this Gateway is connecting to
191/// backends with TLS.
192///
193/// Support: Core
194///
195///
196#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
197pub struct GatewayBackendTls {
198 /// ClientCertificateRef is a reference to an object that contains a Client
199 /// Certificate and the associated private key.
200 ///
201 /// References to a resource in different namespace are invalid UNLESS there
202 /// is a ReferenceGrant in the target namespace that allows the certificate
203 /// to be attached. If a ReferenceGrant does not allow this reference, the
204 /// "ResolvedRefs" condition MUST be set to False for this listener with the
205 /// "RefNotPermitted" reason.
206 ///
207 /// ClientCertificateRef can reference to standard Kubernetes resources, i.e.
208 /// Secret, or implementation-specific custom resources.
209 ///
210 /// This setting can be overridden on the service level by use of BackendTLSPolicy.
211 ///
212 /// Support: Core
213 ///
214 ///
215 #[serde(
216 default,
217 skip_serializing_if = "Option::is_none",
218 rename = "clientCertificateRef"
219 )]
220 pub client_certificate_ref: Option<BackendTlsClientCertificateReference>,
221}
222/// Infrastructure defines infrastructure level attributes about this Gateway instance.
223///
224/// Support: Extended
225#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
226pub struct GatewayInfrastructure {
227 /// Annotations that SHOULD be applied to any resources created in response to this Gateway.
228 ///
229 /// For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
230 /// For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
231 ///
232 /// An implementation may chose to add additional implementation-specific annotations as they see fit.
233 ///
234 /// Support: Extended
235 #[serde(default, skip_serializing_if = "Option::is_none")]
236 pub annotations: Option<BTreeMap<String, String>>,
237 /// Labels that SHOULD be applied to any resources created in response to this Gateway.
238 ///
239 /// For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
240 /// For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
241 ///
242 /// An implementation may chose to add additional implementation-specific labels as they see fit.
243 ///
244 /// If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
245 /// change, it SHOULD clearly warn about this behavior in documentation.
246 ///
247 /// Support: Extended
248 #[serde(default, skip_serializing_if = "Option::is_none")]
249 pub labels: Option<BTreeMap<String, String>>,
250 /// ParametersRef is a reference to a resource that contains the configuration
251 /// parameters corresponding to the Gateway. This is optional if the
252 /// controller does not require any additional configuration.
253 ///
254 /// This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
255 ///
256 /// The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
257 /// the merging behavior is implementation specific.
258 /// It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
259 ///
260 /// Support: Implementation-specific
261 #[serde(
262 default,
263 skip_serializing_if = "Option::is_none",
264 rename = "parametersRef"
265 )]
266 pub parameters_ref: Option<GatewayInfrastructureParametersReference>,
267}
268/// Listener embodies the concept of a logical endpoint where a Gateway accepts
269/// network connections.
270#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
271pub struct GatewayListeners {
272 /// AllowedRoutes defines the types of routes that MAY be attached to a
273 /// Listener and the trusted namespaces where those Route resources MAY be
274 /// present.
275 ///
276 /// Although a client request may match multiple route rules, only one rule
277 /// may ultimately receive the request. Matching precedence MUST be
278 /// determined in order of the following criteria:
279 ///
280 /// * The most specific match as defined by the Route type.
281 /// * The oldest Route based on creation timestamp. For example, a Route with
282 /// a creation timestamp of "2020-09-08 01:02:03" is given precedence over
283 /// a Route with a creation timestamp of "2020-09-08 01:02:04".
284 /// * If everything else is equivalent, the Route appearing first in
285 /// alphabetical order (namespace/name) should be given precedence. For
286 /// example, foo/bar is given precedence over foo/baz.
287 ///
288 /// All valid rules within a Route attached to this Listener should be
289 /// implemented. Invalid Route rules can be ignored (sometimes that will mean
290 /// the full Route). If a Route rule transitions from valid to invalid,
291 /// support for that Route rule should be dropped to ensure consistency. For
292 /// example, even if a filter specified by a Route rule is invalid, the rest
293 /// of the rules within that Route should still be supported.
294 ///
295 /// Support: Core
296 #[serde(
297 default,
298 skip_serializing_if = "Option::is_none",
299 rename = "allowedRoutes"
300 )]
301 pub allowed_routes: Option<GatewayListenersAllowedRoutes>,
302 /// Hostname specifies the virtual hostname to match for protocol types that
303 /// define this concept. When unspecified, all hostnames are matched. This
304 /// field is ignored for protocols that don't require hostname based
305 /// matching.
306 ///
307 /// Implementations MUST apply Hostname matching appropriately for each of
308 /// the following protocols:
309 ///
310 /// * TLS: The Listener Hostname MUST match the SNI.
311 /// * HTTP: The Listener Hostname MUST match the Host header of the request.
312 /// * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
313 /// protocol layers as described above. If an implementation does not
314 /// ensure that both the SNI and Host header match the Listener hostname,
315 /// it MUST clearly document that.
316 ///
317 /// For HTTPRoute and TLSRoute resources, there is an interaction with the
318 /// `spec.hostnames` array. When both listener and route specify hostnames,
319 /// there MUST be an intersection between the values for a Route to be
320 /// accepted. For more information, refer to the Route specific Hostnames
321 /// documentation.
322 ///
323 /// Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
324 /// as a suffix match. That means that a match for `*.example.com` would match
325 /// both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
326 ///
327 /// Support: Core
328 #[serde(default, skip_serializing_if = "Option::is_none")]
329 pub hostname: Option<String>,
330 /// Name is the name of the Listener. This name MUST be unique within a
331 /// Gateway.
332 ///
333 /// Support: Core
334 pub name: String,
335 /// Port is the network port. Multiple listeners may use the
336 /// same port, subject to the Listener compatibility rules.
337 ///
338 /// Support: Core
339 pub port: i32,
340 /// Protocol specifies the network protocol this listener expects to receive.
341 ///
342 /// Support: Core
343 pub protocol: String,
344 /// TLS is the TLS configuration for the Listener. This field is required if
345 /// the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
346 /// if the Protocol field is "HTTP", "TCP", or "UDP".
347 ///
348 /// The association of SNIs to Certificate defined in GatewayTLSConfig is
349 /// defined based on the Hostname field for this listener.
350 ///
351 /// The GatewayClass MUST use the longest matching SNI out of all
352 /// available certificates for any TLS handshake.
353 ///
354 /// Support: Core
355 #[serde(default, skip_serializing_if = "Option::is_none")]
356 pub tls: Option<GatewayListenersTls>,
357}
358/// AllowedRoutes defines the types of routes that MAY be attached to a
359/// Listener and the trusted namespaces where those Route resources MAY be
360/// present.
361///
362/// Although a client request may match multiple route rules, only one rule
363/// may ultimately receive the request. Matching precedence MUST be
364/// determined in order of the following criteria:
365///
366/// * The most specific match as defined by the Route type.
367/// * The oldest Route based on creation timestamp. For example, a Route with
368/// a creation timestamp of "2020-09-08 01:02:03" is given precedence over
369/// a Route with a creation timestamp of "2020-09-08 01:02:04".
370/// * If everything else is equivalent, the Route appearing first in
371/// alphabetical order (namespace/name) should be given precedence. For
372/// example, foo/bar is given precedence over foo/baz.
373///
374/// All valid rules within a Route attached to this Listener should be
375/// implemented. Invalid Route rules can be ignored (sometimes that will mean
376/// the full Route). If a Route rule transitions from valid to invalid,
377/// support for that Route rule should be dropped to ensure consistency. For
378/// example, even if a filter specified by a Route rule is invalid, the rest
379/// of the rules within that Route should still be supported.
380///
381/// Support: Core
382#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
383pub struct GatewayListenersAllowedRoutes {
384 /// Kinds specifies the groups and kinds of Routes that are allowed to bind
385 /// to this Gateway Listener. When unspecified or empty, the kinds of Routes
386 /// selected are determined using the Listener protocol.
387 ///
388 /// A RouteGroupKind MUST correspond to kinds of Routes that are compatible
389 /// with the application protocol specified in the Listener's Protocol field.
390 /// If an implementation does not support or recognize this resource type, it
391 /// MUST set the "ResolvedRefs" condition to False for this Listener with the
392 /// "InvalidRouteKinds" reason.
393 ///
394 /// Support: Core
395 #[serde(default, skip_serializing_if = "Option::is_none")]
396 pub kinds: Option<Vec<Kind>>,
397 /// Namespaces indicates namespaces from which Routes may be attached to this
398 /// Listener. This is restricted to the namespace of this Gateway by default.
399 ///
400 /// Support: Core
401 #[serde(default, skip_serializing_if = "Option::is_none")]
402 pub namespaces: Option<GatewayListenersAllowedRoutesNamespaces>,
403}
404/// Namespaces indicates namespaces from which Routes may be attached to this
405/// Listener. This is restricted to the namespace of this Gateway by default.
406///
407/// Support: Core
408#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
409pub struct GatewayListenersAllowedRoutesNamespaces {
410 /// From indicates where Routes will be selected for this Gateway. Possible
411 /// values are:
412 ///
413 /// * All: Routes in all namespaces may be used by this Gateway.
414 /// * Selector: Routes in namespaces selected by the selector may be used by
415 /// this Gateway.
416 /// * Same: Only Routes in the same namespace may be used by this Gateway.
417 ///
418 /// Support: Core
419 #[serde(default, skip_serializing_if = "Option::is_none")]
420 pub from: Option<GatewayListenersAllowedRoutesNamespacesFrom>,
421 /// Selector must be specified when From is set to "Selector". In that case,
422 /// only Routes in Namespaces matching this Selector will be selected by this
423 /// Gateway. This field is ignored for other values of "From".
424 ///
425 /// Support: Core
426 #[serde(default, skip_serializing_if = "Option::is_none")]
427 pub selector: Option<GatewayListenersAllowedRoutesNamespacesSelector>,
428}
429/// Namespaces indicates namespaces from which Routes may be attached to this
430/// Listener. This is restricted to the namespace of this Gateway by default.
431///
432/// Support: Core
433#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, PartialEq)]
434pub enum GatewayListenersAllowedRoutesNamespacesFrom {
435 All,
436 Selector,
437 Same,
438}
439/// Selector must be specified when From is set to "Selector". In that case,
440/// only Routes in Namespaces matching this Selector will be selected by this
441/// Gateway. This field is ignored for other values of "From".
442///
443/// Support: Core
444#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
445pub struct GatewayListenersAllowedRoutesNamespacesSelector {
446 /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
447 #[serde(
448 default,
449 skip_serializing_if = "Option::is_none",
450 rename = "matchExpressions"
451 )]
452 pub match_expressions:
453 Option<Vec<GatewayListenersAllowedRoutesNamespacesSelectorMatchExpressions>>,
454 /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
455 /// map is equivalent to an element of matchExpressions, whose key field is "key", the
456 /// operator is "In", and the values array contains only "value". The requirements are ANDed.
457 #[serde(
458 default,
459 skip_serializing_if = "Option::is_none",
460 rename = "matchLabels"
461 )]
462 pub match_labels: Option<BTreeMap<String, String>>,
463}
464/// A label selector requirement is a selector that contains values, a key, and an operator that
465/// relates the key and values.
466#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
467pub struct GatewayListenersAllowedRoutesNamespacesSelectorMatchExpressions {
468 /// key is the label key that the selector applies to.
469 pub key: String,
470 /// operator represents a key's relationship to a set of values.
471 /// Valid operators are In, NotIn, Exists and DoesNotExist.
472 pub operator: String,
473 /// values is an array of string values. If the operator is In or NotIn,
474 /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
475 /// the values array must be empty. This array is replaced during a strategic
476 /// merge patch.
477 #[serde(default, skip_serializing_if = "Option::is_none")]
478 pub values: Option<Vec<String>>,
479}
480/// TLS is the TLS configuration for the Listener. This field is required if
481/// the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
482/// if the Protocol field is "HTTP", "TCP", or "UDP".
483///
484/// The association of SNIs to Certificate defined in GatewayTLSConfig is
485/// defined based on the Hostname field for this listener.
486///
487/// The GatewayClass MUST use the longest matching SNI out of all
488/// available certificates for any TLS handshake.
489///
490/// Support: Core
491#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
492pub struct GatewayListenersTls {
493 /// CertificateRefs contains a series of references to Kubernetes objects that
494 /// contains TLS certificates and private keys. These certificates are used to
495 /// establish a TLS handshake for requests that match the hostname of the
496 /// associated listener.
497 ///
498 /// A single CertificateRef to a Kubernetes Secret has "Core" support.
499 /// Implementations MAY choose to support attaching multiple certificates to
500 /// a Listener, but this behavior is implementation-specific.
501 ///
502 /// References to a resource in different namespace are invalid UNLESS there
503 /// is a ReferenceGrant in the target namespace that allows the certificate
504 /// to be attached. If a ReferenceGrant does not allow this reference, the
505 /// "ResolvedRefs" condition MUST be set to False for this listener with the
506 /// "RefNotPermitted" reason.
507 ///
508 /// This field is required to have at least one element when the mode is set
509 /// to "Terminate" (default) and is optional otherwise.
510 ///
511 /// CertificateRefs can reference to standard Kubernetes resources, i.e.
512 /// Secret, or implementation-specific custom resources.
513 ///
514 /// Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
515 ///
516 /// Support: Implementation-specific (More than one reference or other resource types)
517 #[serde(
518 default,
519 skip_serializing_if = "Option::is_none",
520 rename = "certificateRefs"
521 )]
522 pub certificate_refs: Option<Vec<BackendTlsClientCertificateReference>>,
523 /// FrontendValidation holds configuration information for validating the frontend (client).
524 /// Setting this field will require clients to send a client certificate
525 /// required for validation during the TLS handshake. In browsers this may result in a dialog appearing
526 /// that requests a user to specify the client certificate.
527 /// The maximum depth of a certificate chain accepted in verification is Implementation specific.
528 ///
529 /// Support: Extended
530 ///
531 ///
532 #[serde(
533 default,
534 skip_serializing_if = "Option::is_none",
535 rename = "frontendValidation"
536 )]
537 pub frontend_validation: Option<GatewayListenersTlsFrontendValidation>,
538 /// Mode defines the TLS behavior for the TLS session initiated by the client.
539 /// There are two possible modes:
540 ///
541 /// - Terminate: The TLS session between the downstream client and the
542 /// Gateway is terminated at the Gateway. This mode requires certificates
543 /// to be specified in some way, such as populating the certificateRefs
544 /// field.
545 /// - Passthrough: The TLS session is NOT terminated by the Gateway. This
546 /// implies that the Gateway can't decipher the TLS stream except for
547 /// the ClientHello message of the TLS protocol. The certificateRefs field
548 /// is ignored in this mode.
549 ///
550 /// Support: Core
551 #[serde(default, skip_serializing_if = "Option::is_none")]
552 pub mode: Option<GatewayListenersTlsMode>,
553 /// Options are a list of key/value pairs to enable extended TLS
554 /// configuration for each implementation. For example, configuring the
555 /// minimum TLS version or supported cipher suites.
556 ///
557 /// A set of common keys MAY be defined by the API in the future. To avoid
558 /// any ambiguity, implementation-specific definitions MUST use
559 /// domain-prefixed names, such as `example.com/my-custom-option`.
560 /// Un-prefixed names are reserved for key names defined by Gateway API.
561 ///
562 /// Support: Implementation-specific
563 #[serde(default, skip_serializing_if = "Option::is_none")]
564 pub options: Option<BTreeMap<String, String>>,
565}
566/// FrontendValidation holds configuration information for validating the frontend (client).
567/// Setting this field will require clients to send a client certificate
568/// required for validation during the TLS handshake. In browsers this may result in a dialog appearing
569/// that requests a user to specify the client certificate.
570/// The maximum depth of a certificate chain accepted in verification is Implementation specific.
571///
572/// Support: Extended
573///
574///
575#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
576pub struct GatewayListenersTlsFrontendValidation {
577 /// CACertificateRefs contains one or more references to
578 /// Kubernetes objects that contain TLS certificates of
579 /// the Certificate Authorities that can be used
580 /// as a trust anchor to validate the certificates presented by the client.
581 ///
582 /// A single CA certificate reference to a Kubernetes ConfigMap
583 /// has "Core" support.
584 /// Implementations MAY choose to support attaching multiple CA certificates to
585 /// a Listener, but this behavior is implementation-specific.
586 ///
587 /// Support: Core - A single reference to a Kubernetes ConfigMap
588 /// with the CA certificate in a key named `ca.crt`.
589 ///
590 /// Support: Implementation-specific (More than one reference, or other kinds
591 /// of resources).
592 ///
593 /// References to a resource in a different namespace are invalid UNLESS there
594 /// is a ReferenceGrant in the target namespace that allows the certificate
595 /// to be attached. If a ReferenceGrant does not allow this reference, the
596 /// "ResolvedRefs" condition MUST be set to False for this listener with the
597 /// "RefNotPermitted" reason.
598 #[serde(
599 default,
600 skip_serializing_if = "Option::is_none",
601 rename = "caCertificateRefs"
602 )]
603 pub ca_certificate_refs: Option<Vec<ParametersReference>>,
604}
605/// TLS is the TLS configuration for the Listener. This field is required if
606/// the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
607/// if the Protocol field is "HTTP", "TCP", or "UDP".
608///
609/// The association of SNIs to Certificate defined in GatewayTLSConfig is
610/// defined based on the Hostname field for this listener.
611///
612/// The GatewayClass MUST use the longest matching SNI out of all
613/// available certificates for any TLS handshake.
614///
615/// Support: Core
616#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, PartialEq)]
617pub enum GatewayListenersTlsMode {
618 Terminate,
619 Passthrough,
620}
621/// Status defines the current state of Gateway.
622#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
623pub struct GatewayStatus {
624 /// Addresses lists the network addresses that have been bound to the
625 /// Gateway.
626 ///
627 /// This list may differ from the addresses provided in the spec under some
628 /// conditions:
629 ///
630 /// * no addresses are specified, all addresses are dynamically assigned
631 /// * a combination of specified and dynamic addresses are assigned
632 /// * a specified address was unusable (e.g. already in use)
633 ///
634 ///
635 #[serde(default, skip_serializing_if = "Option::is_none")]
636 pub addresses: Option<Vec<GatewayAddress>>,
637 /// Conditions describe the current conditions of the Gateway.
638 ///
639 /// Implementations should prefer to express Gateway conditions
640 /// using the `GatewayConditionType` and `GatewayConditionReason`
641 /// constants so that operators and tools can converge on a common
642 /// vocabulary to describe Gateway state.
643 ///
644 /// Known condition types are:
645 ///
646 /// * "Accepted"
647 /// * "Programmed"
648 /// * "Ready"
649 #[serde(default, skip_serializing_if = "Option::is_none")]
650 pub conditions: Option<Vec<Condition>>,
651 /// Listeners provide status for each unique listener port defined in the Spec.
652 #[serde(default, skip_serializing_if = "Option::is_none")]
653 pub listeners: Option<Vec<GatewayStatusListeners>>,
654}
655/// ListenerStatus is the status associated with a Listener.
656#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
657pub struct GatewayStatusListeners {
658 /// AttachedRoutes represents the total number of Routes that have been
659 /// successfully attached to this Listener.
660 ///
661 /// Successful attachment of a Route to a Listener is based solely on the
662 /// combination of the AllowedRoutes field on the corresponding Listener
663 /// and the Route's ParentRefs field. A Route is successfully attached to
664 /// a Listener when it is selected by the Listener's AllowedRoutes field
665 /// AND the Route has a valid ParentRef selecting the whole Gateway
666 /// resource or a specific Listener as a parent resource (more detail on
667 /// attachment semantics can be found in the documentation on the various
668 /// Route kinds ParentRefs fields). Listener or Route status does not impact
669 /// successful attachment, i.e. the AttachedRoutes field count MUST be set
670 /// for Listeners with condition Accepted: false and MUST count successfully
671 /// attached Routes that may themselves have Accepted: false conditions.
672 ///
673 /// Uses for this field include troubleshooting Route attachment and
674 /// measuring blast radius/impact of changes to a Listener.
675 #[serde(rename = "attachedRoutes")]
676 pub attached_routes: i32,
677 /// Conditions describe the current condition of this listener.
678 pub conditions: Vec<Condition>,
679 /// Name is the name of the Listener that this status corresponds to.
680 pub name: String,
681 /// SupportedKinds is the list indicating the Kinds supported by this
682 /// listener. This MUST represent the kinds an implementation supports for
683 /// that Listener configuration.
684 ///
685 /// If kinds are specified in Spec that are not supported, they MUST NOT
686 /// appear in this list and an implementation MUST set the "ResolvedRefs"
687 /// condition to "False" with the "InvalidRouteKinds" reason. If both valid
688 /// and invalid Route kinds are specified, the implementation MUST
689 /// reference the valid Route kinds that have been specified.
690 #[serde(rename = "supportedKinds")]
691 pub supported_kinds: Vec<Kind>,
692}