gateway_api/apis/standard/gateways.rs
1// WARNING: generated by kopium - manual changes will be overwritten
2// kopium command: kopium --schema=derived --derive=JsonSchema --derive=Default --derive=PartialEq --docs -f -
3// kopium version: 0.21.2
4
5#[allow(unused_imports)]
6mod prelude {
7 pub use k8s_openapi::apimachinery::pkg::apis::meta::v1::Condition;
8 pub use kube::CustomResource;
9 pub use schemars::JsonSchema;
10 pub use serde::{Deserialize, Serialize};
11 pub use std::collections::BTreeMap;
12}
13use self::prelude::*;
14
15/// Spec defines the desired state of Gateway.
16#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
17#[kube(
18 group = "gateway.networking.k8s.io",
19 version = "v1",
20 kind = "Gateway",
21 plural = "gateways"
22)]
23#[kube(namespaced)]
24#[kube(status = "GatewayStatus")]
25#[kube(derive = "Default")]
26#[kube(derive = "PartialEq")]
27pub struct GatewaySpec {
28 /// Addresses requested for this Gateway. This is optional and behavior can
29 /// depend on the implementation. If a value is set in the spec and the
30 /// requested address is invalid or unavailable, the implementation MUST
31 /// indicate this in an associated entry in GatewayStatus.Conditions.
32 ///
33 /// The Addresses field represents a request for the address(es) on the
34 /// "outside of the Gateway", that traffic bound for this Gateway will use.
35 /// This could be the IP address or hostname of an external load balancer or
36 /// other networking infrastructure, or some other address that traffic will
37 /// be sent to.
38 ///
39 /// If no Addresses are specified, the implementation MAY schedule the
40 /// Gateway in an implementation-specific manner, assigning an appropriate
41 /// set of Addresses.
42 ///
43 /// The implementation MUST bind all Listeners to every GatewayAddress that
44 /// it assigns to the Gateway and add a corresponding entry in
45 /// GatewayStatus.Addresses.
46 ///
47 /// Support: Extended
48 #[serde(default, skip_serializing_if = "Option::is_none")]
49 pub addresses: Option<Vec<GatewayAddresses>>,
50 /// GatewayClassName used for this Gateway. This is the name of a
51 /// GatewayClass resource.
52 #[serde(rename = "gatewayClassName")]
53 pub gateway_class_name: String,
54 /// Infrastructure defines infrastructure level attributes about this Gateway instance.
55 ///
56 /// Support: Extended
57 #[serde(default, skip_serializing_if = "Option::is_none")]
58 pub infrastructure: Option<GatewayInfrastructure>,
59 /// Listeners associated with this Gateway. Listeners define
60 /// logical endpoints that are bound on this Gateway's addresses.
61 /// At least one Listener MUST be specified.
62 ///
63 /// ## Distinct Listeners
64 ///
65 /// Each Listener in a set of Listeners (for example, in a single Gateway)
66 /// MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
67 /// exactly one listener. (This section uses "set of Listeners" rather than
68 /// "Listeners in a single Gateway" because implementations MAY merge configuration
69 /// from multiple Gateways onto a single data plane, and these rules _also_
70 /// apply in that case).
71 ///
72 /// Practically, this means that each listener in a set MUST have a unique
73 /// combination of Port, Protocol, and, if supported by the protocol, Hostname.
74 ///
75 /// Some combinations of port, protocol, and TLS settings are considered
76 /// Core support and MUST be supported by implementations based on the objects
77 /// they support:
78 ///
79 /// HTTPRoute
80 ///
81 /// 1. HTTPRoute, Port: 80, Protocol: HTTP
82 /// 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
83 ///
84 /// TLSRoute
85 ///
86 /// 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
87 ///
88 /// "Distinct" Listeners have the following property:
89 ///
90 /// **The implementation can match inbound requests to a single distinct
91 /// Listener**.
92 ///
93 /// When multiple Listeners share values for fields (for
94 /// example, two Listeners with the same Port value), the implementation
95 /// can match requests to only one of the Listeners using other
96 /// Listener fields.
97 ///
98 /// When multiple listeners have the same value for the Protocol field, then
99 /// each of the Listeners with matching Protocol values MUST have different
100 /// values for other fields.
101 ///
102 /// The set of fields that MUST be different for a Listener differs per protocol.
103 /// The following rules define the rules for what fields MUST be considered for
104 /// Listeners to be distinct with each protocol currently defined in the
105 /// Gateway API spec.
106 ///
107 /// The set of listeners that all share a protocol value MUST have _different_
108 /// values for _at least one_ of these fields to be distinct:
109 ///
110 /// * **HTTP, HTTPS, TLS**: Port, Hostname
111 /// * **TCP, UDP**: Port
112 ///
113 /// One **very** important rule to call out involves what happens when an
114 /// implementation:
115 ///
116 /// * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
117 /// Listeners, and
118 /// * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
119 /// Protocol.
120 ///
121 /// In this case all the Listeners that share a port with the
122 /// TCP Listener are not distinct and so MUST NOT be accepted.
123 ///
124 /// If an implementation does not support TCP Protocol Listeners, then the
125 /// previous rule does not apply, and the TCP Listeners SHOULD NOT be
126 /// accepted.
127 ///
128 /// Note that the `tls` field is not used for determining if a listener is distinct, because
129 /// Listeners that _only_ differ on TLS config will still conflict in all cases.
130 ///
131 /// ### Listeners that are distinct only by Hostname
132 ///
133 /// When the Listeners are distinct based only on Hostname, inbound request
134 /// hostnames MUST match from the most specific to least specific Hostname
135 /// values to choose the correct Listener and its associated set of Routes.
136 ///
137 /// Exact matches MUST be processed before wildcard matches, and wildcard
138 /// matches MUST be processed before fallback (empty Hostname value)
139 /// matches. For example, `"foo.example.com"` takes precedence over
140 /// `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
141 ///
142 /// Additionally, if there are multiple wildcard entries, more specific
143 /// wildcard entries must be processed before less specific wildcard entries.
144 /// For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
145 ///
146 /// The precise definition here is that the higher the number of dots in the
147 /// hostname to the right of the wildcard character, the higher the precedence.
148 ///
149 /// The wildcard character will match any number of characters _and dots_ to
150 /// the left, however, so `"*.example.com"` will match both
151 /// `"foo.bar.example.com"` _and_ `"bar.example.com"`.
152 ///
153 /// ## Handling indistinct Listeners
154 ///
155 /// If a set of Listeners contains Listeners that are not distinct, then those
156 /// Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
157 /// condition in the Listener Status to "True".
158 ///
159 /// The words "indistinct" and "conflicted" are considered equivalent for the
160 /// purpose of this documentation.
161 ///
162 /// Implementations MAY choose to accept a Gateway with some Conflicted
163 /// Listeners only if they only accept the partial Listener set that contains
164 /// no Conflicted Listeners.
165 ///
166 /// Specifically, an implementation MAY accept a partial Listener set subject to
167 /// the following rules:
168 ///
169 /// * The implementation MUST NOT pick one conflicting Listener as the winner.
170 /// ALL indistinct Listeners must not be accepted for processing.
171 /// * At least one distinct Listener MUST be present, or else the Gateway effectively
172 /// contains _no_ Listeners, and must be rejected from processing as a whole.
173 ///
174 /// The implementation MUST set a "ListenersNotValid" condition on the
175 /// Gateway Status when the Gateway contains Conflicted Listeners whether or
176 /// not they accept the Gateway. That Condition SHOULD clearly
177 /// indicate in the Message which Listeners are conflicted, and which are
178 /// Accepted. Additionally, the Listener status for those listeners SHOULD
179 /// indicate which Listeners are conflicted and not Accepted.
180 ///
181 /// ## General Listener behavior
182 ///
183 /// Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
184 /// For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
185 /// request to "foo.example.com" SHOULD only be routed using routes attached
186 /// to the "foo.example.com" Listener (and not the "*.example.com" Listener).
187 ///
188 /// This concept is known as "Listener Isolation", and it is an Extended feature
189 /// of Gateway API. Implementations that do not support Listener Isolation MUST
190 /// clearly document this, and MUST NOT claim support for the
191 /// `GatewayHTTPListenerIsolation` feature.
192 ///
193 /// Implementations that _do_ support Listener Isolation SHOULD claim support
194 /// for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
195 /// conformance tests.
196 ///
197 /// ## Compatible Listeners
198 ///
199 /// A Gateway's Listeners are considered _compatible_ if:
200 ///
201 /// 1. They are distinct.
202 /// 2. The implementation can serve them in compliance with the Addresses
203 /// requirement that all Listeners are available on all assigned
204 /// addresses.
205 ///
206 /// Compatible combinations in Extended support are expected to vary across
207 /// implementations. A combination that is compatible for one implementation
208 /// may not be compatible for another.
209 ///
210 /// For example, an implementation that cannot serve both TCP and UDP listeners
211 /// on the same address, or cannot mix HTTPS and generic TLS listens on the same port
212 /// would not consider those cases compatible, even though they are distinct.
213 ///
214 /// Implementations MAY merge separate Gateways onto a single set of
215 /// Addresses if all Listeners across all Gateways are compatible.
216 ///
217 /// In a future release the MinItems=1 requirement MAY be dropped.
218 ///
219 /// Support: Core
220 pub listeners: Vec<GatewayListeners>,
221}
222
223/// GatewaySpecAddress describes an address that can be bound to a Gateway.
224#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
225pub struct GatewayAddresses {
226 /// Type of the address.
227 #[serde(default, skip_serializing_if = "Option::is_none", rename = "type")]
228 pub r#type: Option<String>,
229 /// When a value is unspecified, an implementation SHOULD automatically
230 /// assign an address matching the requested type if possible.
231 ///
232 /// If an implementation does not support an empty value, they MUST set the
233 /// "Programmed" condition in status to False with a reason of "AddressNotAssigned".
234 ///
235 /// Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
236 #[serde(default, skip_serializing_if = "Option::is_none")]
237 pub value: Option<String>,
238}
239
240/// Infrastructure defines infrastructure level attributes about this Gateway instance.
241///
242/// Support: Extended
243#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
244pub struct GatewayInfrastructure {
245 /// Annotations that SHOULD be applied to any resources created in response to this Gateway.
246 ///
247 /// For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
248 /// For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
249 ///
250 /// An implementation may chose to add additional implementation-specific annotations as they see fit.
251 ///
252 /// Support: Extended
253 #[serde(default, skip_serializing_if = "Option::is_none")]
254 pub annotations: Option<BTreeMap<String, String>>,
255 /// Labels that SHOULD be applied to any resources created in response to this Gateway.
256 ///
257 /// For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
258 /// For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
259 ///
260 /// An implementation may chose to add additional implementation-specific labels as they see fit.
261 ///
262 /// If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
263 /// change, it SHOULD clearly warn about this behavior in documentation.
264 ///
265 /// Support: Extended
266 #[serde(default, skip_serializing_if = "Option::is_none")]
267 pub labels: Option<BTreeMap<String, String>>,
268 /// ParametersRef is a reference to a resource that contains the configuration
269 /// parameters corresponding to the Gateway. This is optional if the
270 /// controller does not require any additional configuration.
271 ///
272 /// This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
273 ///
274 /// The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
275 /// the merging behavior is implementation specific.
276 /// It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
277 ///
278 /// If the referent cannot be found, refers to an unsupported kind, or when
279 /// the data within that resource is malformed, the Gateway SHOULD be
280 /// rejected with the "Accepted" status condition set to "False" and an
281 /// "InvalidParameters" reason.
282 ///
283 /// Support: Implementation-specific
284 #[serde(
285 default,
286 skip_serializing_if = "Option::is_none",
287 rename = "parametersRef"
288 )]
289 pub parameters_ref: Option<GatewayInfrastructureParametersRef>,
290}
291
292/// ParametersRef is a reference to a resource that contains the configuration
293/// parameters corresponding to the Gateway. This is optional if the
294/// controller does not require any additional configuration.
295///
296/// This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
297///
298/// The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
299/// the merging behavior is implementation specific.
300/// It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
301///
302/// If the referent cannot be found, refers to an unsupported kind, or when
303/// the data within that resource is malformed, the Gateway SHOULD be
304/// rejected with the "Accepted" status condition set to "False" and an
305/// "InvalidParameters" reason.
306///
307/// Support: Implementation-specific
308#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
309pub struct GatewayInfrastructureParametersRef {
310 /// Group is the group of the referent.
311 pub group: String,
312 /// Kind is kind of the referent.
313 pub kind: String,
314 /// Name is the name of the referent.
315 pub name: String,
316}
317
318/// Listener embodies the concept of a logical endpoint where a Gateway accepts
319/// network connections.
320#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
321pub struct GatewayListeners {
322 /// AllowedRoutes defines the types of routes that MAY be attached to a
323 /// Listener and the trusted namespaces where those Route resources MAY be
324 /// present.
325 ///
326 /// Although a client request may match multiple route rules, only one rule
327 /// may ultimately receive the request. Matching precedence MUST be
328 /// determined in order of the following criteria:
329 ///
330 /// * The most specific match as defined by the Route type.
331 /// * The oldest Route based on creation timestamp. For example, a Route with
332 /// a creation timestamp of "2020-09-08 01:02:03" is given precedence over
333 /// a Route with a creation timestamp of "2020-09-08 01:02:04".
334 /// * If everything else is equivalent, the Route appearing first in
335 /// alphabetical order (namespace/name) should be given precedence. For
336 /// example, foo/bar is given precedence over foo/baz.
337 ///
338 /// All valid rules within a Route attached to this Listener should be
339 /// implemented. Invalid Route rules can be ignored (sometimes that will mean
340 /// the full Route). If a Route rule transitions from valid to invalid,
341 /// support for that Route rule should be dropped to ensure consistency. For
342 /// example, even if a filter specified by a Route rule is invalid, the rest
343 /// of the rules within that Route should still be supported.
344 ///
345 /// Support: Core
346 #[serde(
347 default,
348 skip_serializing_if = "Option::is_none",
349 rename = "allowedRoutes"
350 )]
351 pub allowed_routes: Option<GatewayListenersAllowedRoutes>,
352 /// Hostname specifies the virtual hostname to match for protocol types that
353 /// define this concept. When unspecified, all hostnames are matched. This
354 /// field is ignored for protocols that don't require hostname based
355 /// matching.
356 ///
357 /// Implementations MUST apply Hostname matching appropriately for each of
358 /// the following protocols:
359 ///
360 /// * TLS: The Listener Hostname MUST match the SNI.
361 /// * HTTP: The Listener Hostname MUST match the Host header of the request.
362 /// * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
363 /// Note that this does not require the SNI and Host header to be the same.
364 /// The semantics of this are described in more detail below.
365 ///
366 /// To ensure security, Section 11.1 of RFC-6066 emphasizes that server
367 /// implementations that rely on SNI hostname matching MUST also verify
368 /// hostnames within the application protocol.
369 ///
370 /// Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
371 /// reuse of a connection by responding with the HTTP 421 Misdirected Request
372 /// status code. This indicates that the origin server has rejected the
373 /// request because it appears to have been misdirected.
374 ///
375 /// To detect misdirected requests, Gateways SHOULD match the authority of
376 /// the requests with all the SNI hostname(s) configured across all the
377 /// Gateway Listeners on the same port and protocol:
378 ///
379 /// * If another Listener has an exact match or more specific wildcard entry,
380 /// the Gateway SHOULD return a 421.
381 /// * If the current Listener (selected by SNI matching during ClientHello)
382 /// does not match the Host:
383 /// * If another Listener does match the Host the Gateway SHOULD return a
384 /// 421.
385 /// * If no other Listener matches the Host, the Gateway MUST return a
386 /// 404.
387 ///
388 /// For HTTPRoute and TLSRoute resources, there is an interaction with the
389 /// `spec.hostnames` array. When both listener and route specify hostnames,
390 /// there MUST be an intersection between the values for a Route to be
391 /// accepted. For more information, refer to the Route specific Hostnames
392 /// documentation.
393 ///
394 /// Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
395 /// as a suffix match. That means that a match for `*.example.com` would match
396 /// both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
397 ///
398 /// Support: Core
399 #[serde(default, skip_serializing_if = "Option::is_none")]
400 pub hostname: Option<String>,
401 /// Name is the name of the Listener. This name MUST be unique within a
402 /// Gateway.
403 ///
404 /// Support: Core
405 pub name: String,
406 /// Port is the network port. Multiple listeners may use the
407 /// same port, subject to the Listener compatibility rules.
408 ///
409 /// Support: Core
410 pub port: i32,
411 /// Protocol specifies the network protocol this listener expects to receive.
412 ///
413 /// Support: Core
414 pub protocol: String,
415 /// TLS is the TLS configuration for the Listener. This field is required if
416 /// the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
417 /// if the Protocol field is "HTTP", "TCP", or "UDP".
418 ///
419 /// The association of SNIs to Certificate defined in ListenerTLSConfig is
420 /// defined based on the Hostname field for this listener.
421 ///
422 /// The GatewayClass MUST use the longest matching SNI out of all
423 /// available certificates for any TLS handshake.
424 ///
425 /// Support: Core
426 #[serde(default, skip_serializing_if = "Option::is_none")]
427 pub tls: Option<GatewayListenersTls>,
428}
429
430/// AllowedRoutes defines the types of routes that MAY be attached to a
431/// Listener and the trusted namespaces where those Route resources MAY be
432/// present.
433///
434/// Although a client request may match multiple route rules, only one rule
435/// may ultimately receive the request. Matching precedence MUST be
436/// determined in order of the following criteria:
437///
438/// * The most specific match as defined by the Route type.
439/// * The oldest Route based on creation timestamp. For example, a Route with
440/// a creation timestamp of "2020-09-08 01:02:03" is given precedence over
441/// a Route with a creation timestamp of "2020-09-08 01:02:04".
442/// * If everything else is equivalent, the Route appearing first in
443/// alphabetical order (namespace/name) should be given precedence. For
444/// example, foo/bar is given precedence over foo/baz.
445///
446/// All valid rules within a Route attached to this Listener should be
447/// implemented. Invalid Route rules can be ignored (sometimes that will mean
448/// the full Route). If a Route rule transitions from valid to invalid,
449/// support for that Route rule should be dropped to ensure consistency. For
450/// example, even if a filter specified by a Route rule is invalid, the rest
451/// of the rules within that Route should still be supported.
452///
453/// Support: Core
454#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
455pub struct GatewayListenersAllowedRoutes {
456 /// Kinds specifies the groups and kinds of Routes that are allowed to bind
457 /// to this Gateway Listener. When unspecified or empty, the kinds of Routes
458 /// selected are determined using the Listener protocol.
459 ///
460 /// A RouteGroupKind MUST correspond to kinds of Routes that are compatible
461 /// with the application protocol specified in the Listener's Protocol field.
462 /// If an implementation does not support or recognize this resource type, it
463 /// MUST set the "ResolvedRefs" condition to False for this Listener with the
464 /// "InvalidRouteKinds" reason.
465 ///
466 /// Support: Core
467 #[serde(default, skip_serializing_if = "Option::is_none")]
468 pub kinds: Option<Vec<GatewayListenersAllowedRoutesKinds>>,
469 /// Namespaces indicates namespaces from which Routes may be attached to this
470 /// Listener. This is restricted to the namespace of this Gateway by default.
471 ///
472 /// Support: Core
473 #[serde(default, skip_serializing_if = "Option::is_none")]
474 pub namespaces: Option<GatewayListenersAllowedRoutesNamespaces>,
475}
476
477/// RouteGroupKind indicates the group and kind of a Route resource.
478#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
479pub struct GatewayListenersAllowedRoutesKinds {
480 /// Group is the group of the Route.
481 #[serde(default, skip_serializing_if = "Option::is_none")]
482 pub group: Option<String>,
483 /// Kind is the kind of the Route.
484 pub kind: String,
485}
486
487/// Namespaces indicates namespaces from which Routes may be attached to this
488/// Listener. This is restricted to the namespace of this Gateway by default.
489///
490/// Support: Core
491#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
492pub struct GatewayListenersAllowedRoutesNamespaces {
493 /// From indicates where Routes will be selected for this Gateway. Possible
494 /// values are:
495 ///
496 /// * All: Routes in all namespaces may be used by this Gateway.
497 /// * Selector: Routes in namespaces selected by the selector may be used by
498 /// this Gateway.
499 /// * Same: Only Routes in the same namespace may be used by this Gateway.
500 ///
501 /// Support: Core
502 #[serde(default, skip_serializing_if = "Option::is_none")]
503 pub from: Option<GatewayListenersAllowedRoutesNamespacesFrom>,
504 /// Selector must be specified when From is set to "Selector". In that case,
505 /// only Routes in Namespaces matching this Selector will be selected by this
506 /// Gateway. This field is ignored for other values of "From".
507 ///
508 /// Support: Core
509 #[serde(default, skip_serializing_if = "Option::is_none")]
510 pub selector: Option<GatewayListenersAllowedRoutesNamespacesSelector>,
511}
512
513/// Namespaces indicates namespaces from which Routes may be attached to this
514/// Listener. This is restricted to the namespace of this Gateway by default.
515///
516/// Support: Core
517#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, PartialEq)]
518pub enum GatewayListenersAllowedRoutesNamespacesFrom {
519 All,
520 Selector,
521 Same,
522}
523
524/// Selector must be specified when From is set to "Selector". In that case,
525/// only Routes in Namespaces matching this Selector will be selected by this
526/// Gateway. This field is ignored for other values of "From".
527///
528/// Support: Core
529#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
530pub struct GatewayListenersAllowedRoutesNamespacesSelector {
531 /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
532 #[serde(
533 default,
534 skip_serializing_if = "Option::is_none",
535 rename = "matchExpressions"
536 )]
537 pub match_expressions:
538 Option<Vec<GatewayListenersAllowedRoutesNamespacesSelectorMatchExpressions>>,
539 /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
540 /// map is equivalent to an element of matchExpressions, whose key field is "key", the
541 /// operator is "In", and the values array contains only "value". The requirements are ANDed.
542 #[serde(
543 default,
544 skip_serializing_if = "Option::is_none",
545 rename = "matchLabels"
546 )]
547 pub match_labels: Option<BTreeMap<String, String>>,
548}
549
550/// A label selector requirement is a selector that contains values, a key, and an operator that
551/// relates the key and values.
552#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
553pub struct GatewayListenersAllowedRoutesNamespacesSelectorMatchExpressions {
554 /// key is the label key that the selector applies to.
555 pub key: String,
556 /// operator represents a key's relationship to a set of values.
557 /// Valid operators are In, NotIn, Exists and DoesNotExist.
558 pub operator: String,
559 /// values is an array of string values. If the operator is In or NotIn,
560 /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
561 /// the values array must be empty. This array is replaced during a strategic
562 /// merge patch.
563 #[serde(default, skip_serializing_if = "Option::is_none")]
564 pub values: Option<Vec<String>>,
565}
566
567/// TLS is the TLS configuration for the Listener. This field is required if
568/// the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
569/// if the Protocol field is "HTTP", "TCP", or "UDP".
570///
571/// The association of SNIs to Certificate defined in ListenerTLSConfig is
572/// defined based on the Hostname field for this listener.
573///
574/// The GatewayClass MUST use the longest matching SNI out of all
575/// available certificates for any TLS handshake.
576///
577/// Support: Core
578#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
579pub struct GatewayListenersTls {
580 /// CertificateRefs contains a series of references to Kubernetes objects that
581 /// contains TLS certificates and private keys. These certificates are used to
582 /// establish a TLS handshake for requests that match the hostname of the
583 /// associated listener.
584 ///
585 /// A single CertificateRef to a Kubernetes Secret has "Core" support.
586 /// Implementations MAY choose to support attaching multiple certificates to
587 /// a Listener, but this behavior is implementation-specific.
588 ///
589 /// References to a resource in different namespace are invalid UNLESS there
590 /// is a ReferenceGrant in the target namespace that allows the certificate
591 /// to be attached. If a ReferenceGrant does not allow this reference, the
592 /// "ResolvedRefs" condition MUST be set to False for this listener with the
593 /// "RefNotPermitted" reason.
594 ///
595 /// This field is required to have at least one element when the mode is set
596 /// to "Terminate" (default) and is optional otherwise.
597 ///
598 /// CertificateRefs can reference to standard Kubernetes resources, i.e.
599 /// Secret, or implementation-specific custom resources.
600 ///
601 /// Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
602 ///
603 /// Support: Implementation-specific (More than one reference or other resource types)
604 #[serde(
605 default,
606 skip_serializing_if = "Option::is_none",
607 rename = "certificateRefs"
608 )]
609 pub certificate_refs: Option<Vec<GatewayListenersTlsCertificateRefs>>,
610 /// Mode defines the TLS behavior for the TLS session initiated by the client.
611 /// There are two possible modes:
612 ///
613 /// - Terminate: The TLS session between the downstream client and the
614 /// Gateway is terminated at the Gateway. This mode requires certificates
615 /// to be specified in some way, such as populating the certificateRefs
616 /// field.
617 /// - Passthrough: The TLS session is NOT terminated by the Gateway. This
618 /// implies that the Gateway can't decipher the TLS stream except for
619 /// the ClientHello message of the TLS protocol. The certificateRefs field
620 /// is ignored in this mode.
621 ///
622 /// Support: Core
623 #[serde(default, skip_serializing_if = "Option::is_none")]
624 pub mode: Option<GatewayListenersTlsMode>,
625 /// Options are a list of key/value pairs to enable extended TLS
626 /// configuration for each implementation. For example, configuring the
627 /// minimum TLS version or supported cipher suites.
628 ///
629 /// A set of common keys MAY be defined by the API in the future. To avoid
630 /// any ambiguity, implementation-specific definitions MUST use
631 /// domain-prefixed names, such as `example.com/my-custom-option`.
632 /// Un-prefixed names are reserved for key names defined by Gateway API.
633 ///
634 /// Support: Implementation-specific
635 #[serde(default, skip_serializing_if = "Option::is_none")]
636 pub options: Option<BTreeMap<String, String>>,
637}
638
639/// SecretObjectReference identifies an API object including its namespace,
640/// defaulting to Secret.
641///
642/// The API object must be valid in the cluster; the Group and Kind must
643/// be registered in the cluster for this reference to be valid.
644///
645/// References to objects with invalid Group and Kind are not valid, and must
646/// be rejected by the implementation, with appropriate Conditions set
647/// on the containing object.
648#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
649pub struct GatewayListenersTlsCertificateRefs {
650 /// Group is the group of the referent. For example, "gateway.networking.k8s.io".
651 /// When unspecified or empty string, core API group is inferred.
652 #[serde(default, skip_serializing_if = "Option::is_none")]
653 pub group: Option<String>,
654 /// Kind is kind of the referent. For example "Secret".
655 #[serde(default, skip_serializing_if = "Option::is_none")]
656 pub kind: Option<String>,
657 /// Name is the name of the referent.
658 pub name: String,
659 /// Namespace is the namespace of the referenced object. When unspecified, the local
660 /// namespace is inferred.
661 ///
662 /// Note that when a namespace different than the local namespace is specified,
663 /// a ReferenceGrant object is required in the referent namespace to allow that
664 /// namespace's owner to accept the reference. See the ReferenceGrant
665 /// documentation for details.
666 ///
667 /// Support: Core
668 #[serde(default, skip_serializing_if = "Option::is_none")]
669 pub namespace: Option<String>,
670}
671
672/// TLS is the TLS configuration for the Listener. This field is required if
673/// the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
674/// if the Protocol field is "HTTP", "TCP", or "UDP".
675///
676/// The association of SNIs to Certificate defined in ListenerTLSConfig is
677/// defined based on the Hostname field for this listener.
678///
679/// The GatewayClass MUST use the longest matching SNI out of all
680/// available certificates for any TLS handshake.
681///
682/// Support: Core
683#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, PartialEq)]
684pub enum GatewayListenersTlsMode {
685 Terminate,
686 Passthrough,
687}
688
689/// Status defines the current state of Gateway.
690#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
691pub struct GatewayStatus {
692 /// Addresses lists the network addresses that have been bound to the
693 /// Gateway.
694 ///
695 /// This list may differ from the addresses provided in the spec under some
696 /// conditions:
697 ///
698 /// * no addresses are specified, all addresses are dynamically assigned
699 /// * a combination of specified and dynamic addresses are assigned
700 /// * a specified address was unusable (e.g. already in use)
701 #[serde(default, skip_serializing_if = "Option::is_none")]
702 pub addresses: Option<Vec<GatewayStatusAddresses>>,
703 /// Conditions describe the current conditions of the Gateway.
704 ///
705 /// Implementations should prefer to express Gateway conditions
706 /// using the `GatewayConditionType` and `GatewayConditionReason`
707 /// constants so that operators and tools can converge on a common
708 /// vocabulary to describe Gateway state.
709 ///
710 /// Known condition types are:
711 ///
712 /// * "Accepted"
713 /// * "Programmed"
714 /// * "Ready"
715 #[serde(default, skip_serializing_if = "Option::is_none")]
716 pub conditions: Option<Vec<Condition>>,
717 /// Listeners provide status for each unique listener port defined in the Spec.
718 #[serde(default, skip_serializing_if = "Option::is_none")]
719 pub listeners: Option<Vec<GatewayStatusListeners>>,
720}
721
722/// GatewayStatusAddress describes a network address that is bound to a Gateway.
723#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
724pub struct GatewayStatusAddresses {
725 /// Type of the address.
726 #[serde(default, skip_serializing_if = "Option::is_none", rename = "type")]
727 pub r#type: Option<String>,
728 /// Value of the address. The validity of the values will depend
729 /// on the type and support by the controller.
730 ///
731 /// Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
732 pub value: String,
733}
734
735/// ListenerStatus is the status associated with a Listener.
736#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
737pub struct GatewayStatusListeners {
738 /// AttachedRoutes represents the total number of Routes that have been
739 /// successfully attached to this Listener.
740 ///
741 /// Successful attachment of a Route to a Listener is based solely on the
742 /// combination of the AllowedRoutes field on the corresponding Listener
743 /// and the Route's ParentRefs field. A Route is successfully attached to
744 /// a Listener when it is selected by the Listener's AllowedRoutes field
745 /// AND the Route has a valid ParentRef selecting the whole Gateway
746 /// resource or a specific Listener as a parent resource (more detail on
747 /// attachment semantics can be found in the documentation on the various
748 /// Route kinds ParentRefs fields). Listener or Route status does not impact
749 /// successful attachment, i.e. the AttachedRoutes field count MUST be set
750 /// for Listeners with condition Accepted: false and MUST count successfully
751 /// attached Routes that may themselves have Accepted: false conditions.
752 ///
753 /// Uses for this field include troubleshooting Route attachment and
754 /// measuring blast radius/impact of changes to a Listener.
755 #[serde(rename = "attachedRoutes")]
756 pub attached_routes: i32,
757 /// Conditions describe the current condition of this listener.
758 pub conditions: Vec<Condition>,
759 /// Name is the name of the Listener that this status corresponds to.
760 pub name: String,
761 /// SupportedKinds is the list indicating the Kinds supported by this
762 /// listener. This MUST represent the kinds an implementation supports for
763 /// that Listener configuration.
764 ///
765 /// If kinds are specified in Spec that are not supported, they MUST NOT
766 /// appear in this list and an implementation MUST set the "ResolvedRefs"
767 /// condition to "False" with the "InvalidRouteKinds" reason. If both valid
768 /// and invalid Route kinds are specified, the implementation MUST
769 /// reference the valid Route kinds that have been specified.
770 #[serde(rename = "supportedKinds")]
771 pub supported_kinds: Vec<GatewayStatusListenersSupportedKinds>,
772}
773
774/// RouteGroupKind indicates the group and kind of a Route resource.
775#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
776pub struct GatewayStatusListenersSupportedKinds {
777 /// Group is the group of the Route.
778 #[serde(default, skip_serializing_if = "Option::is_none")]
779 pub group: Option<String>,
780 /// Kind is the kind of the Route.
781 pub kind: String,
782}