gateway_api/apis/standard/gateways.rs
1// WARNING: generated by kopium - manual changes will be overwritten
2// kopium command: kopium --schema=derived --derive=JsonSchema --derive=Default --derive=PartialEq --docs -f -
3// kopium version: 0.21.2
4
5#[allow(unused_imports)]
6mod prelude {
7 pub use k8s_openapi::apimachinery::pkg::apis::meta::v1::Condition;
8 pub use kube::CustomResource;
9 pub use schemars::JsonSchema;
10 pub use serde::{Deserialize, Serialize};
11 pub use std::collections::BTreeMap;
12}
13use self::prelude::*;
14
15/// Spec defines the desired state of Gateway.
16#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
17#[kube(
18 group = "gateway.networking.k8s.io",
19 version = "v1",
20 kind = "Gateway",
21 plural = "gateways"
22)]
23#[kube(namespaced)]
24#[kube(status = "GatewayStatus")]
25#[kube(derive = "Default")]
26#[kube(derive = "PartialEq")]
27pub struct GatewaySpec {
28 /// Addresses requested for this Gateway. This is optional and behavior can
29 /// depend on the implementation. If a value is set in the spec and the
30 /// requested address is invalid or unavailable, the implementation MUST
31 /// indicate this in the associated entry in GatewayStatus.Addresses.
32 ///
33 /// The Addresses field represents a request for the address(es) on the
34 /// "outside of the Gateway", that traffic bound for this Gateway will use.
35 /// This could be the IP address or hostname of an external load balancer or
36 /// other networking infrastructure, or some other address that traffic will
37 /// be sent to.
38 ///
39 /// If no Addresses are specified, the implementation MAY schedule the
40 /// Gateway in an implementation-specific manner, assigning an appropriate
41 /// set of Addresses.
42 ///
43 /// The implementation MUST bind all Listeners to every GatewayAddress that
44 /// it assigns to the Gateway and add a corresponding entry in
45 /// GatewayStatus.Addresses.
46 ///
47 /// Support: Extended
48 ///
49 ///
50 #[serde(default, skip_serializing_if = "Option::is_none")]
51 pub addresses: Option<Vec<GatewayAddresses>>,
52 /// GatewayClassName used for this Gateway. This is the name of a
53 /// GatewayClass resource.
54 #[serde(rename = "gatewayClassName")]
55 pub gateway_class_name: String,
56 /// Infrastructure defines infrastructure level attributes about this Gateway instance.
57 ///
58 /// Support: Extended
59 #[serde(default, skip_serializing_if = "Option::is_none")]
60 pub infrastructure: Option<GatewayInfrastructure>,
61 /// Listeners associated with this Gateway. Listeners define
62 /// logical endpoints that are bound on this Gateway's addresses.
63 /// At least one Listener MUST be specified.
64 ///
65 /// Each Listener in a set of Listeners (for example, in a single Gateway)
66 /// MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
67 /// exactly one listener. (This section uses "set of Listeners" rather than
68 /// "Listeners in a single Gateway" because implementations MAY merge configuration
69 /// from multiple Gateways onto a single data plane, and these rules _also_
70 /// apply in that case).
71 ///
72 /// Practically, this means that each listener in a set MUST have a unique
73 /// combination of Port, Protocol, and, if supported by the protocol, Hostname.
74 ///
75 /// Some combinations of port, protocol, and TLS settings are considered
76 /// Core support and MUST be supported by implementations based on their
77 /// targeted conformance profile:
78 ///
79 /// HTTP Profile
80 ///
81 /// 1. HTTPRoute, Port: 80, Protocol: HTTP
82 /// 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
83 ///
84 /// TLS Profile
85 ///
86 /// 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
87 ///
88 /// "Distinct" Listeners have the following property:
89 ///
90 /// The implementation can match inbound requests to a single distinct
91 /// Listener. When multiple Listeners share values for fields (for
92 /// example, two Listeners with the same Port value), the implementation
93 /// can match requests to only one of the Listeners using other
94 /// Listener fields.
95 ///
96 /// For example, the following Listener scenarios are distinct:
97 ///
98 /// 1. Multiple Listeners with the same Port that all use the "HTTP"
99 /// Protocol that all have unique Hostname values.
100 /// 2. Multiple Listeners with the same Port that use either the "HTTPS" or
101 /// "TLS" Protocol that all have unique Hostname values.
102 /// 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener
103 /// with the same Protocol has the same Port value.
104 ///
105 /// Some fields in the Listener struct have possible values that affect
106 /// whether the Listener is distinct. Hostname is particularly relevant
107 /// for HTTP or HTTPS protocols.
108 ///
109 /// When using the Hostname value to select between same-Port, same-Protocol
110 /// Listeners, the Hostname value must be different on each Listener for the
111 /// Listener to be distinct.
112 ///
113 /// When the Listeners are distinct based on Hostname, inbound request
114 /// hostnames MUST match from the most specific to least specific Hostname
115 /// values to choose the correct Listener and its associated set of Routes.
116 ///
117 /// Exact matches must be processed before wildcard matches, and wildcard
118 /// matches must be processed before fallback (empty Hostname value)
119 /// matches. For example, `"foo.example.com"` takes precedence over
120 /// `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
121 ///
122 /// Additionally, if there are multiple wildcard entries, more specific
123 /// wildcard entries must be processed before less specific wildcard entries.
124 /// For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
125 /// The precise definition here is that the higher the number of dots in the
126 /// hostname to the right of the wildcard character, the higher the precedence.
127 ///
128 /// The wildcard character will match any number of characters _and dots_ to
129 /// the left, however, so `"*.example.com"` will match both
130 /// `"foo.bar.example.com"` _and_ `"bar.example.com"`.
131 ///
132 /// If a set of Listeners contains Listeners that are not distinct, then those
133 /// Listeners are Conflicted, and the implementation MUST set the "Conflicted"
134 /// condition in the Listener Status to "True".
135 ///
136 /// Implementations MAY choose to accept a Gateway with some Conflicted
137 /// Listeners only if they only accept the partial Listener set that contains
138 /// no Conflicted Listeners. To put this another way, implementations may
139 /// accept a partial Listener set only if they throw out *all* the conflicting
140 /// Listeners. No picking one of the conflicting listeners as the winner.
141 /// This also means that the Gateway must have at least one non-conflicting
142 /// Listener in this case, otherwise it violates the requirement that at
143 /// least one Listener must be present.
144 ///
145 /// The implementation MUST set a "ListenersNotValid" condition on the
146 /// Gateway Status when the Gateway contains Conflicted Listeners whether or
147 /// not they accept the Gateway. That Condition SHOULD clearly
148 /// indicate in the Message which Listeners are conflicted, and which are
149 /// Accepted. Additionally, the Listener status for those listeners SHOULD
150 /// indicate which Listeners are conflicted and not Accepted.
151 ///
152 /// A Gateway's Listeners are considered "compatible" if:
153 ///
154 /// 1. They are distinct.
155 /// 2. The implementation can serve them in compliance with the Addresses
156 /// requirement that all Listeners are available on all assigned
157 /// addresses.
158 ///
159 /// Compatible combinations in Extended support are expected to vary across
160 /// implementations. A combination that is compatible for one implementation
161 /// may not be compatible for another.
162 ///
163 /// For example, an implementation that cannot serve both TCP and UDP listeners
164 /// on the same address, or cannot mix HTTPS and generic TLS listens on the same port
165 /// would not consider those cases compatible, even though they are distinct.
166 ///
167 /// Note that requests SHOULD match at most one Listener. For example, if
168 /// Listeners are defined for "foo.example.com" and "*.example.com", a
169 /// request to "foo.example.com" SHOULD only be routed using routes attached
170 /// to the "foo.example.com" Listener (and not the "*.example.com" Listener).
171 /// This concept is known as "Listener Isolation". Implementations that do
172 /// not support Listener Isolation MUST clearly document this.
173 ///
174 /// Implementations MAY merge separate Gateways onto a single set of
175 /// Addresses if all Listeners across all Gateways are compatible.
176 ///
177 /// Support: Core
178 pub listeners: Vec<GatewayListeners>,
179}
180
181/// GatewayAddress describes an address that can be bound to a Gateway.
182#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
183pub struct GatewayAddresses {
184 /// Type of the address.
185 #[serde(default, skip_serializing_if = "Option::is_none", rename = "type")]
186 pub r#type: Option<String>,
187 /// Value of the address. The validity of the values will depend
188 /// on the type and support by the controller.
189 ///
190 /// Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
191 pub value: String,
192}
193
194/// Infrastructure defines infrastructure level attributes about this Gateway instance.
195///
196/// Support: Extended
197#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
198pub struct GatewayInfrastructure {
199 /// Annotations that SHOULD be applied to any resources created in response to this Gateway.
200 ///
201 /// For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
202 /// For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
203 ///
204 /// An implementation may chose to add additional implementation-specific annotations as they see fit.
205 ///
206 /// Support: Extended
207 #[serde(default, skip_serializing_if = "Option::is_none")]
208 pub annotations: Option<BTreeMap<String, String>>,
209 /// Labels that SHOULD be applied to any resources created in response to this Gateway.
210 ///
211 /// For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
212 /// For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
213 ///
214 /// An implementation may chose to add additional implementation-specific labels as they see fit.
215 ///
216 /// If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
217 /// change, it SHOULD clearly warn about this behavior in documentation.
218 ///
219 /// Support: Extended
220 #[serde(default, skip_serializing_if = "Option::is_none")]
221 pub labels: Option<BTreeMap<String, String>>,
222 /// ParametersRef is a reference to a resource that contains the configuration
223 /// parameters corresponding to the Gateway. This is optional if the
224 /// controller does not require any additional configuration.
225 ///
226 /// This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
227 ///
228 /// The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
229 /// the merging behavior is implementation specific.
230 /// It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
231 ///
232 /// Support: Implementation-specific
233 #[serde(
234 default,
235 skip_serializing_if = "Option::is_none",
236 rename = "parametersRef"
237 )]
238 pub parameters_ref: Option<GatewayInfrastructureParametersRef>,
239}
240
241/// ParametersRef is a reference to a resource that contains the configuration
242/// parameters corresponding to the Gateway. This is optional if the
243/// controller does not require any additional configuration.
244///
245/// This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
246///
247/// The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
248/// the merging behavior is implementation specific.
249/// It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
250///
251/// Support: Implementation-specific
252#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
253pub struct GatewayInfrastructureParametersRef {
254 /// Group is the group of the referent.
255 pub group: String,
256 /// Kind is kind of the referent.
257 pub kind: String,
258 /// Name is the name of the referent.
259 pub name: String,
260}
261
262/// Listener embodies the concept of a logical endpoint where a Gateway accepts
263/// network connections.
264#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
265pub struct GatewayListeners {
266 /// AllowedRoutes defines the types of routes that MAY be attached to a
267 /// Listener and the trusted namespaces where those Route resources MAY be
268 /// present.
269 ///
270 /// Although a client request may match multiple route rules, only one rule
271 /// may ultimately receive the request. Matching precedence MUST be
272 /// determined in order of the following criteria:
273 ///
274 /// * The most specific match as defined by the Route type.
275 /// * The oldest Route based on creation timestamp. For example, a Route with
276 /// a creation timestamp of "2020-09-08 01:02:03" is given precedence over
277 /// a Route with a creation timestamp of "2020-09-08 01:02:04".
278 /// * If everything else is equivalent, the Route appearing first in
279 /// alphabetical order (namespace/name) should be given precedence. For
280 /// example, foo/bar is given precedence over foo/baz.
281 ///
282 /// All valid rules within a Route attached to this Listener should be
283 /// implemented. Invalid Route rules can be ignored (sometimes that will mean
284 /// the full Route). If a Route rule transitions from valid to invalid,
285 /// support for that Route rule should be dropped to ensure consistency. For
286 /// example, even if a filter specified by a Route rule is invalid, the rest
287 /// of the rules within that Route should still be supported.
288 ///
289 /// Support: Core
290 #[serde(
291 default,
292 skip_serializing_if = "Option::is_none",
293 rename = "allowedRoutes"
294 )]
295 pub allowed_routes: Option<GatewayListenersAllowedRoutes>,
296 /// Hostname specifies the virtual hostname to match for protocol types that
297 /// define this concept. When unspecified, all hostnames are matched. This
298 /// field is ignored for protocols that don't require hostname based
299 /// matching.
300 ///
301 /// Implementations MUST apply Hostname matching appropriately for each of
302 /// the following protocols:
303 ///
304 /// * TLS: The Listener Hostname MUST match the SNI.
305 /// * HTTP: The Listener Hostname MUST match the Host header of the request.
306 /// * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
307 /// protocol layers as described above. If an implementation does not
308 /// ensure that both the SNI and Host header match the Listener hostname,
309 /// it MUST clearly document that.
310 ///
311 /// For HTTPRoute and TLSRoute resources, there is an interaction with the
312 /// `spec.hostnames` array. When both listener and route specify hostnames,
313 /// there MUST be an intersection between the values for a Route to be
314 /// accepted. For more information, refer to the Route specific Hostnames
315 /// documentation.
316 ///
317 /// Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
318 /// as a suffix match. That means that a match for `*.example.com` would match
319 /// both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
320 ///
321 /// Support: Core
322 #[serde(default, skip_serializing_if = "Option::is_none")]
323 pub hostname: Option<String>,
324 /// Name is the name of the Listener. This name MUST be unique within a
325 /// Gateway.
326 ///
327 /// Support: Core
328 pub name: String,
329 /// Port is the network port. Multiple listeners may use the
330 /// same port, subject to the Listener compatibility rules.
331 ///
332 /// Support: Core
333 pub port: i32,
334 /// Protocol specifies the network protocol this listener expects to receive.
335 ///
336 /// Support: Core
337 pub protocol: String,
338 /// TLS is the TLS configuration for the Listener. This field is required if
339 /// the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
340 /// if the Protocol field is "HTTP", "TCP", or "UDP".
341 ///
342 /// The association of SNIs to Certificate defined in GatewayTLSConfig is
343 /// defined based on the Hostname field for this listener.
344 ///
345 /// The GatewayClass MUST use the longest matching SNI out of all
346 /// available certificates for any TLS handshake.
347 ///
348 /// Support: Core
349 #[serde(default, skip_serializing_if = "Option::is_none")]
350 pub tls: Option<GatewayListenersTls>,
351}
352
353/// AllowedRoutes defines the types of routes that MAY be attached to a
354/// Listener and the trusted namespaces where those Route resources MAY be
355/// present.
356///
357/// Although a client request may match multiple route rules, only one rule
358/// may ultimately receive the request. Matching precedence MUST be
359/// determined in order of the following criteria:
360///
361/// * The most specific match as defined by the Route type.
362/// * The oldest Route based on creation timestamp. For example, a Route with
363/// a creation timestamp of "2020-09-08 01:02:03" is given precedence over
364/// a Route with a creation timestamp of "2020-09-08 01:02:04".
365/// * If everything else is equivalent, the Route appearing first in
366/// alphabetical order (namespace/name) should be given precedence. For
367/// example, foo/bar is given precedence over foo/baz.
368///
369/// All valid rules within a Route attached to this Listener should be
370/// implemented. Invalid Route rules can be ignored (sometimes that will mean
371/// the full Route). If a Route rule transitions from valid to invalid,
372/// support for that Route rule should be dropped to ensure consistency. For
373/// example, even if a filter specified by a Route rule is invalid, the rest
374/// of the rules within that Route should still be supported.
375///
376/// Support: Core
377#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
378pub struct GatewayListenersAllowedRoutes {
379 /// Kinds specifies the groups and kinds of Routes that are allowed to bind
380 /// to this Gateway Listener. When unspecified or empty, the kinds of Routes
381 /// selected are determined using the Listener protocol.
382 ///
383 /// A RouteGroupKind MUST correspond to kinds of Routes that are compatible
384 /// with the application protocol specified in the Listener's Protocol field.
385 /// If an implementation does not support or recognize this resource type, it
386 /// MUST set the "ResolvedRefs" condition to False for this Listener with the
387 /// "InvalidRouteKinds" reason.
388 ///
389 /// Support: Core
390 #[serde(default, skip_serializing_if = "Option::is_none")]
391 pub kinds: Option<Vec<GatewayListenersAllowedRoutesKinds>>,
392 /// Namespaces indicates namespaces from which Routes may be attached to this
393 /// Listener. This is restricted to the namespace of this Gateway by default.
394 ///
395 /// Support: Core
396 #[serde(default, skip_serializing_if = "Option::is_none")]
397 pub namespaces: Option<GatewayListenersAllowedRoutesNamespaces>,
398}
399
400/// RouteGroupKind indicates the group and kind of a Route resource.
401#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
402pub struct GatewayListenersAllowedRoutesKinds {
403 /// Group is the group of the Route.
404 #[serde(default, skip_serializing_if = "Option::is_none")]
405 pub group: Option<String>,
406 /// Kind is the kind of the Route.
407 pub kind: String,
408}
409
410/// Namespaces indicates namespaces from which Routes may be attached to this
411/// Listener. This is restricted to the namespace of this Gateway by default.
412///
413/// Support: Core
414#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
415pub struct GatewayListenersAllowedRoutesNamespaces {
416 /// From indicates where Routes will be selected for this Gateway. Possible
417 /// values are:
418 ///
419 /// * All: Routes in all namespaces may be used by this Gateway.
420 /// * Selector: Routes in namespaces selected by the selector may be used by
421 /// this Gateway.
422 /// * Same: Only Routes in the same namespace may be used by this Gateway.
423 ///
424 /// Support: Core
425 #[serde(default, skip_serializing_if = "Option::is_none")]
426 pub from: Option<GatewayListenersAllowedRoutesNamespacesFrom>,
427 /// Selector must be specified when From is set to "Selector". In that case,
428 /// only Routes in Namespaces matching this Selector will be selected by this
429 /// Gateway. This field is ignored for other values of "From".
430 ///
431 /// Support: Core
432 #[serde(default, skip_serializing_if = "Option::is_none")]
433 pub selector: Option<GatewayListenersAllowedRoutesNamespacesSelector>,
434}
435
436/// Namespaces indicates namespaces from which Routes may be attached to this
437/// Listener. This is restricted to the namespace of this Gateway by default.
438///
439/// Support: Core
440#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, PartialEq)]
441pub enum GatewayListenersAllowedRoutesNamespacesFrom {
442 All,
443 Selector,
444 Same,
445}
446
447/// Selector must be specified when From is set to "Selector". In that case,
448/// only Routes in Namespaces matching this Selector will be selected by this
449/// Gateway. This field is ignored for other values of "From".
450///
451/// Support: Core
452#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
453pub struct GatewayListenersAllowedRoutesNamespacesSelector {
454 /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
455 #[serde(
456 default,
457 skip_serializing_if = "Option::is_none",
458 rename = "matchExpressions"
459 )]
460 pub match_expressions:
461 Option<Vec<GatewayListenersAllowedRoutesNamespacesSelectorMatchExpressions>>,
462 /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
463 /// map is equivalent to an element of matchExpressions, whose key field is "key", the
464 /// operator is "In", and the values array contains only "value". The requirements are ANDed.
465 #[serde(
466 default,
467 skip_serializing_if = "Option::is_none",
468 rename = "matchLabels"
469 )]
470 pub match_labels: Option<BTreeMap<String, String>>,
471}
472
473/// A label selector requirement is a selector that contains values, a key, and an operator that
474/// relates the key and values.
475#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
476pub struct GatewayListenersAllowedRoutesNamespacesSelectorMatchExpressions {
477 /// key is the label key that the selector applies to.
478 pub key: String,
479 /// operator represents a key's relationship to a set of values.
480 /// Valid operators are In, NotIn, Exists and DoesNotExist.
481 pub operator: String,
482 /// values is an array of string values. If the operator is In or NotIn,
483 /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
484 /// the values array must be empty. This array is replaced during a strategic
485 /// merge patch.
486 #[serde(default, skip_serializing_if = "Option::is_none")]
487 pub values: Option<Vec<String>>,
488}
489
490/// TLS is the TLS configuration for the Listener. This field is required if
491/// the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
492/// if the Protocol field is "HTTP", "TCP", or "UDP".
493///
494/// The association of SNIs to Certificate defined in GatewayTLSConfig is
495/// defined based on the Hostname field for this listener.
496///
497/// The GatewayClass MUST use the longest matching SNI out of all
498/// available certificates for any TLS handshake.
499///
500/// Support: Core
501#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
502pub struct GatewayListenersTls {
503 /// CertificateRefs contains a series of references to Kubernetes objects that
504 /// contains TLS certificates and private keys. These certificates are used to
505 /// establish a TLS handshake for requests that match the hostname of the
506 /// associated listener.
507 ///
508 /// A single CertificateRef to a Kubernetes Secret has "Core" support.
509 /// Implementations MAY choose to support attaching multiple certificates to
510 /// a Listener, but this behavior is implementation-specific.
511 ///
512 /// References to a resource in different namespace are invalid UNLESS there
513 /// is a ReferenceGrant in the target namespace that allows the certificate
514 /// to be attached. If a ReferenceGrant does not allow this reference, the
515 /// "ResolvedRefs" condition MUST be set to False for this listener with the
516 /// "RefNotPermitted" reason.
517 ///
518 /// This field is required to have at least one element when the mode is set
519 /// to "Terminate" (default) and is optional otherwise.
520 ///
521 /// CertificateRefs can reference to standard Kubernetes resources, i.e.
522 /// Secret, or implementation-specific custom resources.
523 ///
524 /// Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
525 ///
526 /// Support: Implementation-specific (More than one reference or other resource types)
527 #[serde(
528 default,
529 skip_serializing_if = "Option::is_none",
530 rename = "certificateRefs"
531 )]
532 pub certificate_refs: Option<Vec<GatewayListenersTlsCertificateRefs>>,
533 /// Mode defines the TLS behavior for the TLS session initiated by the client.
534 /// There are two possible modes:
535 ///
536 /// - Terminate: The TLS session between the downstream client and the
537 /// Gateway is terminated at the Gateway. This mode requires certificates
538 /// to be specified in some way, such as populating the certificateRefs
539 /// field.
540 /// - Passthrough: The TLS session is NOT terminated by the Gateway. This
541 /// implies that the Gateway can't decipher the TLS stream except for
542 /// the ClientHello message of the TLS protocol. The certificateRefs field
543 /// is ignored in this mode.
544 ///
545 /// Support: Core
546 #[serde(default, skip_serializing_if = "Option::is_none")]
547 pub mode: Option<GatewayListenersTlsMode>,
548 /// Options are a list of key/value pairs to enable extended TLS
549 /// configuration for each implementation. For example, configuring the
550 /// minimum TLS version or supported cipher suites.
551 ///
552 /// A set of common keys MAY be defined by the API in the future. To avoid
553 /// any ambiguity, implementation-specific definitions MUST use
554 /// domain-prefixed names, such as `example.com/my-custom-option`.
555 /// Un-prefixed names are reserved for key names defined by Gateway API.
556 ///
557 /// Support: Implementation-specific
558 #[serde(default, skip_serializing_if = "Option::is_none")]
559 pub options: Option<BTreeMap<String, String>>,
560}
561
562/// SecretObjectReference identifies an API object including its namespace,
563/// defaulting to Secret.
564///
565/// The API object must be valid in the cluster; the Group and Kind must
566/// be registered in the cluster for this reference to be valid.
567///
568/// References to objects with invalid Group and Kind are not valid, and must
569/// be rejected by the implementation, with appropriate Conditions set
570/// on the containing object.
571#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
572pub struct GatewayListenersTlsCertificateRefs {
573 /// Group is the group of the referent. For example, "gateway.networking.k8s.io".
574 /// When unspecified or empty string, core API group is inferred.
575 #[serde(default, skip_serializing_if = "Option::is_none")]
576 pub group: Option<String>,
577 /// Kind is kind of the referent. For example "Secret".
578 #[serde(default, skip_serializing_if = "Option::is_none")]
579 pub kind: Option<String>,
580 /// Name is the name of the referent.
581 pub name: String,
582 /// Namespace is the namespace of the referenced object. When unspecified, the local
583 /// namespace is inferred.
584 ///
585 /// Note that when a namespace different than the local namespace is specified,
586 /// a ReferenceGrant object is required in the referent namespace to allow that
587 /// namespace's owner to accept the reference. See the ReferenceGrant
588 /// documentation for details.
589 ///
590 /// Support: Core
591 #[serde(default, skip_serializing_if = "Option::is_none")]
592 pub namespace: Option<String>,
593}
594
595/// TLS is the TLS configuration for the Listener. This field is required if
596/// the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
597/// if the Protocol field is "HTTP", "TCP", or "UDP".
598///
599/// The association of SNIs to Certificate defined in GatewayTLSConfig is
600/// defined based on the Hostname field for this listener.
601///
602/// The GatewayClass MUST use the longest matching SNI out of all
603/// available certificates for any TLS handshake.
604///
605/// Support: Core
606#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, PartialEq)]
607pub enum GatewayListenersTlsMode {
608 Terminate,
609 Passthrough,
610}
611
612/// Status defines the current state of Gateway.
613#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
614pub struct GatewayStatus {
615 /// Addresses lists the network addresses that have been bound to the
616 /// Gateway.
617 ///
618 /// This list may differ from the addresses provided in the spec under some
619 /// conditions:
620 ///
621 /// * no addresses are specified, all addresses are dynamically assigned
622 /// * a combination of specified and dynamic addresses are assigned
623 /// * a specified address was unusable (e.g. already in use)
624 ///
625 ///
626 #[serde(default, skip_serializing_if = "Option::is_none")]
627 pub addresses: Option<Vec<GatewayStatusAddresses>>,
628 /// Conditions describe the current conditions of the Gateway.
629 ///
630 /// Implementations should prefer to express Gateway conditions
631 /// using the `GatewayConditionType` and `GatewayConditionReason`
632 /// constants so that operators and tools can converge on a common
633 /// vocabulary to describe Gateway state.
634 ///
635 /// Known condition types are:
636 ///
637 /// * "Accepted"
638 /// * "Programmed"
639 /// * "Ready"
640 #[serde(default, skip_serializing_if = "Option::is_none")]
641 pub conditions: Option<Vec<Condition>>,
642 /// Listeners provide status for each unique listener port defined in the Spec.
643 #[serde(default, skip_serializing_if = "Option::is_none")]
644 pub listeners: Option<Vec<GatewayStatusListeners>>,
645}
646
647/// GatewayStatusAddress describes a network address that is bound to a Gateway.
648#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
649pub struct GatewayStatusAddresses {
650 /// Type of the address.
651 #[serde(default, skip_serializing_if = "Option::is_none", rename = "type")]
652 pub r#type: Option<String>,
653 /// Value of the address. The validity of the values will depend
654 /// on the type and support by the controller.
655 ///
656 /// Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
657 pub value: String,
658}
659
660/// ListenerStatus is the status associated with a Listener.
661#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
662pub struct GatewayStatusListeners {
663 /// AttachedRoutes represents the total number of Routes that have been
664 /// successfully attached to this Listener.
665 ///
666 /// Successful attachment of a Route to a Listener is based solely on the
667 /// combination of the AllowedRoutes field on the corresponding Listener
668 /// and the Route's ParentRefs field. A Route is successfully attached to
669 /// a Listener when it is selected by the Listener's AllowedRoutes field
670 /// AND the Route has a valid ParentRef selecting the whole Gateway
671 /// resource or a specific Listener as a parent resource (more detail on
672 /// attachment semantics can be found in the documentation on the various
673 /// Route kinds ParentRefs fields). Listener or Route status does not impact
674 /// successful attachment, i.e. the AttachedRoutes field count MUST be set
675 /// for Listeners with condition Accepted: false and MUST count successfully
676 /// attached Routes that may themselves have Accepted: false conditions.
677 ///
678 /// Uses for this field include troubleshooting Route attachment and
679 /// measuring blast radius/impact of changes to a Listener.
680 #[serde(rename = "attachedRoutes")]
681 pub attached_routes: i32,
682 /// Conditions describe the current condition of this listener.
683 pub conditions: Vec<Condition>,
684 /// Name is the name of the Listener that this status corresponds to.
685 pub name: String,
686 /// SupportedKinds is the list indicating the Kinds supported by this
687 /// listener. This MUST represent the kinds an implementation supports for
688 /// that Listener configuration.
689 ///
690 /// If kinds are specified in Spec that are not supported, they MUST NOT
691 /// appear in this list and an implementation MUST set the "ResolvedRefs"
692 /// condition to "False" with the "InvalidRouteKinds" reason. If both valid
693 /// and invalid Route kinds are specified, the implementation MUST
694 /// reference the valid Route kinds that have been specified.
695 #[serde(rename = "supportedKinds")]
696 pub supported_kinds: Vec<GatewayStatusListenersSupportedKinds>,
697}
698
699/// RouteGroupKind indicates the group and kind of a Route resource.
700#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema, Default, PartialEq)]
701pub struct GatewayStatusListenersSupportedKinds {
702 /// Group is the group of the Route.
703 #[serde(default, skip_serializing_if = "Option::is_none")]
704 pub group: Option<String>,
705 /// Kind is the kind of the Route.
706 pub kind: String,
707}